The term Internet of Things (IoT) describes a network of technologies and services where various devices are interconnected and exchange data. These devices can be anything from wearable fitness trackers, smart televisions, and wireless infusion pumps to cars and many others. These internet-connected devices gather, process, and transmit a vast amount of data, including personal information, proprietary data, and infrastructure data that can be used for critical decisions or to bring about physical changes.
From connected devices to connected places
IoT is closely connected to cyber-physical systems and helps improve the quality of service of smart infrastructures. Smart infrastructure offers numerous advantages by bringing severe cost savings and efficiencies to various scenarios – from Industry 4.0 and smart manufacturing to eHealth and smart homes to traffic management and public transportation services.
According to NCSC, IoT-connected devices are the backbone of connected places. "A connected place," says NCSC, "can be described as a community that integrates information and communication technologies and IoT devices to collect and analyze data to deliver new services to the built environment and enhance the quality of living for citizens."
A connected place will utilize a range of sensors, networks, and applications to gather data and enhance its operation, covering areas such as transportation, buildings, utilities, environment, infrastructure, and public services.
The IoT security challenge
With the emergence of new applications, the IoT has introduced new security concerns. The operations and services supported by these systems involve the movement, processing, and storage of sensitive information and the control of crucial operational technology. As a result, these systems have become an appealing target for various malicious actors.
As the technology supporting connected initiatives evolves, more applications are identified in the consumer and industrial settings, and more moving parts are added to the ecosystem, risks will only increase. These security considerations are amplified by the nature of the IoT devices with constrained power and processing and limited ability to manage, update, and patch devices at scale.
If connected systems are breached, the consequences could affect the security of local communities and national economies. Impacts could range from privacy breaches to critical functions disruption or failure. This could mean destructive effects, which sometimes could endanger people's lives. There could also be impacts on the entities that are attacked. These could include a loss of reputation or the financial implications of dealing with the aftermath of an attack.
To help IoT producers and consumers tackle the IoT security challenges, various national and international organizations around the world have developed security frameworks. These frameworks share a common goal; how to produce secure IoT devices and safeguard people, industries, and local communities using these technologies.
Let's tour the world using these frameworks as our guide.
United States: NIST Cybersecurity for IoT Program
NIST's approach to IoT cybersecurity follows five principles:
- No one-size-fits-all: Allow for diversity of approaches and solutions across industries, verticals, and use cases.
- Ecosystem of Things: No device exists in a vacuum, so look at the entire ecosystem, not just the IoT endpoints.
- Outcome-based Approach: Specify your desired outcomes and enable both providers and customers to select the optimal solutions for their devices and settings.
- Risk-based Understanding: Focus on how IoT characteristics affect system and organizational cybersecurity risk.
- Stakeholder Engagement: Collaborate with diverse stakeholders regarding tools, guidance, standards, and resources.
In line with these principles, NIST has developed three series of publications:
- The NISTIR 8259 series of reports guides manufacturers and their supporting third parties as they conceive, design, develop, test, sell, and support IoT devices across their spectrum of customers.
- The NIST SP 800-213 series addresses the requirements of federal agencies that deploy IoT devices within their environments. The IoT Cybersecurity Act of 2020 required NIST to guide federal agencies on "the appropriate use and management by agencies of [IoT] devices" connected to information systems.
- In response to Executive Order 14028 and following extensive consultation from respective stakeholders, NIST published NIST IR 8425, which provides recommendations for cybersecurity features in consumer IoT products.
The Australian Cyber Security Centre (ACSC) has produced this guidance for manufacturers to help them implement thirteen secure-by-design principles. The guidance focuses on devices, not their associated backend servers, where specific security guidance applies. The thirteen principles include best practices like:
- No duplicated default or weak passwords
- Implement a vulnerability disclosure policy
- Securely store credentials
- Ensure the protection of personal data
- Minimize the exposed attack surface
- Ensure communication security
- Ensure software security and integrity
- Develop systems resilient to outages
Egypt: IoT Cyber Security Framework
The Egyptian National Telecom Regulatory Authority (NTRA) published the IoT security guidelines framework, including best practices and guidance applicable and effective in Egypt. The framework aims to help IoT service providers secure their products and services by following a set of processes to mitigate the most known attacks and vulnerabilities. The goal is to make consumers and organizations benefit from their IoT devices and services securely, safely, and privately.
The framework applies to consumer and critical infrastructure IoT and follows a three-step security assurance process:
- Perform risk assessment per identified use case to prioritize risks.
- Define high-level security controls per assurance level.
- Assess conformity and compliance with defined security requirements.
United Kingdom: Connected Places Cyber Security Principles
The NCSC developed guidelines focus on three principles to design, build, and operate a secure connected place.
- Understand your connected place. Develop understanding and context for your connected place, including the risks and potential impacts in case of a breach, governance and skills required, supply chain role, and regulatory requirements.
- Design your connected place. Having developed an understanding and context for your connected place, the priority should now be to make compromise difficult for any attacker. This principle describes secure-by-design steps, including system architecture, data protection, resilience, and scalability.
- Manage your connected place. Having followed the connected place design principles to make compromise difficult for any attacker, the priority should now be to manage your connected place's privileged accesses and supply chain throughout its life cycle. This will include managing incidents and planning your response and recovery.
NISA develops guidance to secure IoT and smart infrastructures from cyber threats by highlighting good security practices and proposing recommendations to operators, manufacturers, and decision-makers. ENISA's recommendations span different facets of the IoT ecosystem, including devices, software development lifecycles, networks, etc. In addition to the publications, ENISA has developed a tool that provides an aggregated view of the ENISA Good Practices for IoT and Smart Infrastructure published in the last few years.
Navigating through the evolving IoT landscape may sound challenging. Still, it is a necessity if we want to secure innovation, effectiveness, and efficiency at home, in our communities and cities, and critical infrastructure. The common denominator of all security frameworks is developing and maintaining an understanding of what you are trying to secure. And this is where we need to focus first: visibility.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.