Blake

IoT Device Security Standards & Code of Practice for IoT Security

April 12, 2021
iot-device-security-standards-and-code-of-practice-for-iot-security

Concern for the security of connected devices and IoT products is mounting as the Internet of Things continues to grow at a considerable rate. Recent forecasts predict that there will be more than 75 billion IoT devices in use by 2025, almost three times the amount recorded in 2019.

For many reasons, including lack of user knowledge or insufficient manufacturing and retail codes of practice, a lot of IoT devices are vulnerable to cyber attacks that can allow hackers to access, alter or sell consumer data amongst other malevolent practices.

For a full list of IoT device threats, vulnerabilities and solutions, read our IoT Security Guide.

This article discusses the various IoT device security standards and codes of practice currently in use within the industry.

Why are security standards and a code of practice necessary for the Internet of Things?

The more sophisticated connected devices become, the more common they become in our everyday lives, with many of us filling our homes and offices with IoT products that ease processes and make our lives easier., whilst sharing an increasing amount of personal data.

Insufficient IoT security can expose consumers, businesses and government bodies to harmful cyber attacks. Manufacturers are responsible for ensuring that the products they market are as secure as possible at the point of sale, however, there is a natural fluctuation between businesses of which security measures are essential.

Because of this, we cannot assume that every IoT device is secure until we have an established baseline for minimum IoT security standards and a fixed code of practice for consumer IoT security that is regularly updated to reflect new threats as they emerge. 

Without security standards and a code of practice, IoT devices across the globe will continue to operate with inadequate protection against security breaches.

Who should care about IoT security standards and codes of practice?

Everyone in the IoT supply chain has a stake in the security of an IoT device, but more specifically – these audiences need to be especially mindful include:

  • Device Manufacturers: Device manufacturers assemble or provide component utilised in IoT devices.
  • IoT Service Providers: IoT service providers offer network services, cloud storage, and data transfer as part of IoT solutions. Internet of Things devices (also known as internet-connected devices) may be offered as part of the service.
  • Application Developers: App developers develop and provide applications for mobile, tablet, TV and wearable devices. These are often offered as a way of interacting with devices as part of an IoT solution. 
  • Retailers: Retailers are the sellers of internet-connected products and associated services to consumers.

What are the key requirements of IoT security according to experts in the field? 

In 2020, the ETSI Technical Committee on Cybersecurity published its IoT cybersecurity standards and baseline for security in IoT consumer products, identifying the following 13 requirements as essential.

  1. No universal default passwords (passwords must be unique)
  2. Vulnerability reporting facilities and management
  3. Regular software updates (and maintenance)
  4. Secure storage of sensitive security parameters
  5. Secure communication
  6. Minimise exposed attack surfaces
  7. Optimal software integrity
  8. Personal data security
  9. Outage resilience
  10. System telemetry data examination
  11. Simple user data deletion processes
  12. Easy device installation and maintenance
  13. Input data validation

These requirements apply to many different types of connected devices, such as:

  • Connected children’s toys and baby monitors
  • Smart safety products like smoke detectors and door locks
  • Multimedia devices like cameras, TVs and speakers
  • Wearables and fitness trackers
  • Home automation and security devices like alarm systems
  • Home appliances like washing machines and fridges
  • Smart home assistants

IoT Standards Organisation, Trade Associations and Other Industry Groups

Despite the IoT industry’s relative infancy, some IoT standards organisations, trade associations and industry groups have emerged to provide guidance on IoT security standards and recommended codes of practice – these are listed below.

You can visit their websites for more detailed information on how IoT device manufacturers can ensure the products they market to consumers are as safe and secure as possible.

List of IoT Standards Organisations, Trade Associations, and Other Industry Groups:

  • ETSI (European Telecommunications Standards Institute)
  • IoTSF (Internet of Things Security Foundation)
  • GSMA
  • NIST (National Institute of Standards and Technology)
  • IEEE
  • IEC (International Electrotechnical Commission)
  • ENISA

Learn more about these organisations below.

European Telecommunications Standards Institute

ETSI (European Telecommunications Standards Institute) is a European Standards Organisation and is the recognised regional standards body for telecommunications, broadcasting and other electronic communications networks and services. The 900 member strong institute is a world leader in the development and ratification of IT standards in existing and emerging technologies such as the Internet of Things.

Internet of Things Security Foundation

IoTSF (Internet of Things Security Foundation) is a non-profit international organisation that aims to make IoT safer so that its benefits can be fully realised.

GSMA

GSMA promotes the best practice for the secure design, development and deployment of IoT services and facilitates the evaluation of security measures. The organisation represents the global interests of mobile operators, handset and device makers, software companies, equipment providers and internet companies. GSMA has regional sites in the following locations including Asia Pacific, Greater China, Europe, Latin America, Middle East & North Africa, Sub Saharan Africa and North America.

National Institute of Standards and Technology

NIST (National Institute of Standards and Technology) is the official authority on technology standards for the U.S.

IEEE

IEEE is the world’s biggest technical professional organisation dedicated to technology advancements that benefit humanity.

International Electrotechnical Commission

IEC (International Electrotechnical Commission) is an international standards body that releases international standards for all electrical technologies.

ENISA

ENISA is the European Union Agency for Cybersecurity and aims to create a common level of cybersecurity measures for countries across Europe.

What are the current security standards and guidelines available for the IoT? 

At present, there isn’t a globally enforced IoT device security standard or code of practice, however, some regionally operated bodies such as NIST have developed recommended standards and codes of practice that manufacturers can use to improve security practices for their products.

