The added complexity and sheer number of IoT devices also drive the critical need for a common language, or “framework,” that lets all of these devices communicate securely in our internet-connected world.
The global network of Internet of Things (IoT) devices is estimated in the billions and has greatly enhanced consumers’ lives and productivity. We can now use our smartphones to control everything from thermostats, home appliances and lighting to home security systems, to name just a few.
In this article, we highlight some key points from a recent Cloud Security Alliance (CSA) IoT Working Group report, “Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products,” including guidance on how to establish a framework, platform and privacy protections to enhance the security of IoT products.
You can also read more in our previous article, “Cyber Attacks Drive Need for IoT Security Standards,” which emphasizes some key CSA best practices for secure development and integration of IoT.
This is the second article in a five-part series on IoT security and best practices that many businesses can also use to improve their security programs.
Identify framework security features
CSA outlines integration frameworks that organizations can use in IoT development efforts and to make sure IoT devices can integrate and operate as a “single ecosystem” (even when the devices come from different manufacturers).
Some of the criteria used when selecting a framework include device on-boarding, configuration management, asset management, IoT device discovery, secure connectors (such as TLS and DTLS), strong cryptography and cloud gateways (used to link local networks and support global operations).
Some of the frameworks mentioned in the guidelines, along with mapping to criteria, include AllJoyn, HomeKit, IoTivity, ThingWorx, Xively and Oracle Java Embedded.
Evaluate IoT platform security features
IoT developers should also understand the security features of IoT products, including software (e.g., crypto, apps, third-party and protocol libraries, app sandboxes, process isolation) and hardware (e.g., security chips, sensors, memory protection).
Use a secured operating system as well, such as a Real-Time Operating System (RTOS) with secure boot and strict access controls, or a high-security microkernel, to name a few.
For safety-critical RTOS, there are industry certifications such as IEC 61508 (ICS) and ISO 62304 (medical device software).
The CSA guide also provides a table of operating systems suitable for IoT devices, such as TinyOS, LynxOS, Windows 10 IoT and many others.
Establish data privacy protections
The FTC issued a report on IoT with concrete steps organizations can take to protect consumers’ privacy and security, including building security into devices from the outset (not as an afterthought), training employees on security, establishing a “defense-in-depth” strategy and providing security patches.
A few key points from the CSA guidelines to enhance privacy safeguards:
- Design IoT solutions to collect only the minimum amount of data necessary.
- Evaluate and ensure device use cases meet compliance mandates, such as the EU Data Protection Directive (for devices sold in the EU), EU-US Privacy Shield or HIPAA (for health devices in the US).
- Understand opt-in requirements.
- Implement technical privacy protections, such as Bluetooth privacy measures (no publicly discoverable MAC addresses; use BLE privacy features) and certificate rotation, to name a few.
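As an added illustration of the BLE privacy item above (example code written for this article, not from the CSA report or the article itself), the following Go program implements resolvable private addresses as defined in the Bluetooth Core Specification (Vol 3, Part H, 2.2.2): a device derives each advertised address from a fresh random 24-bit value and a 24-bit hash computed with its Identity Resolving Key (IRK), so only peers that received the IRK during bonding can recognize the device across address rotations, while a passive observer sees only unlinkable random addresses. The IRK value and the addresses it produces are constructed for the example; the 15-minute rotation interval mentioned in the comments is the specification's recommendation.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// IRK is the 128-bit Identity Resolving Key a device shares only with bonded peers.
type IRK [16]byte

// Addr is a 48-bit Bluetooth device address, most significant octet first
// (the order in which addresses are printed, e.g. "40:fb:12:3c:9a:71").
type Addr [6]byte

func (a Addr) String() string {
	return fmt.Sprintf("%02x:%02x:%02x:%02x:%02x:%02x", a[0], a[1], a[2], a[3], a[4], a[5])
}

// ah is the random address hash function from the Core Spec:
// ah(k, r) = e(k, r') mod 2^24, where r' is the 24-bit r zero-padded to 128 bits
// and e is AES-128 encryption under key k.
func ah(k IRK, r [3]byte) [3]byte {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // cannot happen with a 16-byte key
	}
	var in, out [16]byte
	copy(in[13:], r[:]) // r occupies the least significant 24 bits of the block
	block.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:]) // keep the least significant 24 bits of the ciphertext
	return h
}

// NewResolvable builds a resolvable private address from prand (24 bits whose
// two most significant bits must be 0b01) and hash = ah(irk, prand).
func NewResolvable(irk IRK, prand [3]byte) (Addr, error) {
	if prand[0]&0xc0 != 0x40 {
		return Addr{}, errors.New("prand must have its two most significant bits set to 01")
	}
	h := ah(irk, prand)
	var a Addr
	copy(a[0:3], prand[:])
	copy(a[3:6], h[:])
	return a, nil
}

// RandomResolvable draws a fresh prand from crypto/rand; a device does this each
// time its address rotates (the spec recommends rotating at least every 15 minutes).
func RandomResolvable(irk IRK) (Addr, error) {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		return Addr{}, err
	}
	prand[0] = (prand[0] & 0x3f) | 0x40 // force the resolvable-address marker bits
	return NewResolvable(irk, prand)
}

// Resolve reports whether addr was generated with irk: recompute the hash over the
// prand half and compare. A peer without the IRK cannot link two rotations.
func Resolve(irk IRK, a Addr) bool {
	if a[0]&0xc0 != 0x40 {
		return false // not a resolvable private address (static or non-resolvable)
	}
	var prand [3]byte
	copy(prand[:], a[0:3])
	return ah(irk, prand) == [3]byte{a[3], a[4], a[5]}
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed example IRK; a real device keeps its IRK in protected storage
	// and distributes it only during pairing.
	var irk IRK
	copy(irk[:], mustHex("000102030405060708090a0b0c0d0e0f"))
	a1, _ := RandomResolvable(irk)
	a2, _ := RandomResolvable(irk)
	fmt.Println("rotation 1:", a1, "resolves with owner IRK:", Resolve(irk, a1))
	fmt.Println("rotation 2:", a2, "resolves with owner IRK:", Resolve(irk, a2))
	var stranger IRK // an unbonded observer holds no matching key
	fmt.Println("rotation 1 resolves for unbonded observer:", Resolve(stranger, a1))
}
```

Running the program prints two different addresses that both resolve under the owner's IRK and fail to resolve under any other key, which is exactly the property the guideline asks for: the device remains recognizable to its bonded peers while its advertised MAC address is no longer a stable public identifier.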
For more on IoT security, stay tuned for part 3 of our five-part series: “Hardware-based Security Controls for IoT.”