Question: Do standards or labels exist that certify secure Internet of Things (IoT) systems?
Loren Browman, senior security consultant, Optiv: No federally approved testing body currently exists to certify IoT device security in the way we have come to expect UL testing to certify products for safety issues.
The IoT industry remains fragmented with a lot of players, big and small, churning out a lot of products. While these products may be cool and innovative, many are produced without a security budget and are not held to any IoT-specific security standards. We have certainly seen IoT security awareness campaigns from organizations such as NIST and well-laid-out guidelines from associations such as the GSMA and now ISO, but guidelines and recommendations are not the same as certifications or regulated standards.
Product security is an increasingly important topic as the number of devices continues to grow rapidly and we become more reliant on these products and systems to provide access and control over sensitive infrastructure.
When investing in any connected device at an industrial or consumer level, the following can be signs that the manufacturer values security and has implemented best practices throughout the development of its products:
- They engage in third-party product penetration tests.
- They leverage existing Platform as a Service (PaaS) IoT solutions from reputable companies, such as Microsoft Azure and Amazon Web Services, which have detailed documentation and extensive security mechanisms.
- They use secure hardware platforms with no known vulnerabilities.
- They use updatable firmware in the event a security issue is discovered and needs to be patched.
- They have transparent security policies and a straightforward disclosure process.
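The last item in the list above is the one a buyer can verify most directly: vendors that take disclosure seriously usually publish a security.txt file (RFC 9116) describing how to report a problem. The following is an added example, not part of the answer above, showing how such a file can be parsed and judged for the things that matter (a reachable Contact, an Expires date that has not lapsed, and a published Policy). The sample files are constructed for the demonstration and the vendor hostname is a placeholder; a real check would fetch `https://<vendor>/.well-known/security.txt` over HTTPS.

```python
"""Assess a vendor's RFC 9116 security.txt as one signal of a
straightforward disclosure process (added example, constructed samples)."""
from datetime import datetime, timezone

REQUIRED = ("contact", "expires")            # mandatory fields in RFC 9116
RECOMMENDED = ("policy", "encryption", "canonical")
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def parse_security_txt(text):
    """Map lower-cased field names to their list of values.

    Comments, blank lines and PGP armour lines ('-----BEGIN ...') are skipped.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def assess_security_txt(text, now=None):
    """Return (ok, findings); findings is a list of (severity, message).

    ok is True only when no 'error' finding was raised: every required field is
    present, Contact values are URIs, and Expires is parseable and in the future.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []
    for name in REQUIRED:
        if name not in fields:
            findings.append(("error", f"missing required field {name.capitalize()}"))
    for name in RECOMMENDED:
        if name not in fields:
            findings.append(("warning", f"missing recommended field {name.capitalize()}"))
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            findings.append(("error", f"Contact is not an https/mailto/tel URI: {contact!r}"))
    if "expires" in fields:
        try:
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if expires.tzinfo is None:            # treat a naive timestamp as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                findings.append(("error", "file has expired; disclosure info is unmaintained"))
        except ValueError:
            findings.append(("error", "Expires is not an ISO 8601 timestamp"))
    ok = not any(severity == "error" for severity, _ in findings)
    return ok, findings


# Constructed samples; example-vendor.invalid is a placeholder hostname.
GOOD = """# security.txt for a well-run vendor
Contact: mailto:security@example-vendor.invalid
Contact: https://example-vendor.invalid/security/report
Expires: 2099-12-31T23:59:00Z
Policy: https://example-vendor.invalid/security/policy
Encryption: https://example-vendor.invalid/pgp-key.txt
Canonical: https://example-vendor.invalid/.well-known/security.txt
"""

STALE = """Contact: mailto:security@example-vendor.invalid
Expires: 2020-01-01T00:00:00Z
"""

EMPTY = "# a file that says nothing useful\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("stale", STALE), ("empty", EMPTY)):
        ok, findings = assess_security_txt(sample)
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

A passing file is only a signal, not proof: it shows the vendor has thought about intake of reports, which is the observable part of "a straightforward disclosure process". The warning-level findings (no Policy, no Encryption key) are worth raising with the vendor before purchase.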