One of my recent posts pointed out that many
(and perhaps most) connected devices (aka IoT devices) are far from secure. Furthermore,
it pointed out that because these devices are inherently “black boxes”, meant
to be managed by the manufacturer and the manufacturer alone, it’s difficult for
a user organization to learn what controls might or might not be in place in
the device. While a user can easily scan “standalone” software (i.e.
software the user installs on standard hardware and O/S platforms) and learn a lot about vulnerabilities in it, it’s very hard to
do that for a sealed device, especially if the user doesn’t even know what software
is installed inside it.
This is why, even more so than with
standalone software, it’s important for the user organization to learn what’s
inside the box they’re buying – both the good stuff (the capabilities included
in the device, including what is shown in a software bill of materials, or SBOM)
and the bad stuff (the software vulnerabilities that were also “included” in
the device); it’s also important for the user organization to learn about the
manufacturer’s security practices.
The more the user can learn about
the technical security controls and manufacturer practices before they purchase
the device, the easier it will be to decide a) whether or not to purchase a particular
device in the first place, and b) after they’ve decided they will
purchase it, what controls – both technical and procedural – they will need to
put in place, to compensate for security weaknesses that may be found in the
software or firmware installed in the product (or in the manufacturer’s
practices).
Questions about technical security controls include:
1.
Does the device allow a universal password? Of
course, if it does, that’s not a good thing.
2.
Are security updates applied automatically when
possible?
3.
Is standard cryptography utilized?
Questions about manufacturer security practices include:
1.
Does the manufacturer disable unused services?
2.
Has the manufacturer published
an end-of-life notification policy?
3.
Is there a “bug
bounty” program for security researchers who find vulnerabilities in the
product?
The best way for a user
organization to learn what technical controls and manufacturer practices are in
place for a connected device is if the device has received a previous
certification from an independent third party certifier. Because this requires
testing the device, not just asking the manufacturer about their practices, it
should be performed by a testing laboratory. Americans aren’t too familiar with
cybersecurity testing laboratories, but the labs are more common in Europe,
where they’ve been testing connected devices for years.
For more than one year, I’ve had
the pleasure of working with Red
Alert Labs (RAL), a leading European cyber
testing lab based in Paris. They provide assessments and certifications of connected
devices based on multiple standards, including IEC 62443, Common Criteria and ETSI
303 645.
Recently, RAL became one of only 8 organizations worldwide that have been selected to provide
certifications based on the standards developed by the ioXT Alliance,
the global standard for IoT security. Backed by the biggest names in technology
and device manufacturing, including Google, Amazon, T-Mobile, Comcast and more,
the ioXt Alliance is the only industry-led, global IoT device security and
certification program in the world. Devices with the ioXt SmartCert give
consumers and retailers greater confidence in a highly connected world.
Besides assessing and certifying connected
devices and their manufacturers, Red Alert Labs helps organizations that use
these devices to assess the cybersecurity risks they face from devices they are
considering for procurement. After procurement, RAL helps those organizations assess
and mitigate vulnerabilities identified in software and firmware installed in
the devices they use.
RAL will soon be helping user
organizations assess the IoT devices they use, based on the recently released NIST.IR 8425, “Profile of the IoT Core Baseline”. This document was
explicitly developed in response to Executive Order (EO) 14028 of May 2021, and
draws on a number of earlier IoT security documents – including the NIST.IR
8259 series. It also draws on the many comments
received by NIST last year in response to their request to the public after the
EO charged NIST with putting in place a program for IoT device cybersecurity.
NIST.IR 8425 is clearly meant to
be NIST’s main IoT cybersecurity guidance document for the foreseeable future,
as well as perhaps their answer to the IoT
Cybersecurity Improvement Act of 2020. I believe that
US-based public and private sector organizations will standardize on this
document as their primary means of assessing IoT device risk for the
foreseeable future.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.
No comments:
Post a Comment