The Anti-Malware Testing Standards Organization (AMTSO) unveiled a list of proposed publishing standards for testing the efficacy of IoT security solutions.
AMTSO’s guidelines are intended to help organizations evaluate which tools are most effective and best suited to their environment. The document outlines six key areas:
- General principles: All tests and benchmarks should focus on validating the end result and performance of protection delivered, instead of how the product functions on the backend.
- Sample selection: For a relevant IoT security benchmark, testers need to select samples that are still active and that actually target the operating systems the smart devices are running.
- Determination of "detection": Because of the differences between IoT security and traditional cybersecurity solutions, the guidelines suggest using threats with admin consoles that the tester can control, or using devices on which the attack will be visible if it happens.
- Test environment: If the tester decides against using real devices in the testing environment, they should validate their approach by running their desired scenario with the security functionality of the security device disabled and checking the attack execution and success.
- Testing of specific security functionality: The guidelines provide advice on different attack stages, including reconnaissance, initial access, and execution, and suggest testing each stage individually rather than going through the whole attack at once.
- Performance benchmarking: The guidelines suggest differentiating between use cases, such as consumers vs. businesses, and weighing how critical added latency or reduced throughput is for each protocol, which depends on the protocol's purpose.
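As an added illustration of how the sample-selection, test-environment, per-stage detection and performance areas above fit together, the following harness (example code written for this page, not AMTSO's or any vendor's tooling) scores a constructed set of test runs. Every sample name, device OS, latency figure and threshold in it is made up; the "control run" check implements the guideline that an attack must succeed with protection disabled before a protected run is allowed to count.

```python
"""Toy scoring harness modelled on the AMTSO areas summarized above.
Added example, not from the original article; all data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attack stages the guidelines say to test individually.
STAGES = ("reconnaissance", "initial_access", "execution")


@dataclass
class Sample:
    name: str
    target_os: str
    active: bool  # assumption: the tester tracks whether the threat is still live


@dataclass
class StageRun:
    stage: str
    protection_enabled: bool
    attack_succeeded: bool  # observed via tester-controlled console or visible device effect
    detected: bool          # the product raised a detection for this stage


@dataclass
class TestResult:
    sample: Sample
    device_os: str
    runs: List[StageRun] = field(default_factory=list)


def select_samples(samples: List[Sample], device_os: str) -> List[Sample]:
    """Sample selection: keep only active samples that target the device's OS."""
    return [s for s in samples if s.active and s.target_os == device_os]


def control_is_valid(result: TestResult, stage: str) -> bool:
    """Test environment: with protection disabled the attack must succeed,
    otherwise the environment cannot demonstrate anything about the product."""
    for r in result.runs:
        if r.stage == stage and not r.protection_enabled:
            return r.attack_succeeded
    return False  # no control run recorded for this stage


def stage_outcome(result: TestResult, stage: str) -> Optional[bool]:
    """Per-stage 'detection': None if the control run is invalid; otherwise True
    only when the product both detected the stage and stopped the attack."""
    if not control_is_valid(result, stage):
        return None
    for r in result.runs:
        if r.stage == stage and r.protection_enabled:
            return r.detected and not r.attack_succeeded
    return None


def score(results: List[TestResult]) -> Dict[str, dict]:
    """Protection rate per stage over valid tests; invalid tests are excluded,
    not silently counted as misses."""
    table = {}
    for stage in STAGES:
        outcomes = [stage_outcome(r, stage) for r in results]
        valid = [o for o in outcomes if o is not None]
        table[stage] = {
            "valid": len(valid),
            "invalid": len(outcomes) - len(valid),
            "protected": sum(valid),
            "rate": (sum(valid) / len(valid)) if valid else None,
        }
    return table


# Performance benchmarking: tolerances differ by use case (constructed budgets, in ms).
LATENCY_BUDGET_MS = {"consumer": 50.0, "business": 10.0}


def perf_verdict(use_case: str, baseline_ms: float, protected_ms: float) -> bool:
    """Added latency from the protection layer must stay within the use case's budget."""
    return (protected_ms - baseline_ms) <= LATENCY_BUDGET_MS[use_case]


# Constructed sample pool: one wrong OS, one retired threat, two usable samples.
SAMPLES = [
    Sample("constructed-bot-a", "linux-arm", True),
    Sample("constructed-scanner-b", "linux-arm", True),
    Sample("constructed-win-worm", "windows", True),
    Sample("constructed-retired-bot", "linux-arm", False),
]


def build_results() -> List[TestResult]:
    """Constructed run log for the two usable samples on a linux-arm device."""
    a = TestResult(SAMPLES[0], "linux-arm")
    for st in STAGES:  # clean control runs, product stops every stage
        a.runs += [StageRun(st, False, True, False), StageRun(st, True, False, True)]
    b = TestResult(SAMPLES[1], "linux-arm")
    b.runs += [StageRun("reconnaissance", False, True, False),
               StageRun("reconnaissance", True, True, False),   # missed entirely
               StageRun("initial_access", False, True, False),
               StageRun("initial_access", True, True, True),    # detected but not stopped
               StageRun("execution", False, False, False),      # control failed: invalid test
               StageRun("execution", True, False, True)]
    return [a, b]


if __name__ == "__main__":
    print(len(select_samples(SAMPLES, "linux-arm")), "samples selected")
    for stage, row in score(build_results()).items():
        print(stage, row)
    print("consumer ok:", perf_verdict("consumer", 20.0, 60.0),
          "business ok:", perf_verdict("business", 20.0, 60.0))
```

The point of the `None` outcome is that a failed control run is reported as an invalid test rather than counted for or against the product, which is what the test-environment guideline is protecting against; the same 40 ms of added latency passes the consumer budget and fails the business one, mirroring the use-case split in the performance area.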
There's a lot of diversity in IoT devices, making it difficult to create a one-size-fits-all approach to security, says Tony Goulding, cybersecurity evangelist at Delinea. Some devices lack computational capacity, and not being able to deploy security agents or clients on the devices makes it difficult to enforce a centralized and consistent set of security policies.
"Threat actors recognize this and exploit the fact that these devices are particularly vulnerable to malware," he says. "As a security community, we strive to eliminate or choke vectors of attack that can give adversaries illicit access to our infrastructure, resulting in a data breach, ransomware attack, or taking critical OT infrastructure offline."
Industry regulations like PCI, HIPAA, and SOX focus on security and privacy guidelines in order to protect access to sensitive data and systems in traditional IT environments, Goulding says. Organizations should prioritize IoT products from vendors that have undergone such testing, to help ensure those risks are mitigated in the product.
"Similarly, it's important to protect access to IoT devices that are used in sensitive environments," he says. "With no equivalent set of regulations, the AMTSO guidelines represent a step in the right direction to help IoT vendors test their products' ability to detect and prevent attacks."
Secure IoT Critical for Organizations
Many cybercriminals target IoT devices as their point of entry because they enable lateral movement within corporate networks, says Bud Broomhead, CEO at Viakoo. While security for vulnerable IoT devices is critically important for enterprises, the fact remains that IoT devices often lack automated methods for patching vulnerabilities, updating the firmware and digital certificates, or changing built-in passwords.
"Breached IoT devices are having devastating impacts, such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems," he says.
Because devices are so distributed and often of different makes and models, manually managing device security across multiple locations for cameras, kiosks, intercoms, and other equipment can be very difficult to accomplish at scale.
Goulding says while the proposed guidelines are a step in the right direction, more and stronger standards, widely enforced, are required. There's some progress, with Europe's ETSI EN 303 645 and California's "Security of Connected Devices" law. NIST in the US has pilot programs for cybersecurity labeling of consumer IoT devices.
"Until then, vendors and industry sectors will have different priorities," Goulding says.