Security risks of IoT
The Internet of Things is already beginning to transform consumer, business and industrial processes and practices. Some of the high level needs for IoT product security include the need to:
- Protect consumer privacy and limit exposure of PII and PHI
- Protect business data and limit exposure of sensitive information
- Safeguard against IoT products being used in DDoS attacks or as launching points into the network
- Guard against damage or harm resulting from compromise of cyber-physical systems
What is CSA doing to help secure IoT?
The IoT Working Group's mission is dedicated to understanding relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their IoT ecosystem. This includes outlining best practices for securing IoT implementations, identifying gaps in standards coverage for IoT security, and identifying threats to IoT devices and implementations.
Other organizations working with CSA to secure IoT.
CSA is working to secure IoT in collaboration with OWASP, Securing Smart Cities, UL, IoT Security Foundation, the Industrial IoT Consortium, U.S. Federal Communications Commission (FCC) and Samsung Robotic Laboratories.
Research for Securing the Internet of Things
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
Future Proofing the Connected World
An IoT system is only as secure as its weakest link. This document provides actionable and useful guidance for securing the individual products that make up an IoT system - to raise the overall security posture of IoT products. It should be especially useful for organizations that have begun transforming their existing products into IoT-enabled devices. That is, manufacturers that do not have the background and experience to be aware of the myriad ways that bad guys may try to misuse their newly connected equipment. Those in the startup communities will also find this guide useful. Startups in the connected product/system space are challenged with getting their products to market quickly. Finding the right talent to help secure those products early in the development cycle is not an easy task. This document provides a starting point for creating a security strategy to help mitigate at least the most pressing threats to both consumer and business IoT prod...
CSA IoT Security Controls Framework
The Internet of Things (IoT) Security Controls Framework introduces the base-level security controls required to mitigate many of the risks associated with an IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies. The IoT Security Controls Framework provides utility across many IoT domains from systems processing only “low-value” data with limited impact potential, to highly sensitive systems that support critical services. The Framework also helps users identify appropriate security controls and allocate them to specific components within their IoT system. For instructions on how to use IoT Security Controls Framework spreadsheet, there is a companion guide. The companion guide explains how to use the framework to evaluate and implement an IoT system for your organization by providing a column by...
IoT Firmware Update Processes
The traditional approach to updating software for IT assets involves analysis, staging and distribution of the update—a process that usually occurs during off-hours for the business. These updates typically have cryptographic controls (digital signatures) applied to safeguard the integrity and authenticity of the software. However, the Internet of Things (IoT)—with its vast ecosystem of connected devices deployed in many environments—introduces complexities associated with the update process that drives the need for process re-engineering. To answer that call, the Cloud Security Alliance IoT Working Group has compiled key recommendations for establishing a secure and scalable IoT update process. This document provides guidelines that developers and implementers can fully or partially integrate. Suggestions can be adapted and designed for custom firmware update processes that recognize unique constraints, dependencies, and risks associated with products a...