Today, April 9th, is officially IoT Day, so we couldn't miss the opportunity to highlight how far IoT has come over the years: a significant, disruptive force creating a connected world with real benefits for society worldwide.
However, we cannot ignore the growing attack surface, so today we focus on one of the biggest challenges in IoT for organizations – SECURITY. Let's also include SAFETY in the mix, as this is becoming increasingly important in healthcare and medical device environments where patient safety is paramount.
IoT security and safety can be perceived as a difficult task or project, but with the right expertise, guidance and solutions it is actually more straightforward than you may believe.
Recently there has been an increase in the number of guidelines, standards and even regulations for IoT security. If you haven't already, take a look at the IoT Security Foundation, which is pioneering frameworks to guide everyone making a conscious effort to consider security at every step of their IoT journey, including: IoT users / consumers, device makers / manufacturers, service providers, software product vendors, network operators, system specifiers, integrators, distributors, retailers, insurers, local authorities, government agencies and other stakeholders.
One of our EMEA security experts, Paul Lockley, has reviewed the latest publication from the European Telecommunications Standards Institute (ETSI), an independent, not-for-profit standardization organization for the telecommunications industry in Europe. Its latest technical specification, "CYBER; Cyber Security for Consumer Internet of Things", is intended to improve and harden the approach to consumer IoT. Before we go into the specification in more detail, we reflect on what is important for IoT security in general.
The 3 key principles of IoT security
- Device Trust
- Data Trust
- Secure Updates
How can I validate the identity of a device and ensure that it has not been cloned/spoofed?
How can I ensure that information to/from a device has not been tampered with, and that the way I handle that data does not inadvertently leave me non-compliant?
How can I make an update to a device if it is compromised or I want to update the underlying credentials for its identity?
What ETSI has delivered is a best-practice framework, but like many other standards it misses the opportunity to be more specific.
Companies should operate a Coordinated Vulnerability Disclosure (CVD) process and have a duty of care to the consumers of their products and services. This aligns with the need to monitor, identify and remediate issues and vulnerabilities as an ongoing process. What the specification lacks is detail on the "how".
Secure software updates are one of the primary requirements for IoT safety, and an update mechanism that is not properly authenticated is also one of the greatest threats to device integrity: whoever can push an update owns the device. If you have a known vulnerability, how can you patch it, and how do you stop an attacker from using the same channel to push their own code or to roll the device back to a vulnerable release?
Once you have updated, how can you ensure that what is on the device hasn't been changed since?
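As an added example (written for this page; it is not code from the post, from Device Authority or from the ETSI specification), here is the minimum a device should do to answer those two questions: verify a vendor signature over the update manifest before trusting anything in it, refuse anything that is not newer than what is installed (anti-rollback), check that the delivered image matches the signed hash, and at boot re-hash what is actually in storage against the hash that was signed at install time. The manifest layout (version || sha256(image)), the use of Ed25519 and the firmware bytes are all assumptions made for the example; a real device would keep the vendor public key, the installed version and the installed hash in protected storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata shipped alongside a firmware image. The vendor signs
// version || sha256(image) (layout assumed for this example); the device verifies
// with the vendor public key provisioned at manufacture and never holds the private key.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.ImageHash[:]...)
}

// SignManifest runs vendor-side, in the build/release pipeline.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrRollback     = errors.New("manifest version is not newer than installed version")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
)

// Device models the state a real device would keep in protected storage.
type Device struct {
	VendorPub     ed25519.PublicKey
	Version       uint32
	Image         []byte
	InstalledHash [32]byte
}

// ApplyUpdate verifies, then installs. The order matters: signature first, so nothing
// in an unauthenticated manifest is trusted; then anti-rollback, so an attacker cannot
// re-deliver a genuinely signed but vulnerable older release; then the image hash, so a
// valid manifest cannot be paired with a different image. A failed update changes nothing.
func (d *Device) ApplyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= d.Version {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	d.Image = append([]byte(nil), image...)
	d.Version = m.Version
	d.InstalledHash = m.ImageHash
	return nil
}

// VerifyInstalled is the boot-time / post-install check: hash what is actually on the
// device and compare it with the hash that was signed and recorded at install time.
func (d *Device) VerifyInstalled() bool {
	return sha256.Sum256(d.Image) == d.InstalledHash
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor signing key (constructed)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, Version: 1}
	img := []byte("constructed sample firmware, release 2")
	m := SignManifest(priv, 2, img)
	tampered := append([]byte(nil), img...)
	tampered[0] ^= 1

	fmt.Println("apply v2:      ", dev.ApplyUpdate(m, img))                            // <nil>
	fmt.Println("replay v2:     ", dev.ApplyUpdate(m, img))                            // rollback error
	fmt.Println("tampered image:", dev.ApplyUpdate(SignManifest(priv, 3, img), tampered)) // hash mismatch
	fmt.Println("intact:        ", dev.VerifyInstalled())                              // true
	dev.Image[0] ^= 0xff // simulate an in-place modification of flash
	fmt.Println("after tamper:  ", dev.VerifyInstalled())                              // false
}
```

The same pattern applies whatever signature scheme the vendor uses; the essential property is that the device only ever holds a public key, so compromising a fleet of devices does not yield the ability to sign updates for the rest.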
Password management, which is possibly the biggest open door for cyber-criminals when it comes to IoT or connected devices, is seemingly one of the biggest hurdles for device manufacturers to cross. No universal default passwords, a forced change on first use, and centralized control with audit logs: these are easy processes that make very big differences.
Communicate Securely. I suspect this could have been a very long chapter with lots of points for debate when writing the document. The element that could have been more clearly defined here is Compliance. While it is referred to later, albeit briefly, it will be one of the defining drivers pushing the envelope on tailored encryption of data.
When it comes to handling personal data under GDPR, how can a transfer of ownership be managed and executed effectively? Encrypting data under per-owner keys allows it to be rendered unreadable simply by destroying the key, without changing the device itself or touching the stored ciphertext. This fulfils some of the prerequisites of things such as data deletion requests.
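To make that concrete, here is an added example (written for this page, not the post's own or Device Authority's code) of the key-per-owner approach, sometimes called crypto-erasure: each owner's records are sealed with AES-GCM under that owner's key, a deletion request is answered by zeroing and dropping the key, and an ownership transfer destroys the outgoing owner's key and mints a fresh one for the incoming owner. The Vault structure, the owner identifiers and the sample readings are assumptions for the example; in a real deployment the keys would live in an HSM or key-management service and the records in the device or the cloud backend.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a stored item: ciphertext, the nonce it was sealed with and the owner
// whose key sealed it. The owner id is bound as AEAD associated data so a record
// cannot be silently re-attributed to another owner.
type Record struct {
	Owner      string
	Nonce      []byte
	Ciphertext []byte
}

// Vault keeps one data-encryption key per owner. Records stay where they are;
// only the presence of the key decides whether they are readable.
type Vault struct {
	keys    map[string][]byte // owner id -> 256-bit AES key (example structure)
	records []Record
}

var ErrNoKey = errors.New("no key for owner: data is cryptographically erased")

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// Provision mints a fresh key for an owner (first use, or after a transfer).
func (v *Vault) Provision(owner string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	v.keys[owner] = k
	return nil
}

func (v *Vault) aead(owner string) (cipher.AEAD, error) {
	k, ok := v.keys[owner]
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store seals plaintext under the owner's key with a random 96-bit nonce.
func (v *Vault) Store(owner string, plaintext []byte) error {
	g, err := v.aead(owner)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(owner))
	v.records = append(v.records, Record{Owner: owner, Nonce: nonce, Ciphertext: ct})
	return nil
}

// Read decrypts every record belonging to owner; after Erase it returns ErrNoKey.
func (v *Vault) Read(owner string) ([][]byte, error) {
	g, err := v.aead(owner)
	if err != nil {
		return nil, err
	}
	var out [][]byte
	for _, r := range v.records {
		if r.Owner != owner {
			continue
		}
		pt, err := g.Open(nil, r.Nonce, r.Ciphertext, []byte(owner))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase answers a deletion request: zero and drop the key. Every copy of the
// ciphertext, in backups or on the device, becomes unrecoverable without the
// device being touched.
func (v *Vault) Erase(owner string) {
	if k, ok := v.keys[owner]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, owner)
	}
}

// Transfer hands the data stream to a new owner: the outgoing owner's history
// becomes unreadable and the incoming owner gets a fresh key for what follows.
func (v *Vault) Transfer(from, to string) error {
	v.Erase(from)
	return v.Provision(to)
}

func main() {
	v := NewVault()
	_ = v.Provision("owner-A")
	_ = v.Store("owner-A", []byte("heart rate 72 bpm (constructed sample)"))
	_ = v.Store("owner-A", []byte("heart rate 75 bpm (constructed sample)"))
	a, _ := v.Read("owner-A")
	fmt.Println("owner-A readable records:", len(a)) // 2
	_ = v.Transfer("owner-A", "owner-B")
	_ = v.Store("owner-B", []byte("heart rate 68 bpm (constructed sample)"))
	_, err := v.Read("owner-A")
	fmt.Println("owner-A after transfer:", err) // ErrNoKey
	b, _ := v.Read("owner-B")
	fmt.Println("owner-B readable:", len(b), "of", len(v.records), "stored") // 1 of 3
}
```

Note what this does and does not give you: the ciphertext is still there after erasure, so the guarantee rests entirely on the key genuinely being destroyed everywhere it was held, which is why the keys belong in an HSM or managed key service with its own audit trail rather than alongside the data.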
While the enforcer of change is GDPR, it would be good to see stronger guidelines from the standards bodies that draw more on real-world challenges and solutions.
The more detail standards bodies provide, the clearer the message becomes. When legislative changes also filter through (GDPR, California SB-327 and several more in the pipeline), the impact can potentially be very significant. There is ample time for companies to put in the groundwork when they build devices and services, but not everyone has the same appetite to do the right thing.
At Device Authority we take device and data security seriously. Our market-leading solutions for Authentication, Lifecycle Management and Definable Encryption help organizations build and deliver secure devices and services. To find out more, visit our KeyScaler platform page, or Contact Us to arrange a demonstration.