New Guide Offers Advice on Securing Internet of Things Products

The Cloud Security Alliance working group on the Internet of Things (IoT) released new guidance this week for securing the IoT product ecosystem. The 80-plus page guide is titled: 'Designing and Developing Secure IoT Products.' The report offers 13 recommendations to raise the overall security level of IoT products and services.

by Dan Lohrmann / October 9, 2016

As more and more devices enter cyberspace, the online security concerns are growing just as fast. In fact, new Internet of Things (IoT) devices are being taken over and used as attack vectors. Here are some top DDoS stories from the past few months:

June 2016 — IoT Botnet — 25,000 CCTV Cameras Hacked to launch DDoS Attack

Excerpt: “The Internet of Things (IoTs) or Internet-connected devices are growing at an exponential rate and so are threats to them. Due to the insecure implementation, these Internet-connected embedded devices, including Smart TVs, Refrigerators, Microwaves, Set-top boxes, Security Cameras and printers, are routinely being hacked and used as weapons in cyber attacks.”

September 2016 — Security man Krebs' website DDoS was powered by hacked Internet of Things botnet

Excerpt: “The huge distributed denial of service (DDoS) attack which wiped security journalist Brian Krebs' website from the internet came from a million-device-strong Internet of Things botnet.

‘Attack appears to include numerous IoT devices, including security cameras. Still itemizing them,’ an Akamai spokesman told El Reg by email.”

October 2016 — DDoS attacks using IoT devices follow The Manchurian Candidate model

Excerpt: “Hackers use a similar model for Distributed Denial of Service (DDoS) attacks using IoT devices. This process has four phases.

  1. Capture: Identify and take over control of IoT devices
  2. Subvert: Reprogram the device to conduct malicious acts
  3. Activate: Instruct the hacked device to launch attack
  4. Attack: Launch the DDoS attack”


Solutions Please?

So what can be done to secure IoT? This is an urgent question that is being asked all around the world, and thankfully, some practical answers are now emerging.

The Cloud Security Alliance (CSA) released a new guidance report titled Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products this week. The guide helps designers and developers of Internet of Things (IoT) related products and services understand the basic security measures that must be incorporated throughout the development process. 

“It is often heard in our industry that securing IoT products and systems is an insurmountable effort,” said Brian Russell, Chair IoT Working Group and Chief Engineer, Cyber Security Solutions with Leidos. “However, with the help of our extremely knowledgeable and dedicated volunteers, we are providing a strong starting point for organizations that have begun transforming their existing products into IoT-enabled devices, as well as newly emerging IoT startups. We hope to empower developers and organizations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products.”

According to a press release issued on Oct. 7, 2016, the report lays out 13 considerations and guidance for designing and developing reasonably secure IoT devices, to mitigate some of the more common issues that can be found with IoT device development. Additionally, realizing that oftentimes there is a need to quickly identify the critical security items in a product development life cycle, researchers also outline the top five security considerations that, when applied, will begin to increase an IoT product’s security posture substantially. 

Additionally, the report lays out guidance in the following areas:

  1. A discussion on IoT device security challenges.
  2. Results from an IoT security survey conducted by the CSA IoT Working Group.
  3. A discussion on security options available for IoT development platforms.
  4. A categorization of IoT device types and a review of a few threats.
  5. Recommendations for secure device design and development processes.
  6. A detailed checklist for security engineers to follow during the development process.
  7. A set of appendices that provide examples of IoT products mapped to their relevant threats.

The CSA IoT Working Group focuses on understanding the relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their implementations. Nearly 30 CSA IoT working group members contributed to development of the 80-plus-page guidance report.

The full report is freely available at https://cloudsecurityalliance.org/download/future-proofing-the-connected-world/

More Details on the 13 CSA Steps to Develop Secure IoT Products

Here are the 13 steps listed to develop secure IoT products, according to CSA. Each of these steps is described in detail in the report — with multiple sub-steps and items under each area.

  • Secure Development Methodology
  • Secure Development and Integration Environment
  • Identity Framework and Platform Security Features
  • Establish Privacy Protections
  • Hardware Security Engineering
  • Protect Data
  • Secure Associated Apps/Services
  • Protect Interfaces/APIs
  • Provide Secure Update Capability
  • Implement Secure Authentication
  • Establish Secure Key Management
  • Provide Logging Mechanism
  • Perform Security Reviews

Final Thoughts

As I travel the country, I see and hear conflicting stories regarding the Internet of Things (IoT), big data and other new technologies being deployed.

On the one hand, new innovative opportunities are offering amazing new products, services and smart city solutions.

On the other hand, new DDoS stories and continuing data breach headlines reveal that the "bad guy" hackers are currently way ahead of the IoT product manufacturers.

This new CSA Guide is a welcome development in the IoT product space. However, the answers provided are not easy to implement. There are no quick fixes for these vulnerabilities.

Nevertheless, I applaud these efforts and highly recommend that readers download, review and use this material.