There isn’t a day that goes by now without another Internet of Things (IoT) security story. The details are lurid, the attacks look new and the tech is, well, woeful. You would be forgiven for thinking that nobody is doing anything about security and that nothing can be done: it’s all broken.
What doesn’t usually reach the press is what has been happening in the background from a defensive security perspective. Some industries have been doing security increasingly well for a long time. The mobile industry has been under constant attack since the late 1990s. As mobile technology and its uses have advanced, so has the necessity of security invention and innovation. Some really useful techniques and methods have been developed which could and should be transferred into the IoT world to help defend against known and future attacks. My own company is running an Introduction to IoT Security training course for those of you who are interested. There is of course a lot of crossover between mobile and the rest of IoT. Much of the world’s IoT communications will transit mobile networks and many mobile applications and devices will interact with IoT networks, end-point devices and hubs. The devices themselves often have chips designed by the same companies and software which is often very similar.
The Internet of Things is developing at an incredible rate and there are many competing proprietary standards in different elements of systems and in different industries. It is extremely unlikely there is going to be one winner or one unified standard – and why should there be? It is perfectly possible for connected devices to communicate using the network and equipment that is right for that solution. It is true that as the market settles down some solutions will fall by the wayside and others will consolidate, but we’re really not at that stage yet and won’t be for some time. Quite honestly, many industries are still trying to work out what is actually meant by the Internet of Things and whether it is going to be beneficial to them or not.
What does good look like?
What we do know is what we don’t want. We have many lessons from recent computing history showing that we ignore and neglect security at our peril. The combined efforts and experiences of technology companies that spend time defending their product security, as well as those of the security research community (so often painted as the bad guys, “the hackers”), have also significantly informed what good looks like. It is down to implementers to actually listen to this advice and make sure they follow it.
We know that opening the door to reports about vulnerabilities in technology products leads to fixes which bring about overall industry improvements in security. Respect on both sides has been gained through the use of Coordinated Vulnerability Disclosure (CVD) schemes by companies and now even across whole industries.
We know that regular software updates, whilst a pain to establish and maintain, are one of the best preventative and protective measures we can take against attackers. They shut the door on potential avenues for exploitation and shrink the window of exposure to the point where it is not worth an attacker even beginning the research needed to create an attack.
Industry-driven recommendations and standards on IoT security have begun to emerge in the past five years. Not only that, the various bodies are interacting with one another and acting pragmatically; where a standard exists there appears to be a willingness to endorse it and move on to areas that need fixing.
Spanning the verticals
There is a huge challenge which is particular to IoT, and that is the diversity of uses for the various technologies and the huge number of disparate industries they span. The car industry has its own standards bodies and has to carefully consider safety aspects, as does the healthcare industry. These industries, and the government regulatory bodies related to them, all differ in their own ways. One unifying topic is security, and it is now so critically important that we get it right across all industries. With every person in the world connected, the alternative of sitting back and hoping for the best is to risk the future of humanity.
Links to recommendations on IoT security
To pick some highlights (full disclosure: I’m involved in the first two), the following bodies have created some excellent recommendations around IoT security and continue to do so:
• IoT Security Foundation Best Practice Guidelines
• GSMA IoT Security Guidelines
• Industrial Internet Consortium
The whole space is absolutely huge, but I should also mention the incredible work of the IETF (Internet Engineering Task Force) and 3GPP (the mobile standards body for 5G) to bring detailed bit-level standards to reality and ensure they are secure. Organisations like the NTIA (the US National Telecommunications and Information Administration), the DHS (US Department for Homeland Security) and AIOTI (The EU Alliance for Internet of Things Innovation) have all been doing a great job helping to drive leadership on different elements of th
I maintain a list of IoT security resources and recommendations on this post.
This is a list of useful documentation and links for anyone interested in IoT security, either for building products or as general reference material. The list is alphabetical and doesn’t denote any priority. I’ll maintain this and update it as new documentation gets published. Please feel free to add links in the comments and I will add them to the list.
