504,114 active members
5,663 visitors online
Register for free
Login Register
WIBU-SYSTEMS Blog

Time for IoT Security Standards?

March 2019
26
med_wibu-systems
Author: med_wibu-systems
Company: WIBU-SYSTEMS AG
Time for IoT Security Standards?

The U.S. Congress recently introduced legislation to address the growing concern for security on IoT devices purchased by the U.S. government.

Does the proposal go far enough? Let’s take a further look.

Legislators point out that connected devices are expected to exceed 20 billion units by 2020 and they say that insecure IoT devices are one of the “most important emerging cyberthreats” to U.S. national security. While the proposed bill wouldn’t require security standards for all IoT companies, it would require a bare minimum of security standards for any IoT devices that the federal government purchases. Their hope is that by improving security standards for the federal government, which is a prime customer, standards for the entire IoT market would improve along with it.

If the legislation passes, the IoT Cybersecurity Improvement Act would require that federal government use only IoT devices that meet the IoT security standards recommended by the National Institute of Standards and Technology (NIST).

To get a better idea as to where NIST is focusing their IoT standardization efforts, it helps to read their whitepaper published in October 2018, Internet of Things Trust Concerns. The publication identifies 17 technical trust-related concerns for individuals and organizations before and after IoT adoption. NIST emphasizes that trust should be viewed as a level of confidence. In their white paper, they consider trust on two levels: (1) whether a “thing” or device trusts the data it receives, and (2) whether a human trusts the “things,” services, data, or complete IoT offerings that it uses. This particular document focuses on the human trust, and as such, highlights technical concerns that can negatively affect one’s ability to trust IoT products and services.

The security concerns noted are: Scalability; Heterogeneity; Ownership and Control; Composability, Interoperability, Integration, and Compatibility; “Ilities”; Synchronization; Measurement; Predictability; Testing and Assurance; Certification; Security; Reliability; Data Integrity; Excessive Data; Performance; Usability; and Visibility and Discovery. All of these concerns are described in more detail in the white paper with suggestions, in some cases, to mitigate those risks.

In the security realm, they note that trust is a concern for all “things” in IoT systems. For example, sensor data may be tampered with, stolen, deleted, dropped, or transmitted insecurely, allowing it to be accessed by unauthorized parties. IoT devices may be counterfeited and default credentials used. Furthermore, unlike traditional personal computers, there are few secure upgrade processes for “things,” such as patches or updates.

The document elaborates on the issue of the usage of default passwords and credentials as an ongoing problem that has plagued the security community for some time. It further points out the weaknesses inherent in the upgrade process in which manufacturers deliver patches and updates for IoT devices that have yet to be mitigated with standard practices.

Finally, the white paper points out the significant differences in trust concerns for an IoT system compared to traditional IT systems, such as much smaller size and limited performance, larger and more diverse networks, minimal or no user interface, lack of consistent access to reliable power and communications, and many others.

The proposed legislation and NIST’s efforts to propose standardized security guidelines for IoT suppliers to the U.S. government is a move in the right direction. The risks in the IoT clearly necessitate new approaches to device planning and design to develop a firm root of trust in these devices. However, it is a movement that needs to be recognized and embraced by the global community as well.

In parallel to this effort, you might be interested in reading the Industrial Internet Consortium's view on the characteristics of Trustworthiness in Industrial IoT systems, in their Introduction into Trustworthiness.

Blog Archiv

September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
October 2016
September 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016