What are the IoT Security Standards?
By Connor Craven
Internet of Things (IoT) security standards are few and far between, and unlike many other IT standards they are rarely mandatory or written into industrial or governmental regulations. This article covers the following published documents:
- The National Institute of Standards and Technology’s (NIST’s) set of basic IoT security practices for manufacturers.
- The European Union Agency for Cybersecurity’s (ENISA’s) baseline recommendations for IoT device security.
- The portion of the California civil code that mandates security of IoT devices.
The first two are somewhat similar and together show there is some agreement over how IoT devices can be secured. However, there hasn’t been a powerful enough push to make universal IoT security standards. The California law is one of the only instances globally of a governmental law regarding IoT device privacy and security.
NIST-Recommended Practices for IoT Device Manufacturers
The May 2020 NIST document, “Foundational Cybersecurity Activities for IoT Device Manufacturers” (NISTIR 8259), guides IoT device manufacturers on how to better secure their IoT devices.
The document recommends six activities manufacturers can undertake to build security capabilities into IoT devices. Four of them concern how a manufacturer thinks about security before a device is built (pre-market); the other two concern supporting devices once they have been sold (post-market).
Identify expected customers and users, and define expected use cases
Essentially, a manufacturer should research who would want to buy the device and why. This should be done early in the design process to make decisions for what security tools to use and how to integrate them.
Research customer cybersecurity needs and goals
Using the information from customer research, manufacturers can home in on the relevant security risks. Of course, manufacturers cannot know every customer’s risks. The goal is to make the devices at least minimally securable by the customers expected to buy them, for the expected use cases.
Determine how to address customer needs and goals
With the knowledge gained from researching security risks, manufacturers can decide which security capabilities to build in so that devices are at least minimally securable. NIST suggests manufacturers review its companion publication, “IoT Device Cybersecurity Capability Core Baseline” (NISTIR 8259A).
Plan for adequate support for customer needs and goals
Manufacturers should be able to provision hardware and software resources to support security capabilities. Additionally, manufacturers should think about what they will need to provide ongoing development and support of their IoT devices — for example, secure coding practices, vulnerability response, and flaw remediation.
Define approaches for communicating to customers
Once a manufacturer has sent its device to market, it must clearly communicate with customers about the devices’ security risks. Communication can be direct to the customer or to an organization acting on the customer’s behalf. For example, a manufacturer can send information to a managed security services provider instead of directly to customers.
Decide what to communicate to customers and how to communicate it
Topics to communicate to customers include:
- How long devices will be supported and when end-of-life will occur.
- How customers can report vulnerabilities.
- Information on the device’s software, hardware, services, functions, and data types.
- If updates are available, when and how they will be distributed, and how customers can verify the source of the update is the manufacturer.
The NIST publication is a voluntary set of practices that manufacturers can decide to use on their own.
European Union Baseline Security Recommendations
The November 2017 ENISA publication, “Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures,” groups its security measures under three overarching themes:
- Technical measures
- Policies
- Organizational, people, and process measures
The technical measures suggested include several hardware and software security approaches. Examples of these technical measures include hardware root of trust, automatic update rollbacks, and hard-to-crack default passwords unique to each device. Manufacturers should take into account how fast their products will sell and the scalability needed for the chosen security measures.
When it comes to security policies, they need to be extensive enough to secure an organization’s system and be well documented. Categories include security by design, privacy by design, and risk and threat identification and assessment. Security by design and privacy by design focus on integrating security and privacy into the IoT system rather than adding each at the end of development. Risk and threat identification and assessment mirror part of the NIST recommendations in suggesting identifying the intended use of the IoT device and where it will be used.
Next, ENISA suggests that IoT device manufacturers define criteria for how their devices are secured. End-of-life support, again similar to the NIST suggestions, should be disclosed to customers, and patches should be provided until the end of the support period. Manufacturers should also avoid weak or outdated communication protocols and cryptographic algorithms, since attackers can readily exploit their published weaknesses to gain access to the devices. Finally, manufacturers should have procedures for analyzing and handling security incidents when they occur, and for disclosing that they occurred.
The next recommendation is to train employees in privacy and security practices. Third parties involved in data processing, data sharing, and hardware or software creation should be aware of the applicable security and regulatory requirements for their services.
California IoT Security Law
California’s Senate Bill 327 (SB-327), signed in September 2018 and in effect since January 1, 2020, added a section on connected devices to the state civil code. It requires manufacturers of a connected device to equip it with reasonable security features that meet three requirements. First, the features must be appropriate to the nature and function of the device; in other words, the device does not have to provide security for functions it does not have. Second, they must be appropriate to the information the device collects, contains, or transmits; a device that never handles personal health data, for example, does not need controls aimed at protecting such data. And third, the features must be designed to protect the device and the information it contains from unauthorized access, destruction, use, modification, or disclosure. Essentially, the features must keep malicious actors away from the device and its data.
The law also provides a safe harbor: if a connected device is equipped with a means for authentication outside a local area network, it is deemed to have a reasonable security feature if either of two conditions is met. First, the preprogrammed password is unique to each device manufactured. Second, the device requires the user to generate a new means of authentication before access is granted to the device for the first time.