The Internet of Things (IoT) comprises a myriad of systems that combine hardware and software from multiple vendors. There are literally billions of components connected by ubiquitous and heterogeneous networks. Given the sheer diversity of IoT applications, it is hard to imagine a single standard for IoT security.
However, organizations and standards bodies such as the Internet Engineering Task Force (IETF), the Institute of Electrical and Electronics Engineers (IEEE) and the National Institute of Standards and Technology (NIST) are coming together to discuss and create guidelines for IoT security. Local and national governments are also making efforts.
Despite this progress, setting up a standard framework for IoT security is daunting. Some aspects of IoT security can be standardized more easily than others, but a single framework is unlikely to cover the full spectrum of products, devices and services and the interconnections between them.
IoT Security Standards for Enterprises and Vendors: What You Can Do Today
We believe the best practice for secure IoT is to implement a supply chain risk management (SCRM) program and to adhere to a company-wide software development life cycle (SDLC) process. Below are additional tips we recommend:
· Technology decisions need to weigh not just functionality, but also security and privacy.
· Create and implement an SCRM program that includes defined IoT security and privacy policies.
· Institute a process for risk analysis and an accompanying comprehensive security risk management program.
· Vet prospective IoT device makers, and the organizations that provide services for IoT devices.
· Create and enforce a company-wide SDLC process and make it part of every product conversation.
· Implement a robust quality assurance program that includes security testing before the product enters general availability and throughout its entire life cycle.
· Resist competitive pressure to release products that aren't market-ready.
· Commit to delivering product updates and fixes for vulnerabilities and exploits that are discovered after release.
· Subject your product, device or service to credible third-party testing.
Let's face it: IoT is raising cybersecurity issues that were not imagined several years ago, from the increasing number of connectivity types, including Ethernet, Wi-Fi and Bluetooth, to the growing complexity of so many components connected to the internet. Device manufacturers need to treat privacy and security as requirements above and beyond the functionality of the device. When this is done from the outset, it can become a competitive advantage.
The stark reality is that cyber threats are increasing in frequency, and a breach can be a costly undertaking for an organization. We should continue to strive for an industry standard for IoT security, as doing so will make the industry safer for enterprises and vendors and, most importantly, for consumers.
George Japak is managing director of ICSA Labs, an ISO 9001 and ISO/IEC 17025 accredited testing and certification lab and an independent division of Verizon.