By Logan Kugler (edited by Alan J Weissberger)
Companies making and using IoT sensors can have a high degree of confidence their technology uses the best security features and practices if they adhere to established, credible security standards. There are plenty of security standards that IoT devices can—or should—follow. Some are related to how IoT devices use networks and transmit data. Some are related to the underlying technologies IoT devices rely upon (such as Wi-Fi). Others offer comprehensive guidance on how to create and use IoT devices in a secure way.
One well-known IoT standard is ISO/IEC 30141, which “provides a standardized IoT Reference Architecture using a common vocabulary, reusable designs, and industry best practices.” Another IoT standard, ETSI TS 103645, aims to create a security baseline for Web-connected devices, including guidelines for password usage, software updates, and user data handling for consumer IoT devices.
In another example, the U.S. National Institute of Standards and Technology (NIST) has created a list of six prescribed security characteristics that manufacturers should incorporate into IoT devices. The list includes security features such as device identification, device configuration features, data protection features, logical access to interfaces, adequate software and firmware updates, and adequate cybersecurity event logging.
There are dozens of organizations that publish helpful standards to guide IoT manufacturers and device customers on how to design, manufacture, and use IoT sensors and sensor-enabled devices in the safest way possible. However, the diversity of organizations and standards also presents problems.
Some standards organizations may aim to publish universal standards across different IoT technologies, while others may only publish standards for certain countries or for particular devices and technologies. While these organizations are usually highly credible and undergo rigorous processes to ensure their standards are comprehensive, many such standards are not legally binding. Moreover, there is no single, well-accepted standard for IoT security. The existing standards are not always designed for the unique risks IoT technologies face, says Izzat Alsmadi, a computer science professor at Texas A&M University in San Antonio, who works on IoT security. Existing standards may not adequately apply to significant numbers of IoT sensors, he explained, and some IoT devices and networks use proprietary technology that does not follow more widely accepted industry standards.
“Today’s IoT standards are relevant, but not enough and in some cases not up to date or not up to security challenges,” says Alsmadi. That’s because some of today’s existing security mechanisms were initially designed for desktop computers and are difficult to implement on resource-constrained IoT devices, he says. There also is the problem of compliance. Standards are often voluntary—and many companies do not adhere to them due to business pressures.
“Currently, the IoT segment sacrifices security due to resource allocation and price,” says Marion Marincat, founder and CEO of Mumbli, an IoT company. It is often faster and cheaper to limit security options in order to get to market, he says. As such, the standards for IoT mainly end up being adopted by the companies with deep-enough pockets and wide-enough competitive moats to afford to implement better security in their devices.
“Although there are a lot of methods to design low-cost devices with security in mind, business decisions usually push back the implementation for these solutions in order to speed up the route to market or reduce the price of devices even further,” says Marincat.
The issues with IoT sensor standards have larger implications for the overall security of the Internet of Things.
“The Internet of Things is very vulnerable in comparison with other categories of information systems,” says Alsmadi, because so many IoT applications are publicly visible and can be remotely controlled.
These vulnerabilities become even more pronounced as the adoption of IoT grows, especially as the industrial Internet of Things becomes a growing attack vector.
“The biggest change in operational technology systems over the past decade is that they have recently become more vulnerable to attacks from the outside as they are moving away from isolated, air-gapped environments and embracing more automation and digitally connected devices and systems,” says Fortinet’s Nelson.
Industrial IoT devices often run on hardware with little or no management interface and often cannot be upgraded in the field. Physically, IoT devices in industrial use cases are frequently installed in hard-to-reach or publicly inaccessible places (such as on top of a building). As such, they must be able to operate unattended for long periods and be resistant to physical tampering, he says.
“An attack on industrial IoT, especially on a device or system used to monitor critical operations and processes, can have a very significant impact on not only the business itself but also on the environment, even on the health and safety of staff and the public at large,” Nelson says.
Marincat advocates rolling out minimum standards to broad categories of IoT devices, but acknowledges many manufacturers will still see complying with such standards as a luxury in a competitive marketplace.
However, even with smarter standards approaches, making security updates to combined IoT software/hardware can be slower and more complicated than bug fixes and security updates for software alone. One possible fix is having companies adopt smarter risk-mitigation policies in how they use IoT devices, says Nelson. Companies should consider employing a zero-trust access (ZTA) model that verifies users and devices before every application session. “Zero-trust access confirms that users and devices meet the organization’s policy to access that application and dramatically improves the organization’s overall risk posture,” he says.
Nelson also recommends companies use micro-segmentation in their networks. This approach divides the network into isolated zones, each containing a specific part of the attack surface, and controls the data flows allowed into and between those zones. The result is that companies can confine an attack to a small subset of the business, minimizing the chance that bad actors move laterally through the network into other core business functions.
Even basic risk mitigation techniques can help. Other popular risk mitigation techniques employed by businesses include encrypting internet connections, using alternate networks in addition to primary ones, and investing in higher-quality (and more costly) devices from companies that have, in turn, invested in stronger IoT security. Despite all this, however, the vast majority of organizations can still expect at least one cybersecurity attack attempt in a given year. Research from Fortinet found only 6% of organizations experienced no cybersecurity intrusions in 2022.
Putting better cybersecurity measures in place still requires proactive, voluntary compliance from companies—compliance that has not always been forthcoming in the past. While the need for speed may win markets, it is not going away as a major obstacle to safer IoT devices and networks. That leaves experts skeptical about just how much of the problem can be solved by expanded standards—and how much is a result of human nature and incentives in the technology sector. “We tend to rush and enjoy advances in technology, then deal with security problems later on or when they become serious,” says Alsmadi.
Communications of the ACM, June 2023, Vol. 66 No. 6, Pages 14-16
2022 State of Operational Technology and Cybersecurity Report, Fortinet, Jun. 21, 2022, https://bit.ly/3G6HTDO
IoT Standards and Protocols Explained, Behrtech, https://behrtech.com/blog/iot-standards-and-protocols-explained
Number of IoT connected devices worldwide 2019–2021, with forecasts to 2030, Statista, Nov. 22, 2022, https://www-statista-com.libproxy.scu.edu/statistics/1183457/iot-connected-devices-worldwide