An in-depth security guidance report aimed at Internet of Things developers has been released by the Cloud Security Alliance.
Titled Future-proofing the Connected World: 13 steps to developing secure IoT products, the report offers practical and technical guidance to devs trying to secure networks of IoT devices.
“An IoT system is only as secure as its weakest link,” wrote Brian Russell, chair of the CSA’s IoT working group. “This document is our attempt at providing actionable and useful guidance for securing the individual products that make up an IoT system.”
Split into comprehensive sections, the guide covers: the need for IoT security; why dev organisations should care about securing IoT networks; device security challenges; and includes detailed guidance for secure IoT development, including everything from tips on implementing a secure dev environment to designing in hardware security controls and securing your firmware updates. A “detailed checklist for security engineers to follow during the development process” is also included.
“The CSA looks to provide much needed education and direction to product developers who know their products are at risk of compromise, but may lack the understanding as to where to start the process for mitigating that risk,” said the organisation in a canned quote.
As a sample of what’s on offer, the guide has this to say about the use of cryptographic modules:
The National Institute of Standards and Technology (NIST) provides valuable documentation and tools for secure cryptographic modules. The Federal Information Processing Standard (FIPS) 140-2 should be followed whenever implementing cryptographic protections within an IoT device. IoT developers can procure FIPS 140-2 validated modules or create their own to be certified modules. The FIPS 140-2 Security Requirements for Cryptographic Modules document provides a valuable summary of the requirements that span the most lenient (Level 1) to the most stringent (Level 4) design requirements for cryptographic modules.
It also includes a brief and lucid guide to classifying IoT devices, given the excessively broad meaning of the term Internet of Things.
Professor William Webb, CEO of IoT connectivity talking-shop the Weightless SIG, told The Register: “I liked this. I thought it was clear, pitched at the right level and comprehensive without being over the top. It has lots of good references and picks up on everything I'd recommend to developers.”
He added: “Reading it all and then acting on all the recommendations is a huge task. But equally, missing out any might leave serious security loopholes in products.”
The Register asked the Cloud Security Alliance whether SMEs looking at the document would be overwhelmed by its length and detail.
"That's always a challenging problem when putting out guidance like this," Russell told us. "How much is too much? My advice to smaller firms is that they need to start somewhere. Two of the 13 steps that we mention stand out in that regard. First - for IoT developers that are already far along on the product lifecycle, look at recommendation #13 'Perform Security Reviews'. If you can at least have an independent organization test your product for security weaknesses, you will gain a lot of value."
And what should firms that have already rolled out insecure IoT kit do in light of this guidance?
"It's never too late to start," advised Russell. "If you think of these controls as somewhat cyclical, you can figure out where to jump in and start applying the concepts based on where you are in the product lifecycle."
He added: "Secure update should be a fundamental capability in all IoT devices and vendors need to think through the entire process - end-to-end."
El Reg also asked him: is the whole IoT shebang worth companies getting into as more and more security howlers come to light? Russell said yes, at length:
Right now we're seeing IoT products that provide lots of consumer benefits - enabling smart lighting in the home for example. The big payoff though will come when the IoT starts enabling trusted autonomous transactions to provide enhanced capabilities for businesses, streamlined services for municipalities, reduced casualties for drivers, quicker responses for emergency responders, etc. I think we need to go through these growing pains unfortunately in order to get to the other side where we can have some semblance of confidence that connected physical devices are locked down sufficiently to be safe.
The report can be downloaded in full from the CSA website. ®