It seems that not a day goes by without the Internet of Things (IoT) making headlines. Reports of security weaknesses in IoT devices are becoming more common. While most of the IoT media coverage focuses on devices for personal use, there has been an explosion of IoT devices in the medical and manufacturing industries. These devices provide significant improvements in service, treatment and operations, but can also lead to significant exposure if not properly secured and evaluated. Several organizations such as the Open Web Application Security Project (OWASP), Online Trust Alliance, GSMA and the National Institute of Standards and Technology (NIST) have developed security best practices for the design and use of IoT-connected devices and systems. While no device, interface or network can ever be totally secure, following the guidelines provided by organizations such as these will help to ensure that basic security measures are in place to help prevent attacks and breaches.
As IoT devices are deployed, be it in a connected home or an enterprise, the risk is not simply that a device may be compromised for use in a DDoS or ransomware attack. An unsecured IoT device can itself become the attack vector that allows entry into the wider network. Yes, the potential benefits these IoT devices offer are significant enough to warrant adoption of the new technologies, but they also present real risks. To mitigate these risks while still realizing these benefits, consumers and enterprises should consider purchasing products that have been tested by a credible third party. Products that successfully attain a demonstrated level of assurance can effectively serve as the foundation for enterprise security product selection and provide a necessary level of integrity to an organization's security risk management program.
The universe of IoT encompasses many different things such as medical devices, cameras, wearables, sensors and manufacturing equipment, to list just a few. This variety carries with it a wide array of security needs, potential threat vectors and attack profiles. One device in the world of IoT may differ significantly from another; therefore, an IoT testing program should address the unique classes of IoT device types and their relevant component parts.
Components to consider when reviewing IoT products include:
- Alerting/logging
- Authentication
- Communications
- Cryptography/encryption
- Physical security and platform security
Given the risks associated with security failures, developers should not only have their IoT investments tested, but they should seek out impartial, third-party testing labs with certification programs to verify the IoT solution meets stringent security standards. Specifically, they should seek out labs that understand the risks associated with the variety and proliferation of devices and sensors that make up the IoT, the unique risks associated with the various types of devices and how to test them. Choose a test lab with a strong background in and expertise with security testing and a proven track record with information security products. Failure to select a testing and certification program with a demonstrated background in security testing could lead to longer testing engagements without the critical verifications needed on basic security measures.
About the Author:
George Japak, Program Manager, ICSA Labs