Verimatrix Labs
Mar 23, 2019

It’s been shown and surveyed sufficiently: IoT security issues hinder adoption and pose a risk not just to revenues but also to infrastructure and privacy.

This realization has triggered recommendations, guidelines and standards on how to fix it. For example, the IoT Security Foundation published a framework and guidelines, and the IIC published a security framework with details on over 170 pages. NIST has Considerations on 260 pages, and there is a bill in the Senate. Microsoft, Intel and AT&T have their own guides.

There are enough recommendations to fill buckets and lists. Case in point: the NIST report (November 2018) contains 185 pages listing relevant standards. And multiple active listings, like those from David Rogers, Bruce Schneier and NTIA, try to keep track of the growing number.

This makes sense – IoT is about many different things and every “Thing” has its own attacks and appropriate security levels. We are now thinking about approaches that would offer a reputation for different things - an overarching system that can be used to assign trust to every “Thing.” After all, the standard does not really matter to the end user but rather the trust lies in some “Thing.” (I’ll write about this in a separate post; back to the recommendations and standards.)

Overall, many standards boil down to a few central rules; security is not only a process but it is also a moving target. Keeping a lookout for the weakest link is a lesson we have learned from our anti-piracy work and that is not different in other domains. We may not know which link will have an exploitable weakness, but it surely helps to keep track of different levels.

An overview of these levels is the best way to start, and a good list I have seen has been published by the UK DCMS. As part of the security by design initiative, they have published a code of practice - it’s a checklist of 13 important measures, but it is not yet another list of recommendations. It comes with a full list of references and links to the other recommendations taken from the lists mentioned above. All this is visualized in a big overall picture, with individual references for each of these elements, on iotsecuritymapping.uk.

[Image: iotx.png]

To me, the visual above (available here) is a great way to browse deeper into individual recommendations, but it can also be a way to focus on the important items, while being reassured that it is based on research of more than 100 documents from almost 50 different organizations analyzing 1,001 different recommendations (or at least the 785 accumulated pointers to specific items in the documents from the 13 code of practice items).

I am interested in the topic as I am involved in another initiative by the ioXt Alliance, which meets to discuss industry goals and often centers around similar goals. They are at the core of the security practice and actually reflect in many parts what we have done in the past and, with the acquisition by Inside Secure, we are able to provide many of these components as tools for others to secure their systems and to embrace the fundamental security principles.

More details to come soon.