On December 6, 2016, the IoT “Internet of Things” Security Foundation announced a new Security Compliance Framework. Below is an intro to IoT and an executive summary of how the Framework will impact information security teams.
What Is The Internet of Things?
Generally speaking, the Internet of Things (“IoT”) applies to objects with internet capabilities whether they be smartphones, tablets, or smart house systems like Hue. However, as Jose Tabuena at Compliance Week notes, “the definition of the IoT has evolved over time. TechTarget describes IoT as “a scenario in which objects, animals, or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.” Forbes provides a nice simple description of the concept as one of “connecting any device with an on and off switch to the Internet (and/or to each other).” These devices which are used for work, school, and entertainment provide enormous connectivity capacities. However, that is precisely what makes them a security risk.
Slow down you move too fast…
IoT risks are enhanced by speed of implementation and lack of consumer knowledge. The subcommittee of Commerce, Manufacturing and Trade and the subcommittee Communications and Technology held a hearing on November 16, 2016 to discuss these risks. The hearing started by discussing the October denial-of-service attack which was caused by “weaponizing unsecured network connected devices like cameras and DVRs. Once these devices were under the control of bad actors, they were used to send a flood of DoS requests that ultimately rendered the DoS servers ineffective.” Estimates indicate the existence of 3.4 billion connected devices as potential entry points for 2017 alone. With connected medical devices and connected, self-driving cars increasingly being manufactured or researched, this means that protecting the increasing number of entry points will only get more cumbersome.
Who Is the IoT Security Foundation?
To the extent that a business offers cloud services that are connectible using wireless networks, this push to ensure greater safety will be important. The Internet of Things Security Foundation is a “collaborative, non-profit, international response to the complex challenges posed by security in the expansive hyper-connected world.” In short, IoTSF acts as a self-regulating body to help enhance information security for IoT while still allowing for innovation. As such, the standards it set up could be viewed similarly to those by the International Standards Organization. The importance of IoTSF lies in its ability to have security professionals who work in various areas of InfoSec to help innovators and customers continue to create devices in ways that keep them safe.
What Do the IoT Frameworks Look Like?
IoTSF is not the only one submitting a framework. CISCO has also proposed an IoT framework. Both take a different approach in the information provided publicly. IoTSF provides a checklist to help get companies started. CISCO focuses more on giving definitions and information to help understand the security issues surrounding IoT. Putting the two together can help create the basis of an effective program.
The IoTSF checklist creates a risk-based approach that looks similar to other compliance programs. This risk assessment involves looking at the products as well as the business practices currently in place. The proposed framework lists 12 areas to be reviewed:
Business Security Processes and Responsibility
Device Hardware & Physical Security
Device Operating System
Device Wired and Wireless Interfaces
Authentication and Authorization
Encryption and Key Management for Hardware
Web User Interface
Cloud and Network Elements
Secure Supply Chain and Production
For each of these areas, the framework provides questions and gives a place to link to evidence. For companies trying to stay ahead of the compliance curve, beginning the process of reviewing IoT security may make 2017 easier.
With the growing number of IoT devices, there is a need for business, manufacturers, and customers to work together to keep information, software, and hardware safe. Ultimately, however, it will be industry experts who guide these standards because they can triage the important concerns. Your business would be well placed to begin reviewing its IoT related risk to determine the best way to implement the Security Compliance framework.