The Cloud Security Alliance, a nonprofit organization that pioneered security benchmarking and certification for cloud computing, has issued technical guidance for designers and developers of Internet of Things devices.
“It is often heard in our industry that securing IoT products and systems is an insurmountable effort,” said Brian Russell, chairman of the alliance’s IoT Working Group in a statement. “However, with the help of our extremely knowledgeable and dedicated volunteers, we are providing a strong starting point for organizations that have begun transforming their existing products into IoT-enabled devices, as well as newly emerging IoT startups.”
But a starting point is all they offer.
“Nothing that is connected is completely secure,” the authors acknowledge. “For the purposes of this document, we define a secure IoT device as a device that implements sufficient security measures such that an attacker will move onto another target.”
A series of recent huge distributed denial-of-service attacks, launched from large botnets made up of compromised IoT devices, has demonstrated the plethora of targets available to attackers. The devices were easy to break into at scale because they shipped with default passwords hardcoded into their firmware, so one credential list unlocked whole product lines.
“We’re in this huge rush to connect right now,” said John Grimm, from Thales e-Security, an encryption vendor. “There are going to be consequences, especially when so many of these devices are built without any thought for security.”
IoT product developers should start with five foundational security engineering practices, the guide states. Among them: they should make sure they have a secure means to update firmware and software on the devices; use encryption and authentication in product interfaces and in the mobile applications and gateways that connect to them; and “implement a secure root of trust” for the encryption keys held on the device.
Oh, and they should get an independent security assessment of their products.
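To make the first and third of those practices concrete, here is an added example (written for this page, not code from the CSA guide or from any vendor) of what a "secure means to update firmware" looks like on the device side: a signed update manifest is verified against a key rooted in the device before the image is trusted, the version is checked to refuse rollbacks, and the image hash is checked against the manifest. The manifest format, the magic string, and the key value are all constructed for the example. The one simplification is the primitive: the example authenticates the manifest with HMAC-SHA256 using a device-provisioned key because the Python standard library has no public-key signatures; a shipping product should instead store only a public key (Ed25519 or ECDSA) in its root of trust so that the signing secret never exists on the device at all.

```python
import hashlib
import hmac
import json
import struct

# Constructed example key standing in for the device's root-of-trust key.
# ASSUMPTION: a real device would hold a PUBLIC verification key here and the
# manifest would carry an asymmetric signature; HMAC is used only because the
# standard library has no public-key primitives.
DEVICE_UPDATE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

MANIFEST_MAGIC = b"IOTUPD1"  # constructed format tag, not a real standard
TAG_LEN = hashlib.sha256().digest_size


class UpdateRejected(Exception):
    """Raised when an update must not be applied."""


def make_manifest(version: int, image: bytes, key: bytes = DEVICE_UPDATE_KEY) -> bytes:
    """Vendor side: build a signed manifest describing one firmware image.

    Layout: MAGIC || 4-byte big-endian body length || JSON body || tag,
    where tag authenticates MAGIC || body.
    """
    body = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, MANIFEST_MAGIC + body, hashlib.sha256).digest()
    return MANIFEST_MAGIC + struct.pack(">I", len(body)) + body + tag


def verify_update(manifest: bytes, image: bytes, installed_version: int,
                  key: bytes = DEVICE_UPDATE_KEY) -> int:
    """Device side: return the new version if the update is acceptable.

    Checks run in this order: framing, authenticity, anti-rollback, image
    integrity. Nothing from the body is trusted until the tag has verified.
    """
    if not manifest.startswith(MANIFEST_MAGIC) or len(manifest) < len(MANIFEST_MAGIC) + 4:
        raise UpdateRejected("bad manifest header")
    off = len(MANIFEST_MAGIC)
    (blen,) = struct.unpack(">I", manifest[off:off + 4])
    off += 4
    body = manifest[off:off + blen]
    tag = manifest[off + blen:]
    if len(body) != blen or len(tag) != TAG_LEN:
        raise UpdateRejected("truncated manifest")

    # Authenticate before parsing: a forged or altered body never reaches json.loads.
    expected = hmac.new(key, MANIFEST_MAGIC + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("manifest signature invalid")

    meta = json.loads(body)
    version = meta.get("version")
    # Anti-rollback: an attacker must not be able to reinstall an old, vulnerable image.
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected("rollback refused")

    # The manifest binds the image by hash, so the image itself is checked last.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, str(meta.get("sha256", ""))):
        raise UpdateRejected("image hash mismatch")
    return version


def try_update(manifest: bytes, image: bytes, installed_version: int,
               key: bytes = DEVICE_UPDATE_KEY) -> str:
    """Convenience wrapper that reports the outcome as a string."""
    try:
        return f"accepted:{verify_update(manifest, image, installed_version, key)}"
    except UpdateRejected as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    image_v2 = b"constructed firmware image v2"  # constructed sample image
    genuine = make_manifest(2, image_v2)
    print(try_update(genuine, image_v2, installed_version=1))
    print(try_update(genuine, image_v2 + b"\x00", installed_version=1))
    print(try_update(make_manifest(3, image_v2, key=b"attacker"), image_v2, 1))
    print(try_update(make_manifest(1, image_v2), image_v2, installed_version=2))
```

The order of the checks is the point: the tag is verified before any field is parsed, the version check uses the manifest's authenticated value rather than anything the image claims about itself, and the image is only hashed against a value the manifest already vouched for. Swapping the HMAC for an asymmetric signature verified with a public key stored in hardware-backed storage is what turns this into the "secure root of trust" the guide describes.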
In addition to these recommendations, the guide includes a discussion on IoT device security challenges; the results of a survey about IoT security; a discussion on security options available for IoT development platforms; and a detailed checklist for security engineers to follow during the development process.
Russell, who is also Leidos’ chief engineer for cybersecurity solutions, said the guide aimed “to empower developers and organizations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products.”
Nearly 30 expert CSA members worked on the 80-plus page guidance report, published Friday.