- [GDPR] Article 29 Data Protection Working Party – Opinion 8/2014 on the Recent Developments on the Internet of Things: http://www.dataprotection.ro/servlet/ViewDocument?id=1088
- Alliance for Internet of Things Innovation (AIOTI) (includes security recommendations): https://aioti.eu/wp-content/uploads/2017/03/AIOTI-Digitisation-of-Ind-policy-doc-Nov-2016.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Report on Workshop on Security and Privacy in the Hyper-Connected World: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Internet of Things Applications: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG01Report2015-Applications.pdf
- Alliance for Internet of Things Innovation (AIOTI) – High Level Architecture (HLA; Release 3.0): https://aioti.eu/wp-content/uploads/2017/06/AIOTI-HLA-R3-June-2017.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Report: Working Group 4 – Policy: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG04Report2015-Policy-Issues.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Smart Living Environment for Ageing Well: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG05Report2015-Living-Environment-for-Ageing-Well.pdf
- AT&T – The CEO’s Guide to Securing the Internet of Things: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf
- Atlantic Council Scowcroft Center for Strategy and Security – Smart Homes and the Internet of Things (issue brief): http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf
- Automotive Information Sharing and Analysis Centre (Auto ISAC) – Automotive Cybersecurity Best Practices: https://www.automotiveisac.com/best-practices/
- BITAG: https://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
- CableLabs – A Vision for Secure IoT: https://www.cablelabs.com/insights/vision-secure-iot/
- Cloud Security Alliance – Future-proofing the connected world: 13 steps to Developing Secure IoT Products: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
- Cloud Security Alliance (CSA) – Security Guidance for Early Adopters of the Internet of Things (IoT): https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
- Dutch Cyber Security Council – European Foresight Cybersecurity Meeting: Public Private Academic Recommendations to the European Commission About Internet of Things And Harmonization of Duties of Care: https://www.cybersecurityraad.nl/binaries/Report%20European%20Foresight%20Cyber%20Security%202016_tcm107-263227.pdf
- Department of Homeland Security – Strategic Principles for Securing the Internet of Things: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf
- European Union Agency for Network and Information Security (ENISA) – ENISA Workshop on Cyber security for IoT in Smart Home Environments: https://www.ENISA.europa.eu/events/copy_of_ENISA-workshop-on-cyber-security-for-iot-in-smart-home-environments/2-ENISA-iot-validation-workshop/at_download/file
- European Union Agency for Network and Information Security (ENISA) – Baseline Security Recommendations for Internet of Things: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport
- European Union Agency for Network and Information Security (ENISA) – Security and Resilience of Smart Home Environments: https://www.ENISA.europa.eu/publications/security-resilience-good-practices
- European Commission and AIOTI – Report on Workshop on Security & Privacy in IoT: http://ec.europa.eu/information_society/newsroom/image/document/2017-15/final_report_20170113_v0_1_clean_778231E0-BC8E-B21F-18089F746A650D4D_44113.pdf
- GSMA IoT Security Guidelines: https://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/
- GSMA IoT security checklist for self-assessment: https://www.gsma.com/iot/iot-security-assessment/
- Internet Engineering Task Force (IETF): https://www.ietfjournal.org/internet-of-things-standards-and-guidance-from-the-ietf/
- Internet Engineering Task Force (IETF) – Best Current Practices (BCP) for IoT Devices: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
- I am the Cavalry – Five Star Automotive Cyber Safety Framework: https://www.iamthecavalry.org/wp-content/uploads/2014/08/Five-Star-Automotive-Cyber-Safety-February-2015.pdf
- I am the Cavalry – Hippocratic Oath for Connected Medical Devices: https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf
