The Cloud Security Alliance (CSA) has released a set of IoT device security guidelines to help developers build stronger security controls into their devices. Many developers struggle to identify controls that can be incorporated into devices and software systems to keep devices and data secure.
Identifying and mitigating security vulnerabilities is a difficult process and many device developers do not know where to start. This is where the IoT device security guidelines will help. The main purpose of the guidelines is to give developers a starting point to work from.
“We hope to empower developers and organisations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products,” said Brian Russell, chair of the CSA IoT Working Group.
The IoT device security guidelines are laid out in the CSA’s latest report – Future-proofing the Connected World. The report covers thirteen steps that can be followed by the designers of IoT products to ‘reasonably secure’ their devices and software systems.
Security is not something that can be bolted on to the product after development. It must be incorporated during the design process. The CSA recommends starting with a secure development methodology and incorporating privacy protections at the beginning of the design process.
Security vulnerabilities are likely to be discovered after products have been released. It is therefore important to incorporate a secure firmware/software update process to ensure that when vulnerabilities are discovered it is a relatively easy process to update the devices to improve security.
To prevent malicious actors from gaining access to the devices it is essential to incorporate authentication controls. Since it is not possible to eliminate the risk of device access by unauthorized individuals, it is important to reduce the potential for harm. The devices should only record the minimum amount of data necessary. Encryption should also be used for data at rest and in motion. Hardware-based security protections should be included along with integrity controls.
While security controls should be applied to the device itself, software systems and companion mobile applications can be a weak point. It is important for associated applications to also be secured along with the gateways through which devices and apps communicate. CSA also recommends that developers implement a secure root of trust for root chains and private keys on the device. Independent security testing is also recommended.
There is considerable pressure on companies to bring their products to market rapidly and implementing security controls is likely to slow down that process. However, as the report points out, “The consequences of a particular IoT product being used to compromise sensitive user information or worse, to cause harm or damage, will be catastrophic to the product vendor.”
