News Feature | October 11, 2016

Guidance Report To Secure IoT Product Ecosystem Released


By Christine Kern, contributing writer


Report provides actionable and useful guidance to help boost overall security of IoT products.

The Cloud Security Alliance (CSA) IoT Working Group has released a detailed and hefty guidance report, Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products, created to help designers and developers of Internet of Things (IoT) related products and services understand the basic security measures that must be incorporated throughout the development process.

In April 2015, the CSA IoT Working Group provided systems-level security guidance in Security Guidance for Early Adopters of the IoT, but the new report acknowledges an IoT system is only as secure as its weakest link. The report states, “This document is our attempt at providing actionable and useful guidance for security of the individual products that make up an IoT system — to raise the overall security posture of IoT products.”

And while many in the industry perceive IoT product and system security as an insurmountable effort, the CSA IoT Working Group writes, “With the help of volunteers like those in our CSA IoT Working Group, we can at least attempt to provide a helping hand to product developers that know their products are at risk of compromise but don’t know where to start the process for mitigating that risk.”

“It is often heard in our industry that securing IoT products and systems is an insurmountable effort,” said Brian Russell, Chair IoT Working Group and Chief Engineer, Cyber Security Solutions with Leidos. “However, with the help of our extremely knowledgeable and dedicated volunteers, we are providing a strong starting point for organizations that have begun transforming their existing products into IoT-enabled devices, as well as newly emerging IoT startups. We hope to empower developers and organizations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products.”

The 80+ page report presents 13 considerations and guidance for designing and developing secure IoT devices in order to mitigate some of the more common issues associated with IoT device development. The report also outlines the top five security considerations that can help significantly increase an IoT product’s security posture.

According to the report, “IoT product developers should start with the following security engineering practices:

  1. Design and implement a secure firmware/software update process
  2. Secure product interfaces with authentication, integrity protections and encryption
  3. Obtain an independent security assessment of your IoT products
  4. Secure the companion mobile applications and/or gateways that connect with your IoT products
  5. Implement a secure root of trust for root chains and private keys on the device.”

The report also highlights results of a security survey conducted by the CSA IoT Working Group, which found that startups don’t consider information stored on a device as sensitive and rely heavily on the use of COTS services, and that most are using AES, although most also consider encryption unimportant. Other findings include: users want to share information; most devices don’t share a master key across devices; there is no security applied to the development environment; there is no threat modeling of products; there are no secure firmware updates; and investors are focused on functionality, not security.

The CSA IoT Working Group, led by Brian Russell, Priya Kuber, Dr. Shyam Sundaram, Aaron Guzman, Arlene Mordeno, and Sabri Khemissa, is charged with understanding the relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their implementations.