The Internet of Things is already beginning to transform consumer, business and industrial processes and practices. Some of the high-level needs for IoT product security include the need to:
- Protect consumer privacy and limit exposure of PII and PHI
- Protect business data and limit exposure of sensitive information
- Safeguard against IoT products being used in DDoS attacks or as launching points into the network
- Guard against damage or harm resulting from compromise of cyber-physical systems
The IoT Working Group is dedicated to understanding relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their IoT ecosystem. This includes outlining best practices for securing IoT implementations, identifying gaps in standards coverage for IoT security, and identifying threats to IoT devices and implementations.
CSA is working to secure IoT in collaboration with OWASP, Securing Smart Cities, UL, IoT Security Foundation, the Industrial IoT Consortium, U.S. Federal Communications Commission (FCC) and Samsung Robotic Laboratories.
This working group focuses on understanding the relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their implementations.
Working Group Leadership
Aaron is a passionate information security professional specializing in IoT, embedded, and automotive security. He is co-author of the “IoT Penetration Testing Cookbook” and a technical editor for the “Practical Internet of Things Security” Packt Publishing books. Aaron is co-chair of CSA’s IoT working group as well as a leader for OWASP’s IoT and Embedded Application Security projects, providing practical guidance to address the most commo...
Brian Russell is co-author of the book “Practical Internet of Things Security” and is a Chief Engineer focused on Cyber Security Solutions for Leidos (www.leidos.com). He oversees the design and development of security solutions and the implementation of privacy and trust controls for customers. Brian leads efforts that include security engineering for Unmanned Aerial Systems (UAS) and Connected Cars, and the development of hig...
Research for Securing the Internet of Things
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
Future Proofing the Connected World
An IoT system is only as secure as its weakest link. This document provides actionable and useful guidance for securing the individual products that make up an IoT system - to raise the overall security posture of IoT products. It should be especially useful for organizations that have begun transforming their existing products into IoT-enabled devices. That is, manufacturers that do not have the background and experience to be aware of the myriad ways that bad guys may try to misuse their newly connected equipment. Those in the startup communities will also find this guide useful. Startups in the connected product/system space are challenged with getting their products to market quickly. Finding the right talent to help secure those products early in the development cycle is not an easy task. This document provides a starting point for creating a security strategy to help mitigate at least the most pressing threats to both consumer and business IoT...
CSA IoT Security Controls Framework v2
The Internet of Things (IoT) Security Controls Framework introduces the base-level security controls required to mitigate many of the risks associated with an IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies. The IoT Security Controls Framework provides utility across many IoT domains from systems processing only “low-value” data with limited impact potential, to highly sensitive systems that support critical services. The Framework also helps users identify appropriate security controls and allocate them to specific components within their IoT system. For instructions on how to use the IoT Security Controls Framework spreadsheet, there is a companion guide. The companion guide explains how to use the framework to evaluate and implement an IoT system for your organization by providing a colu...
IoT Firmware Update Processes
The traditional approach to updating software for IT assets involves analysis, staging and distribution of the update—a process that usually occurs during off-hours for the business. These updates typically have cryptographic controls (digital signatures) applied to safeguard the integrity and authenticity of the software. However, the Internet of Things (IoT)—with its vast ecosystem of connected devices deployed in many environments—introduces complexities associated with the update process that drive the need for process re-engineering. To answer that call, the Cloud Security Alliance IoT Working Group has compiled key recommendations for establishing a secure and scalable IoT update process. This document provides guidelines that developers and implementers can fully or partially integrate. Suggestions can be adapted and designed for custom firmware update processes that recognize unique constraints, dependencies, and risks associated with produ...