Where are the IoT security startups? - Embedded.com

Where are the IoT security startups?

Security is a broad concept even within a specific arena such as embedded systems. Basic security principles are applicable whether the asset to be protected is physical or virtual, so one can understandably question the appropriateness of confining a discussion about security to a particular market such as the Internet of Things (IoT). The IoT is unique, however, in the way its assets stretch out broadly across both physical and virtual domains — encompassing individual devices and open communications channels at known sites as well as geographically dispersed data sets and applications running on virtual servers. Rather than some nicely compartmentalized system, an IoT application is pretty much a security nightmare from end to end. Even so, you'd think that the dissonance between excitement over IoT opportunities on one hand and concern about IoT security on the other would yield a rich breeding ground for companies targeting IoT security. Yet, in its latest look at 60 noteworthy startups, EE Times identified only one security-related startup, which begs the question: Where are the IoT security startups?

From a security point of view, the IoT is different from nearly any other application segment. Few applications expose as many threat surfaces simultaneously. Industrial network applications probably most closely resemble IoT applications but have the distinct advantage of physical protection and isolation. Even so, closed industrial networks have been famously compromised. In contrast, a typical IoT application is open and easily accessible. IoT security solutions must start with the assumption that security is compromised at the outset, because anyone can physically acquire one of the application's IoT nodes and attack it in the comfort of their own home workshop or nationally funded laboratory. Not surprisingly, researchers have exposed security flaws in connected products including automobiles, closed-circuit cameras, and even light bulbs. Concerns understandably remain over zero-day vulnerabilities across the connected world.

That challenge, in a nutshell, is the easy answer to the dearth of IoT security startups: It's really really hard. Yet, that very kind of challenge has always attracted some of the best minds in math, science and engineering. The true answers might have less to do with technology than with business factors. In its recent report, Cybersecurity Venture Investment in Pervasive Computing and the IoT, Lux Research looked at 77 IoT-related startups and found a remarkable shortfall in venture funding. According to Lux Research, the 77 startups it studied “…raised just $808.6 million in venture funding over the last 16 years — and 42 of them had little or no venture backing at all.”

It's interesting to note that in both the EE Times list and in the Lux Research report, some of the companies have been around long enough to stretch the definition of “startup.” In terms of market presence, however, these companies are in a long-running battle for recognition. IoT security-solutions vendors face a cost-sensitive market and security is a cost that does not translate into a new, exciting feature for the user. Cybersecurity vendors often say that their products are like insurance — something nobody wants to pay for until it's too late. Adding to the difficulty, good security imposes certain demands on product users, who typically balk at extra steps required to actually get a “connected” product online (see typical user comments for any home-based Wi-Fi router or access point). 

Along with the difficulty in proving commercial viability, third-party security-solution providers face a significant legal challenge. As Lux Research points out, the anti-circumvention rules in Section 1201 of the Digital Millennium Copyright Act prohibit developers from bypassing a device's own code without permission from the rights owner of the device code. While efforts are underway to sue for injunctive relief from anti-circumvention restrictions, few startups or venture financiers can afford to rely on expectations for an individual waiver, much less a quick, satisfactory legal or legislative solution. On the other hand, perhaps another possible answer to the lack of security startup visibility lies hidden within the constraints of Section 1201. We'll never know how many stealth startups are working on security solutions in close cooperation and with funding from industry leaders looking for security solutions for their connected automobiles, medical devices, and others. Similarly, we'll never know how many stealth startups are adhering to the basic rule of security: Keep quiet.

Despite the limitations and difficulties facing them, startups continue to emerge with technologies that address IoT security either directly or indirectly through fundamental mechanisms. For example, Intrinsic ID, the sole security-focused company named in the EE Times list of 60 noteworthy startups, offers technology for physically unclonable functions (PUF). As with any fundamentally sound security mechanism, PUF technology is application-agnostic and can harden security in any connected embedded systems design by hardening crypto key security — a vital security mechanism and perhaps even the most important according to Kerckhoffs's Principle. Similarly, several startups are looking to replace the traditional security workstation with automated mechanisms for threat detection, identification and mitigation at the enterprise level. IoT applications can benefit from many security features geared to the enterprise, but generally encompass a different set of requirements (and are not included in the list of startups below).

With the caveat that the next security leader might well be creating the next great solution in stealth mode, here's a quick list of 10 companies (arranged alphabetically) that have emerged relatively recently with solutions that could benefit IoT applications developers: 

  • Argus Cyber Security  targets security for connected vehicles with a multilayered approach extending from selected electronic control units such as brakes to in-vehicle network protection and wireless connectivity protection for infotainment and telematic subsystems. Designed for automotive manufacturers and their Tier 1 suppliers, the solutions are intended to provide end-to-end security. 

  • Bastille  focuses on RF vulnerability and provides proprietary software and sensors to scan the customer environment to identify RF threats and RF-based data leakage. The company says its patented solution also provides complete, comprehensive visibility into the location and movement of each IoT device – helping protect physical and human assets. 

  • Bbotx  offers a secure managed software platform for managing connected devices and data from those devices. The company is developing both software and hardware designed to support secure data integration.

  • Device Authority  is targeting IoT security with a platform designed for secure registration, provisioning, and updating of devices. The company's approach combines its proprietary software with “flexible service connectors” designed for rapid integration with external providers. 

  • DoJo Labs  targets smart connected home security with a home-based device that monitors the home network for threats and works with the company's cloud-based application for threat analysis and mitigation. 

  • Power Fingerprinting (PFP) Cybersecurity  analyzes power usage on devices to detect potential threats. The company combines optional device-level firmware (for Xilinx's Zynq SoC) with cloud-based analytics, using machine learning to find deviations from the expected baseline usage that could indicate unauthorized activity (see figure). 

    Figure. PFP technology analyzes power usage to identify usage variations that could indicate threats. (Source: PFP)

  • Runsafe Security targets automotive security with hardware and software designed to block physical or virtual attacks in real time. Plugged into a vehicle's OBD-II port, the company's Vehicle Guardian dongle is designed to block unauthorized messages transmitted across the CAN bus (the threat vector used in vehicle hacking demonstrations). Other products are designed to offer broader applications and OS threat reduction.

  • Securithings  focuses on analytics for threat detection, offering software agents designed to simplify integration with common IoT platforms. 

  • Twistlock  is not IoT-specific but is included here because it addresses container security. Container systems such as Docker have emerged as popular devops solutions for running applications in virtualized environments. As such, Twistlock represents a unique offering with clear applicability to IoT applications development.

  • Virta Labs  offers managed services designed for the healthcare industry. Its BlueFlow software monitors clinical and device networks to identify potential problems without interrupting clinical workflow. 

2 thoughts on “Where are the IoT security startups?”

  1. “Good to see this topic being brought up. And yes, sometimes it is not startups in the traditional sense. For example, we are 23 years old as a company, but two years ago have completely pivoted to focus on providing Apple HomeKit solutions for the device