- IEEE – IoT Security Principles and Best Practices: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf
- IERC European Research Cluster on the Internet of Things – IoT Governance, Privacy and Security Issues – IERC Position Paper: http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf
- IIC Industrial Internet Security Framework: https://www.iiconsortium.org/IISF.htm
- Intel – Policy Framework for the Internet of Things (IoT): https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/policy-iot-framework.pdf
- International Electrotechnical Commission (IEC) – IoT 2020: Smart and secure IoT platform: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf
- Internet Engineering Task Force (IETF) – CBOR Object Signing and Encryption (COSE): https://tools.ietf.org/pdf/draft-ietf-cose-msg-24.pdf
- Internet Engineering Task Force (IETF) – RFC 2904: AAA Authorization Framework: https://tools.ietf.org/rfc/rfc2904.txt
- Internet Engineering Task Force (IETF) – RFC 3552: Guidelines for Writing RFC Text on Security Considerations: https://tools.ietf.org/html/rfc3552
- Internet Engineering Task Force (IETF) – Object Security of CoAP (OSCOAP) July 2017. Internet-Draft: https://tools.ietf.org/pdf/draft-ietf-core-object-security-04.pdf
- Internet Engineering Task Force (IETF) – RFC7519: JSON Web Token (JWT): https://tools.ietf.org/html/rfc7519
- Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG) – State-of-the-Art and Challenges for the Internet of Things Security: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/
- Internet Society (ISOC) – The Internet of Things: An Internet Society Public Policy Briefing: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf
- IoT Alliance Australia – Internet of Things Security Guideline (v1.2): https://www.iot.org.au/wp/wp-content/uploads/2016/12/IoTAA-Security-Guideline-V1.2.pdf
- IoT Security Foundation – Connected Consumer Secure Design Best Practice Guidelines: https://www.iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Whitepaper: Establishing Principles for IoT Security: https://iotsecurityfoundation.org/wp-content/uploads/2015/09/IoTSF-Establishing-Principles-for-IoT-Security-Download.pdf
- IoT Security Foundation – IoT Security Compliance Framework: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Connected Consumer Best Practice Guidelines: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Vulnerability Disclosure Best Practice Guidelines: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Best Practice User Mark: https://iotsecurityfoundation.org/best-practice-user-mark/
- IoT Security Foundation – IoT security training: https://iotsecurityfoundation.org/iot-security-training
- IoT Security Initiative: https://www.iotsi.org
- ISO/IEC JTC 1 – Smart Cities. Preliminary Report 2014: https://www.iso.org/files/live/sites/isoorg/files/developing_standards/docs/en/smart_cities_report-jtc1.pdf
- Internet Research Task Force (IRTF) – Thing-2-Thing Research Group (T2TRG) – State-of-the-Art and Challenges for the Internet of Things Security: https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-15
- Microsoft – Internet of Things security architecture (STRIDE threat model for IoT): https://docs.microsoft.com/en-us/azure/iot-suite/iot-security-architecture
- Microsoft – IoT Security Best Practices: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
- MIT Laboratory for Computer Science – Dos and Don’ts of Client Authentication on the Web: http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
- New York City – Guidelines for the Internet of Things (security): https://iot.cityofnewyork.us/security/
- NIST Lightweight Project: www.nist.gov/sites/default/files/documents/2016/10/17/sonmez-turan-presentation-lwc2016.pdf
- NIST Special Publication 800-160 – Systems Security Engineering: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
- Draft NIST Interagency Report (NISTIR) 8200, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT): https://www.nist.gov/news-events/news/2018/02/draft-nist-interagency-report-nistir-8200-interagency-report-status
- US National Telecommunications and Information Administration (NTIA) – Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
- NTIA – Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
- Object Management Group (OMG) Cloud Standards Customer Council (CSCC) – Cloud Customer Architecture for IoT: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf
