IoT security requires a multi-layer approach to security through vulnerability discovery and threat hunting.

When customers conceptualize and design their IoT products, they should be aware that there are now emerging obligations necessitating the delivery of end-to-end fully secure IoT solutions. Depending on the market and target application space, these may include:

• New regulatory compliance requirements for IoT
  • Cyber Shield Act
  • IoT Improvement Act
  • Executive Order on Improving the Nation’s Cybersecurity MAY 12, 2021
  • U.K. IoT Code of Practice
• Data privacy regulations impacting data handled by IoT devices, networks, infrastructure and applications
  • California Consumer Privacy Act CCPA, SB-327
  • General Data Protection Regulation GDPR, EU law on data protection and privacy in the European Union
  • Health Information Privacy HIPAA
• Industry standards and best practices affecting the design and implementation security requirements
  • NISTIR 8259 Core Cybersecurity Feature Baseline for Securable IoT Devices
  • ETSI Technical Spec TS 103 645 & ENISA European Standard 303 645 – Cyber Security for Consumer Internet of Things
  • NIST SP-800 and NIST SP-1800 publications
  • ISO/IEC 27000 series of information security standards
  • OWASP Embedded Application Security
• Product security certifications
  • ioXt Aliance device certification profiles
  • ARM PSA (Levels 1, 2 & 3)
  • FDA approved medical devices (e.g. DTSec SESIP)
  • FIPS 140-3, through the Cryptographic Module Validation Program (CMVP)
  • UL’s IoT Security Rating
    

This list is merely the tip of the iceberg when it comes to IoT end-to-end security requirements.  In addition to the above, customers also have to address the actual and material cybersecurity threats against their products as evident from the increasing volume, frequency, and severity of security incidents and attacks resulting in compromised devices, stolen/lost data, and disrupted applications and critical systems in many publicized incidents of IoT security breaches.

Given the level of complexity and expertise in security that is required to begin tackling these requirements, how do you get started?

The first step is to perform security assessments and survey the threat landscape to get an increasingly more clear and coherent picture of the risks and vulnerabilities impacting the customer IoT products at every level. Indeed, the first step is to assess and uncover the specific threats using threat modeling and hands-on penetration (pen) testing. The threat assessment and vulnerability testing should ideally be performed not just at the device level but should also include the network layer (e.g., wireless mesh networks, RF protocols, and mobile device connectivity). It should also cover any security and controls that exist in the customer’s cloud, data, and application layer and should also cover privacy issues surrounding machine learning, data management, analytics, and automation. The test should be holistic and specialized to ensure the customer fully understands the scope and details of security requirements they need to address as part of their design, production, and device life-cycle process implementation.