How can you make sure your connected devices are secure?

One of my recent posts pointed out that many (and perhaps most) connected devices (aka IoT devices) are far from secure. Furthermore, it pointed out that because these devices are inherently “black boxes”, meant to be managed by the manufacturer and the manufacturer alone, it’s difficult for a user organization to learn what controls might or might not be in place in the device. While a user can easily scan “standalone” software (i.e. software the user installs on standard hardware and O/S platforms) and learn a lot about vulnerabilities in it, it’s very hard to do that for a sealed device, especially if the user doesn’t even know what software is installed inside it.

This is why, even more so than with standalone software, it’s important for the user organization to learn what’s inside the box they’re buying – both the good stuff (the capabilities included in the device, including what is shown in a software bill of materials, or SBOM) and the bad stuff (the software vulnerabilities that were also “included” in the device); it’s also important for the user organization to learn about the manufacturer’s security practices.

The more the user can learn about the technical security controls and manufacturer practices before they purchase the device, the easier it will be to decide a) whether or not to purchase a particular device in the first place, and b) after they’ve decided they will purchase it, what controls – both technical and procedural – they will need to put in place, to compensate for security weaknesses that may be found in the software or firmware installed in the product (or in the manufacturer’s practices).

Questions about technical security controls include:

1.      Does the device allow a universal password? Of course, if it does, that’s not a good thing.

2.      Are security updates applied automatically when possible?

3.      Is standard cryptography utilized?

Questions about manufacturer security practices include:

1.      Does the manufacturer disable unused services?

2.      Has the manufacturer published an end-of-life notification policy?

3.      Is there a “bug bounty” program for security researchers who find vulnerabilities in the product?

The best way for a user organization to learn what technical controls and manufacturer practices are in place for a connected device is if the device has received a previous certification from an independent third party certifier. Because this requires testing the device, not just asking the manufacturer about their practices, it should be performed by a testing laboratory. Americans aren’t too familiar with cybersecurity testing laboratories, but the labs are more common in Europe, where they’ve been testing connected devices for years.

For more than one year, I’ve had the pleasure of working with Red Alert Labs (RAL), a leading European cyber testing lab based in Paris. They provide assessments and certifications of connected devices based on multiple standards, including IEC 62443, Common Criteria and ETSI 303 645. RAL is also involved with the European Union Agency for Cybersecurity (ENISA) to develop the EUCC scheme for ICT products and EUCS scheme for Cloud services in the context of the Cybersecurity Act.

Recently, RAL became one of only 8 organizations worldwide that have been selected to provide certifications based on the standards developed by the ioXT Alliance, the global standard for IoT security. Backed by the biggest names in technology and device manufacturing, including Google, Amazon, T-Mobile, Comcast and more, the ioXt Alliance is the only industry-led, global IoT device security and certification program in the world. Devices with the ioXt SmartCert give consumers and retailers greater confidence in a highly connected world.

Besides assessing and certifying connected devices and their manufacturers, Red Alert Labs helps organizations that use these devices to assess the cybersecurity risks they face from devices they are considering for procurement. After procurement, RAL helps those organizations assess and mitigate vulnerabilities identified in software and firmware installed in the devices they use.

RAL will soon be helping user organizations assess the IoT devices they use, based on the recently released NIST.IR 8425, “Profile of the IoT Core Baseline”. This document was explicitly developed in response to Executive Order (EO) 14028 of May 2021, and draws on a number of earlier IoT security documents – including the NIST.IR 8259 series. It also draws on the many comments received by NIST last year in response to their request to the public after the EO charged NIST with putting in place a program for IoT device cybersecurity.

NIST.IR 8425 is clearly meant to be NIST’s main IoT cybersecurity guidance document for the foreseeable future, as well as perhaps their answer to the IoT Cybersecurity Improvement Act of 2020. I believe that US-based public and private sector organizations will standardize on this document as their primary means of assessing IoT device risk for the foreseeable future.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.