Product Security Glossary

IoT Security Standards

What are IoT security standards?

IoT security standards are a set of principles and guidelines to ensure that devices on the Internet of Things run in a secure manner. 

What is the IoT?

The Internet of Things can enable communication between various types of electronic devices and a central gateway, or it can allow the devices to communicate directly with each other.  There’s a wide range of IoT devices that can include surveillance cameras, smart doorbells, industrial controllers, automotive control systems, building management systems, and much more.

Why do we need IoT security standards?

The specific reasons we need IoT security standards can vary, according to the application involved.  For devices in the home, privacy is a big issue.  Smart electric meters, for example, constantly transmit energy usage data back to the power company.  Any unauthorized person who could find a way to monitor these data could build a profile about the homeowner’s life.  This could include appliance usage data, when the homeowner is home, and when the homeowner is away.  Seeing spikes in energy usage during specific times on specific days could even help the intruder deduce the homeowner’s religious beliefs. 

Modern automobiles are controlled by a system of embedded computers, many of which are connected to the IoT.  If these systems are not properly designed and secured, an attacker could possibly connect to a specific auto over the Internet and take control of it. 

Alarm systems in either a home or in a public building could be manipulated by an intruder, in order to facilitate burglaries.  Industrial control systems that run with IoT devices often control critical safety systems.  Allowing someone to tamper with these systems could result in damage or destruction for either the equipment or for personnel. 

Attackers can find unsecured IoT devices by searching through the Internet and join them to an IoT botnet.  The attackers can then use the botnet to help distribute malware or to engage in Denial-of-Service attacks against other victims. 

How can we enhance IoT security?

First, device manufacturers must design devices with best IoT security practices in mind.  Operating systems must be hardened against attack, and devices should be as tamper resistant as possible. IoT security standards can be specific for an industry such as WP.29 for the automotive industry, or general and relevant for all developers such as the UL 2900. In any case, developers should comply with such standards to enhance IoT security and use automated tools to verify that such compliance. Automated tools can also help developers that are not familiar with an IoT security standard to easily understand what security features are needed and how to implement them to comply with a specific standard.  

Device owners and operators need to keep up with security bulletins that might affect their devices.  If a vulnerability is found for their devices, they will need to know how to ensure that the devices get properly updated in order to mitigate the vulnerabilities. 

Network security is also important.  Now that we are entering the brave new world of 5G, which most new devices will soon be using, network engineers need to learn how to set up 5G networks in a secure manner.  Device designers will need to learn how to make their devices communicate securely on a 5G network.  Device manufacturers can obtain basic IoT security guidelines from the U.S. National Institute of Standards and Technology (NIST). 

As you can see, IoT security standards are very important.  It would pay every device manufacturer or operator to learn about them.