When customers conceptualize and design their IoT products, they should be aware that there are now emerging obligations necessitating the delivery of end-to-end fully secure IoT solutions. Depending on the market and target application space, these may include:
- New regulatory compliance requirements for IoT
  - Cyber Shield Act
  - IoT Improvement Act
  - Executive Order on Improving the Nation's Cybersecurity, May 12, 2021
  - U.K. IoT Code of Practice
- Data privacy regulations impacting data handled by IoT devices, networks, infrastructure and applications
  - California Consumer Privacy Act (CCPA), SB-327
  - General Data Protection Regulation (GDPR), EU law on data protection and privacy in the European Union
  - Health Information Privacy (HIPAA)
- Industry standards and best practices affecting the design and implementation of security requirements
  - NISTIR 8259 Core Cybersecurity Feature Baseline for Securable IoT Devices
  - ETSI Technical Spec TS 103 645 & ENISA European Standard 303 645 – Cyber Security for Consumer Internet of Things
  - NIST SP-800 and NIST SP-1800 publications
  - ISO/IEC 27000 series of information security standards
  - OWASP Embedded Application Security
- Product security certifications
  - ioXt Alliance device certification profiles
  - Arm PSA (Levels 1, 2 & 3)
  - FDA-approved medical devices (e.g. DTSec, SESIP)
  - FIPS 140-3, through the Cryptographic Module Validation Program (CMVP)
  - UL's IoT Security Rating
This list is merely the tip of the iceberg when it comes to IoT end-to-end security requirements. In addition to the above, customers also have to address the actual and material cybersecurity threats against their products. These threats are evident from the increasing volume, frequency, and severity of security incidents and attacks, which in many publicized IoT security breaches have resulted in compromised devices, stolen or lost data, and disrupted applications and critical systems.
Given the level of complexity and expertise in security that is required to begin tackling these requirements, how do you get started?
The first step is to perform security assessments and survey the threat landscape to build a clearer and more coherent picture of the risks and vulnerabilities impacting the customer's IoT products at every level. Concretely, this means assessing and uncovering the specific threats through threat modeling and hands-on penetration (pen) testing. The threat assessment and vulnerability testing should ideally be performed not just at the device level but should also include the network layer (e.g., wireless mesh networks, RF protocols, and mobile device connectivity). It should also cover any security controls that exist in the customer's cloud, data, and application layers, and should address the privacy issues surrounding machine learning, data management, analytics, and automation. The testing should be both holistic and specialized, so that the customer fully understands the scope and details of the security requirements they need to address as part of their design, production, and device life-cycle process implementation.
IBM X-Force Red provides the subject matter experts as well as pen testers who can work with our customers to do exactly what is described above. Starting with a focused threat modeling workshop, they can explore the specific regulatory needs, privacy concerns, standards, and certification requirements. They can also discuss the specific threat models and scenarios the customer should be considering and designing mitigations for. Following this workshop, the customer will be provided with a high-level action roadmap that may include additional activities, such as specific pen testing on some or all of the areas mentioned above. Customers can then work directly with IBM to perform the assessments and obtain more details. Customers can also use the outputs of these assessment activities to inform how they should utilize our product security features, Secure Vault, and CPMS, as well as other IoT security capabilities that will be offered going forward.