
How to Improve Trust in the Source and Content of Internet-of-Things Devices

Crypto and Digital Trust

While IoT devices have become increasingly prevalent in modern life, offering opportunities for efficiency, automation, and improved decision-making in various domains, their proliferation also raises important considerations related to security, privacy, data management, and interoperability.

The purpose of IoT devices is to gather information from the physical world and communicate it to other systems for analysis, monitoring, control, or automation—now, there are approximately 15.14 billion connected IoT devices, according to Transforma Insights, and that figure is expected to almost double to 29.42 billion by 2030.

Given that unrelenting wave of IoT devices and our increasing dependence on them, how do we enable greater trust in the source and content of data from these devices? Answering this question began over eight years ago when Internet and Identity architects determined that a re-architecture of the Internet protocol was necessary to maintain and create trust in the source and content of Internet transactions.

In this article, we’ll explore three game-changing components of that proposed restructuring of the internet—decentralized identifiers (DIDs), verifiable credentials (VCs), and governance—to create a better understanding of what will need to be implemented to keep IoT devices, and our increasing reliance on them, safe.

Society’s Established Dependence on Highly Sensitive IoT Devices

As we noted already, IoT devices are deeply enmeshed in society in many ways, including in highly sensitive roles across various sectors, such as:

Healthcare
  • Implantable Medical Devices: Pacemakers, insulin pumps, and neurostimulators are connected to a person’s body and are responsible for critical health functions.
  • Health Monitoring Wearables: ECG monitors and continuous glucose monitors transmit sensitive health data to healthcare providers.

Smart Home
  • Smart Cameras: Indoor and outdoor security cameras can capture sensitive video footage of homes and surroundings.
  • Smart Locks: IoT locks can control access to homes.

Industrial
  • Industrial Control Systems (ICS): Devices that control critical infrastructure, such as power plants and manufacturing processes.

Smart City
  • Surveillance Cameras: Public surveillance cameras used in smart city initiatives capture sensitive video data in urban areas.
  • Smart Meters: These devices monitor utilities including electricity, gas, and water usage.

Military and Defense
  • Unmanned Aerial Vehicles (UAVs): Military drones and UAVs equipped with IoT technology collect reconnaissance data.

If increased trust were achieved, consider how much more confident you would be in the following transactions from a sample of IoT devices:

  • “Ted is experiencing a stroke…”
  • “The temperature of the nuclear core is above acceptable levels…”
  • “The drone operating in this jurisdiction has not been successfully registered…”
  • “The video you are watching originates from the White House…”
  • “Perishable human tissue has maintained viable temperature ranges during transport…”
  • “No one has tampered with chips installed on this astronaut’s spacesuit…” 

As enmeshed as IoT devices are, their security characteristics are unfortunately limited, since they run proprietary operating systems built on firmware embedded in the chips on these devices.

What’s more, the advent of generative AI and advanced video technology not only challenges our ability to distinguish between deep fakes and real people but also muddles our reliance on the source of transactions emitting from any IoT device.

3 Components That Could Help Secure IoT Devices

But there is a potential solution.

According to Internet and Identity architects, global deployment of the following game-changing elements as part of a reimagined Internet protocol will help enable greater trust in data sources and content from IoT devices:

  1. Decentralized Identifiers (DIDs)
  2. Verifiable Credentials (VCs)
  3. Governance

1. Decentralized Identifiers

Designed to be globally unique, persistent, and cryptographically verifiable, DIDs represent a way to create and manage digital identities that are not tied to a centralized registry, certificate authority, or a specific intermediary like a tech company or bank.

Key features of this new type of identifier that can be used for truly verifiable digital identity include:

  • Decentralization: As they’re intended to be created, owned, and controlled by the individual to whom the DID corresponds, DIDs are not controlled by any single organization or entity.
  • Global Uniqueness: To prevent naming conflicts, DIDs are designed to be globally unique using a combination of cryptographic methods and blockchain technology.
  • Cryptographic Verification: For a strong level of security and trust in online interactions, DIDs are paired with cryptographic keys, allowing the owner to prove ownership and control over their identity.
  • Identity Control: Entities have full control over their own digital identities and can choose when and how to disclose information about themselves.
  • Interoperability: Combined with a strong system of governance, DIDs are designed to work across various systems and platforms, making them suitable for use in a wide range of applications and services.

Given that potential to empower individuals with greater control over their personal information and who has access to it while also making digital interactions more secure and trustworthy, DIDs can be an important building block for creating a more secure and user-centric approach to digital identity—including for IoT devices.

Using DIDs in IoT devices offers several compelling, increasingly apparent benefits while also addressing important challenges that have arisen in the IoT space, including:

  1. Ownership and Control: DIDs give IoT device owners more control over their devices' identities and data. Device owners can create and manage their DIDs, reducing reliance on centralized authorities or third parties.
  2. Interoperability: DIDs are designed to work across various platforms and services, making it easier for IoT devices from different manufacturers to interoperate seamlessly, regardless of the underlying infrastructure.
  3. Verifiability: The cryptographic nature of DIDs allows for easy verification of the authenticity of IoT devices, helping to build trust and prevent unauthorized access.
  4. Tamper Resistance: DIDs can be used to create immutable records of device activity, making it difficult for malicious actors to alter device log files or data.
  5. Supply Chain Security: DIDs can be used to track the provenance and ownership of IoT devices throughout their lifecycle, helping to ensure that devices are genuine and have not been tampered with during production and distribution.

Despite this, DID adoption in the IoT space is still evolving—implementing them in IoT devices still requires careful consideration of the specific use case, the choice of decentralized identity systems, and the interoperability with existing IoT protocols and standards.

2. Verifiable Credentials

VCs are tamper-evident, cryptographically verifiable containers of claims, which can include content such as qualifications, achievements, or personal attributes (such as age).

By providing a secure and standardized way for individuals or entities to encapsulate, present, and prove a claim or assertion in a digital format, VCs can enhance trust and security not only in online interactions but also in IoT ecosystems, where devices could use verifiable credentials in various ways:

  • Device Identity and Authentication: If IoT devices were issued VCs, that could help prove each device’s authenticity and provenance, as VCs can be cryptographically signed by the manufacturer or an authorized entity.
  • Secure Device Onboarding: During onboarding, IoT devices could be asked to present their VCs to network gateways or platforms in order to gain access and to ensure that they connect only to authorized networks or platforms.
  • Data Provenance and Integrity: IoT devices could issue VCs for the data they generate—including sensor readings and event logs—as the credentials could attest to the source of the data and its integrity, which would help in auditing and verifying its authenticity in a transparent and tamper-evident manner.
  • Device Trustworthiness: IoT devices could issue credentials attesting to the security patches and firmware updates they have applied, and other devices or platforms could use those VCs to assess the security posture of IoT devices within the network.
  • Access Control and Permissions: IoT devices could use VCs when requesting and granting permissions to prove their authorization to access certain resources or services within an ecosystem (e.g., a smart door lock could request a credential from an authorized smartphone before granting access).

And though the World Wide Web Consortium (W3C) Verifiable Credentials Data Model and its associated specifications provide a foundation for the implementation of VCs in IoT systems, implementation would still require careful consideration of:

  • Security practices;
  • Cryptography;
  • Appropriate key management;
  • Revocation mechanisms; and
  • Standards compliance, to maintain the security and trustworthiness of the credentials.
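The DID and VC sections above describe three mechanics in prose: an identifier bound to a key pair that its owner can prove control of, a signed container of claims that a verifier can check without contacting the issuer, and a revocation check. The following Go program is an added example written for this article; it is not code from Schellman, the W3C, or any DID/VC library. It assumes a simplified did:key-style identifier (the real did:key method adds a multicodec prefix and multibase encoding), uses the credential's plain JSON as the signing input rather than the W3C Data Integrity canonicalization, and models revocation as an in-memory set standing in for a published status list. It shows a manufacturer issuing a credential to a device, a verifier resolving the issuer's key from its DID and detecting a tampered claim, and a device answering an onboarding challenge to prove it controls the DID it presents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Credential is a constructed, simplified stand-in for a W3C-style verifiable
// credential: issuer DID, subject DID, claims, and an Ed25519 proof over the
// JSON of the unsigned fields.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Proof   string            `json:"proof,omitempty"`
}

// DIDFromPublicKey derives a did:key-style identifier directly from an Ed25519
// public key, so minting and resolving it needs no central registry. This is a
// simplification: the real did:key method adds a multicodec prefix and multibase
// encoding, which is omitted here.
func DIDFromPublicKey(pub ed25519.PublicKey) string {
	return "did:key:" + base64.RawURLEncoding.EncodeToString(pub)
}

// PublicKeyFromDID is the "resolution" step: a verifier recovers the key to
// check proofs against from the identifier alone.
func PublicKeyFromDID(did string) (ed25519.PublicKey, error) {
	if !strings.HasPrefix(did, "did:key:") {
		return nil, errors.New("unsupported DID method")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(did, "did:key:"))
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("malformed did:key identifier")
	}
	return ed25519.PublicKey(raw), nil
}

// signingInput is the byte string the proof covers: the credential with the
// proof cleared. encoding/json writes struct fields in declaration order and
// sorts map keys, so issuer and verifier compute the same bytes.
func signingInput(c Credential) []byte {
	c.Proof = ""
	b, _ := json.Marshal(c)
	return b
}

// Issue signs the credential with the issuer's private key and attaches the proof.
func Issue(c Credential, issuerKey ed25519.PrivateKey) Credential {
	c.Proof = base64.RawURLEncoding.EncodeToString(ed25519.Sign(issuerKey, signingInput(c)))
	return c
}

// Verify resolves the issuer's key from its DID, checks the proof (which fails
// if any signed field was altered), then consults a revocation set. The
// in-memory set stands in for a published status list (an assumption here).
func Verify(c Credential, revoked map[string]bool) error {
	pub, err := PublicKeyFromDID(c.Issuer)
	if err != nil {
		return err
	}
	sig, err := base64.RawURLEncoding.DecodeString(c.Proof)
	if err != nil || !ed25519.Verify(pub, signingInput(c), sig) {
		return errors.New("invalid proof: credential altered or not signed by the stated issuer")
	}
	if revoked[c.Subject] {
		return errors.New("credential revoked for " + c.Subject)
	}
	return nil
}

// ProveControl and CheckControl model onboarding: a gateway sends a fresh random
// challenge and the device signs it with the key behind its DID, proving it
// controls the identifier it presents.
func ProveControl(challenge []byte, deviceKey ed25519.PrivateKey) []byte {
	return ed25519.Sign(deviceKey, challenge)
}

func CheckControl(did string, challenge, response []byte) bool {
	pub, err := PublicKeyFromDID(did)
	return err == nil && ed25519.Verify(pub, challenge, response)
}

func main() {
	// Constructed sample: a manufacturer issues a provenance credential to a device.
	mPub, mPriv, _ := ed25519.GenerateKey(rand.Reader)
	dPub, dPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Issue(Credential{Issuer: DIDFromPublicKey(mPub), Subject: DIDFromPublicKey(dPub),
		Claims: map[string]string{"model": "glucose-monitor-x1", "firmware": "1.2.3"}}, mPriv)
	fmt.Println("genuine credential verifies:", Verify(cred, nil) == nil)
	challenge := make([]byte, 32)
	_, _ = rand.Read(challenge)
	fmt.Println("device controls its DID:", CheckControl(cred.Subject, challenge, ProveControl(challenge, dPriv)))
}
```

The verifier never contacts the manufacturer: it derives the issuer's public key from the DID string itself, which is what makes the scheme decentralized, and any change to a signed field (a firmware version, a subject DID) invalidates the proof. Swapping the issuer DID for a different key also fails, because the signature was not made by the key the new DID resolves to. The revocation set is the piece that real deployments must back with a published, authenticated status mechanism; a signature alone cannot tell a verifier that an otherwise valid credential has since been withdrawn.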

3. Governance

While IoT manufacturers could implement a set of DIDs and VCs for their own purposes and a greater sense of security, the greatest accountability, reliability, and interoperability for these devices can be forged through enhanced governance. This wouldn’t mean anything brand new—after all, governance and standards programs drove worldwide adoption of IoT devices that use common standards such as USB, Bluetooth, and Wi-Fi.

In principle, a governance scheme for IoT device VCs would require deep knowledge of the pervasive risks, as well as a common set of requirements that participating manufacturers can adopt—and then be held accountable to by independent auditors—for the greater good of the users and those that rely upon these devices.

The largest hurdle here would be developing industry-specific IoT identity standards to ensure the safety and integrity of these interconnected IoT devices, which would require critical input from the following industry stakeholders:

  • Manufacturers
  • Standards organizations
  • Regulatory bodies
  • Technology experts

Some more specific ways in which these stakeholders can get involved in governing, and developing security standards for, IoT devices include:

Industry Consortiums and Standards Bodies:

In fact, some industry consortiums, standards organizations, and trade associations are already at work on IoT security standards and protocols, including:

Regulatory Bodies:

The U.S. National Institute of Standards and Technology (NIST) has published guidelines for IoT security and the European Union's Cybersecurity Act sets regulations for it; the EU has also recently finalized the eIDAS 2.0 standard, which governs the use of verifiable credentials and digital wallets in its jurisdiction.

Still further legal and compliance requirements—including certification and labeling programs, privacy regulations, and security mandates—are on the table.

Certification Programs:

Industry stakeholders can develop certification programs that verify compliance with established security standards. Devices that meet those standards can earn certification marks, which will build trust among consumers and facilitate market access.

Security by Design:

Manufacturers should adopt a "security by design" approach and integrate security and data verification measures at every stage of IoT device development, from concept and design to production and deployment—that includes implementing:

  • DIDs
  • Secure hardware
  • Robust software
  • Secure communication protocols
  • Regular security updates

Security Audits and Testing:

Industry stakeholders can promote security audits, vulnerability assessments, and testing processes to identify and rectify security weaknesses in IoT devices or non-conformance to standards, as independent third-party security testing can help validate a device's security claims.

Ultimately, governing security standards for IoT devices will require a multi-faceted approach involving collaboration, regulation, education, and ongoing vigilance. As the IoT landscape continues to evolve, industry stakeholders must adapt and improve security measures to address emerging threats and challenges.

Driving a Web of Trust

Working in conjunction against the specific risks IoT devices face, a standardized mix of all three of these components—DIDs, VCs, and governance—would likely create a “Web of Trust” that would complete the ultimate re-architecture of the Internet in a way that would even satisfy the original coiners of the term “Web 3.0.”

Still, while these elements of digital identity can be a valuable tool in addressing IoT source and data reliability, they are not a silver bullet. As technological advancements in creating deceptive content continue to evolve, a multi-layered approach that includes technology, education, awareness, and legal measures is necessary to combat this problem effectively.

In the meantime, should you have any related questions regarding digital identity and trust, contact us today to be connected with our technical experts who would be happy to work through these solutions with you.

About Scott Perry

Scott Perry is a Principal at Schellman where he heads up its crypto and digital trust services practice. Prior to joining Schellman in 2022, Scott owned and operated his own firm specializing in cybersecurity consulting audits and governance, GRC implementation, digital identity and verifiable credentials, and WebTrust. Scott is also a Steering Committee member and co-Chairs the Governance Stack Working Group for the Trust Over IP Foundation (a Linux Foundation project). Scott has worked with the world's most respected SSL-certificate issuers, aerospace and defense companies, and government agencies. He has authored and contributed to a comprehensive governance and trust assurance methodology suite for Trust Over IP, has written a key chapter on Trust Assurance in a published book on Self Sovereign Identity and the FinClusive Rulebook. As a hands-on crypto and cybersecurity consultant and auditor, Scott provides deep and impactful advice that you would expect from a leader in the field.