Mitigating cyber threats is critical to the launch of a successful IoT product but many devices on the market today have not been designed with cybersecurity in mind, even fewer have had independent testing and evaluations, and standards and regulations can be confusing. This article looks at the considerations that need to be made, applicable standards, testing options and best practices for designing secure IoT products.
Mitigating cyber threats is critical to the launch of a successful product. Like technology itself, the Internet of Things (IoT) security is still in its infancy and is evolving rapidly. The legislation is also developing rapidly, with cybersecurity acts in EU and California creating further regulation. Many devices on the market today have not been designed with cybersecurity in mind, and even fewer have had independent testing and evaluations. These issues, coupled with confusing standards and regulations to comply with, make the product design landscape difficult to navigate.
What should designers and manufacturers consider when developing IoT products? What standards exist to help ensure the safety, security, and performance of these products, and how can they be leveraged? How can a manufacturer mitigate the risks and ensure a secure, successful product?
Designing for Security
Testing and applying security measures after the fact leads to more failures and increased costs as products need to be redesigned or heavily debugged in order to ensure safety measures have been properly integrated. Including experts at the start of the cybersecurity product design process will help navigate the inclusion of intrinsic security in the development process, coding reviews, threat monitoring, and mitigation measures. Additionally, experts can conduct risk assessments, review design, analyze code, and conduct pen tests, gap assessments, compliance assessments, and product certifications.
These approaches lead to safer, more secure IoT products, ensuring privacy remains intact and offering peace of mind. For manufacturers, this means better brand reputation, lower liability risk, easier regulatory approval and ease to market. In addition to design considerations, testing and evaluation offer enhanced assurance. This includes testing to industry standards and another cyber testing.
Applying Standards and Frameworks to IoT Products
There are many different cybersecurity standards and frameworks applicable to IoT products, and the ones that exist vary based on the product type. Selecting a standard will depend on the product, testing objective, and goals. These are just a few that have received notoriety in the past few years:
- ANSI/UL 2900: A family of standards for software security in IoT-oriented products used in the home. It includes requirements for assessing vulnerabilities, software weaknesses, and malware.
- Common Criteria: An international set of guidelines and specifications developed for evaluating information security products for government use. This can be applied to hardware, software, firmware, or a combination.
- ISO/IEC27000: This family of standards provides a structure for implementing an information security management system, safeguarding information assets through confidentiality, integrity, and availability. It requires a mature understanding of security at an organizational level, as well as policy and procedure-based security.
- NIST Cybersecurity Framework: This framework provides voluntary guidance based on existing industry standards, guidelines, and practices, with the goal of helping organizations manage and reduce cybersecurity risks. It must be customized based on risks, situations, and needs.
- The ISA/IEC62443 (formerly ISA-99) scheme: A conformity assessment scheme for an industrial cybersecurity program that evaluates security capabilities and ensures these capabilities have been applied to either a specific product or solution.
Testing and Evaluations
Testing with an iterative process throughout product development is important. When possible, test for cybersecurity early and often to mitigate risks along the way. This may include testing for software weaknesses, potential backdoors, interoperability concerns, functionality and performance, code analysis, and other evaluations, like penetration testing, vulnerability assessments, privacy impact evaluations, and threat risk assessments. Final product assessments should also be completed to any industry standards, with applicable certifications applied to a finished product.
Creating an IoT device can be a daunting task in a world where technology continues to evolve at a rapid pace. By keeping security in mind during the product development phase, and by following the existing guidance, standards, and best practices, manufacturers can take steps to ensure the safety, performance, and security of their devices.