There are also some guidelines designed to span across multiple regions.

The U.K.’s IoT Security Standards

The first voluntary IoT code of practice, the Secure by Design Code of Practice, was established by the U.K. government’s Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC).

Since then, the department has called for feedback on proposals for the regulation of cybersecurity for consumer Internet of Things devices and is in the process of reviewing them currently to develop a world-leading regulatory framework that drives innovation without sacrificing the security of consumers.

It’s been reported that tech leaders HP and Centrica Hive were among the first to agree to implement the Code of Practice.

Though the code is voluntary, companies that do implement it can benefit from GDPR compliance, avoid connection with future data breaches and cyber-attacks and display their commitment to protecting their consumers.

The key components include:

  1. No default passwords: All IoT device passwords shall be unique and not resettable to any universal factory default value.
  2. Implement a vulnerability disclosure policy: All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.
  3. Keep software updated: Software components in internet-connected devices should be securely updateable. Updates shall be timely and should not impact on the functioning of the device. An end-of-life policy shall be published for end-point devices which explicitly states the minimum length of time for which a device will receive software updates and the reasons for the length of the support period. The need for each update should be made clear to consumers and an update should be easy to implement. For constrained devices that cannot physically be updated, the product should be isolatable and replaceable.
  4. Securely store credentials and security-sensitive data: Any credentials shall be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
  5. Communicate securely: Security-sensitive data, including any remote management and control, should be encrypted in transit, appropriate to the properties of the technology and usage. All keys should be managed securely.
  6. Minimise exposed attack surfaces: All devices and services should operate on the ‘principle of least privilege’; unused ports should be closed, hardware should not unnecessarily expose access, services should not be available if they are not used and code should be minimised to the functionality necessary for the service to operate. Software should run with appropriate privileges, taking account of both security and functionality.
  7. Ensure software integrity: Software on IoT devices should be verified using secure boot mechanisms. If an unauthorised change is detected, the device should alert the consumer/administrator to an issue and should not connect to wider networks than those necessary to perform the alerting function.
  8. Ensure that personal data is protected: Where devices and/or services process personal data, they shall do so in accordance with applicable data protection law, such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Device manufacturers and IoT service providers shall provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes, for each device and service. This also applies to any third parties that may be involved (including advertisers). Where personal data is processed on the basis of consumers’ consent, this shall be validly and lawfully obtained, with those consumers being given the opportunity to withdraw it at any time.
  9. Make systems resilient to outages: Resilience should be built in to IoT devices and services where required by their usage or by other relying systems, taking into account the possibility of outages of data networks and power. As far as reasonably possible, IoT services should remain operating and locally functional in the case of a loss of network and should recover cleanly in the case of restoration of a loss of power. Devices should be able to return to a network in a sensible state and in an orderly fashion, rather than in a massive scale reconnect.
  10. Monitor system telemetry data: If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be monitored for security anomalies.
  11. Make it easy for consumers to delete personal data: Devices and services should be configured such that personal data can easily be removed from them when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device. Consumers should be given clear instructions on how to delete their personal data.
  12. Make installation and maintenance of devices easy: Installation and maintenance of IoT devices should employ minimal steps and should follow security best practice on usability. Consumers should also be provided with guidance on how to securely set up their device.
  13. Validate input data: Data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices shall be validated.

The U.S.A.’s IoT Security Standards

In 2020, NIST released four draft publications that address the IoT security issues identified in the IoT Cybersecurity Improvement Act of 2020

The set of four documents offer recommendations for self-certification connected device cybersecurity to both federal agencies and manufacturers.

Europe IoT Standards

ENISA is the European Union Agency for Cybersecurity published a study, Baseline Security Recommendations for IoT, which aimed to act as a basepoint for IoT security measures in Europe.

The study presents a series of seven recommendations that tackle IoT device security standards:

  1. Promote harmonization of IoT security initiatives and regulations
  2. Raise awareness for the need for IoT cybersecurity
  3. Define secure software/hardware development lifecycle guidelines for IoT
  4. Achieve consensus for interoperability across the IoT ecosystem
  5. Foster economic and administrative incentives for IoT security
  6. Establishment of secure IoT product/service lifecycle management
  7. Clarify liability among IoT stakeholders

Location Non-Specific IoT Security Standards

GSMA has published a series of IoT security documents that aim to establish a common understanding of IoT security issues and promote secure IoT service development methodologies.

The GSMA IoT Security Guidelines include an 85 point list of recommendations for the secure design, development and deployment of IoT devices services.

What makes these guidelines different from the others explored in this article is that the set of documents aren’t designed to drive the development of new IoT specifications or standards but refers only to the currently available solutions, standards and best practices.

Because of this, the guidelines will need to be updated periodically to avoid the risk of becoming outdated and inaccurate.

The IoTSF’s IoT Security Framework is a structured process of self-evaluation or self-certification through questioning and evidence gathering for leaders of IoT organisations, developers and manufacturing staff, supply chain managers or trusted third parties.

The key IoT product and service security requirements identified in this framework are:

  • Management governance
  • Engineered for security
  • Fit for purpose cryptography
  • Secure network framework and applications
  • Secure production processes and supply chain
  • Safe and secure for the customer

What IoT security standards are you following?

The fact that each set of security guidelines differs slightly from the next and each targets a different section of the IoT device supply chain only highlights the need for an established, globally adhered to the Internet of Things security framework and code of practice.

We are looking forward to seeing how this transforms as IoT is adopted globally.

Industry Accreditations