The Cloud Security Alliance (CSA) IoT Working Group says its report, Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products, is meant to give developers of IoT devices an understanding of the security threats their products face.
The report discusses the tools and processes that can be used to safeguard against those threats. It notes that although IoT systems are complex, encompassing devices, gateways, mobile applications, appliances, web services, datastores, analytics systems and more, the guidance focuses mainly on the 'devices' (i.e., the Things themselves).
The CSA Working Group defines a secure IoT device as one that implements sufficient security measures that an attacker will move on to another target.
“Nothing that is connected is completely secure; however, it is possible to make it sufficiently resource-expensive to compromise that an attacker will deem it illogical to continue down that path,” it argues.
The IoT is here and is already beginning to transform consumer, business and industrial processes and practices.
“It is often heard in our industry that securing IoT products and systems is an insurmountable effort,” said Brian Russell, Chair of the CSA IoT Working Group and Chief Engineer, Cyber Security Solutions, with Leidos.
“However, with the help of our extremely knowledgeable and dedicated volunteers, we are providing a strong starting point for organizations that have begun transforming their existing products into IoT-enabled devices, as well as newly emerging IoT startups. We hope to empower developers and organizations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products.”
The year 2015 saw market adoption of many types of IoT products, and with it the first substantive research showing that concerns about IoT security are real.
Based on this research, the report identifies several high-level needs for IoT product security. These include:
- The need to protect consumer privacy
- The need to protect business data and limit exposure of sensitive information
- The need to safeguard against IoT products being used in DDoS attacks or as launching points into the network
- The need to guard against damage or harm resulting from compromise of cyber-physical systems
With predictions of 50+ billion devices connected by 2020, IoT products will be widely deployed and will enter our homes, workplaces, vehicles and even airplanes.
Adding interconnectivity between these devices and our existing network infrastructures will open up new attack vectors that many will attempt to exploit.
Security researchers today are working hard to identify vulnerabilities in many existing IoT products; however, not all vulnerabilities will be identified and patched before a malicious actor makes use of them. The consequences of a particular IoT product being used to compromise sensitive user information, or worse, to cause harm or damage, could be catastrophic for the product vendor.
Security is not a business driver in the development of IoT products
The CSA conducted a survey of technology startups in 2015 to better understand their motivations related to security of IoT developments. Results from the survey showed that investors and technology startups are not concerned with the security of their products.
They are instead focused on getting their products to market quickly and ensuring that core functionality works as expected.
Making things more difficult from an information security perspective is the need for device developers to weigh the usability vs. security trade-off.
Since many of these IoT devices depend on other devices to function (e.g., a smartphone), the need for security to be planned at the architecture level is higher than ever before.
In some cases, manufacturers of consumer-based IoT devices have made conscious decisions to forgo security best practices in an effort to make these devices easier to configure by the homeowner.
The CSA report argues that IoT product developers should treat security as part of the business requirements. Each product being developed should first be examined to understand the threats unique to it, and a backlog of security requirements should then be generated to mitigate those threats before they are realized.
Consumer-facing IoT devices have received significant attention from the security community, given their low cost of acquisition and high availability.
Although this class of IoT devices may not seem to impact enterprise security postures, a recent report from OpenDNS has shown that these types of devices are being used within corporate environments and are often placed on the enterprise network.
Maintaining a sound security posture for these types of devices benefits everyone.