- OECD – Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document: https://read.oecd-ilibrary.org/science-and-technology/digital-security-risk-management-for-economic-and-social-prosperity_9789264245471-en#page58
- OECD – OECD Council Recommendation on Principles for Internet Policy Making: https://www.oecd.org/internet/ieconomy/49258588.pdf
- Ofcom – Review of latest developments in the Internet of Things: https://www.ofcom.org.uk/__data/assets/pdf_file/0007/102004/Review-of-latest-developments-in-the-Internet-of-Things.pdf
- Online Trust Alliance – IoT Security & Privacy Trust Framework (v2.5): https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
- OneM2M – Security (Technical Report): https://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf
- OneM2M – Security Solutions (Technical Specification): https://www.onem2m.org/images/files/deliverables/Release2A/TS-0003-Security_Solutions-v_2_12_1-.pdf
- Open Web Application Security Project (OWASP) – OWASP Secure Coding Practices Quick Reference Guide: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
- OWASP – IoT Security Guidance: https://www.owasp.org/index.php/IoT_Security_Guidance
- Smart Card Alliance – Embedded Hardware Security for IoT Applications: https://www.securetechalliance.org/wp-content/uploads/Embedded-HW-Security-for-IoT-WP-FINAL-December-2016.pdf
- Software and Information Industry Association (SIIA) – Empowering the Internet of Things: Benefits: http://www.siia.net/Portals/0/pdf/Policy/Reports/Empowering%20the%20Internet%20of%20Things.pdf
- Software Assurance Forum for Excellence in Code (SAFECode) – Fundamental Practices for Secure Software Development: http://safecode.org/wp-content/uploads/2014/09/SAFECode_Dev_Practices0211.pdf
- Software Assurance Forum for Excellence in Code (SAFECode) – Call it the Internet of Connected Things: The IoT Security Conundrum: https://safecode.org/call-it-the-internet-of-connected-things-the-iot-security-conundrum/
- Symantec – An Internet of Things Security Reference Architecture: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf
- Telecommunications Industry Association (TIA) – Realizing the Potential of the Internet of Things: Recommendations to Policy Makers: https://www.tiaonline.org/wp-content/uploads/2018/05/Realizing_the_Potential_of_the_Internet_of_Things_-_Recommendations_to_Policymakers.pdf
- UK government Walport report: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/409774/14-1230-internet-of-things-review.pdf
- US Senate – S.1691 – Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill): https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
- W3C Web of Things: https://www.w3.org/WoT/ (not yet published specific security material)
- GSMA Building Trust and Respecting Privacy in the ‘Internet of Things’: https://www.gsma.com/connectedliving/iot-knowledgebase/introduction-iot-privacy-building-trust-iot/
- GSMA’s IoT Privacy by Design Decision Tree: https://www.gsma.com/connectedliving/wp-content/uploads/2016/09/IoT-%E2%80%98Privacy-By-Design%E2%80%99-decision-tree.pdf
- New York City – Guidelines for the Internet of Things (privacy and transparency): https://iot.cityofnewyork.us/privacy-and-transparency/
- Nominet – Privacy Guidelines for IoT – What you need to know: https://www.nominet.uk/researchblog/privacy-guidelines-iot-need-know-infographic/
- OLSWANG – Privacy and Security in the Internet of Things Challenge or Opportunity: https://www.olswang.com/media/48315339/privacy_and_security_in_the_iot.pdf
Additional papers and analysis of interest:
- Think Tank at the intersection of technology and security – Internet of Insecure Things: https://www.stiftung-nv.de/en/node/2119
- NCC – Security of Things: An Implementers Guide to Cyber Security for Internet of Things devices and beyond: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/april/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/
With special thanks to Mike Horton, Mohit Sethi, Ryan Ng and those others who have contributed or have been collecting these links on other sites, including Bruce Schneier and Marin Ivezic.
24th November 2016: Added GSMA self-assessment checklist, Cloud Security Alliance research paper, Symantec paper and AT&T CEO’s guide.