Last Updated on November 17, 2020
Possibly the only thing expanding more rapidly than the Internet of Things (IoT) is concern about how to secure it. The IoT has morphed far beyond simple IP-connected sensors—to encompass any network-connected physical device or service that is remotely controllable via an application. (Yes, that includes smartphones, tablets, etc.)
What best-practice guidance is available to help organizations understand how to secure their IoT environments?
One new framework that’s been exceptionally well-received is the IoT Security Controls Framework, released in March 2020 by the Cloud Security Alliance (CSA). “And if we remember that initial wave of IoT devices that went out with default administrative passwords that weren’t changed by default, and we saw huge vulnerabilities and exploits there,” adds John. “It’s things like this that we can still give manufacturers guidance on, as well as the implementers and the administrators and the architects.”
On a recent episode of The Virtual CISO Podcast focused on IoT security, special guests Aaron Guzman and John Yeoh brought us up to speed on the new framework, including who it’s for and how it’s intended to be applied. Aaron co-chairs CSA’s IoT Working Group, and is product security lead at Cisco Meraki, while John is Global VP and head of research at CSA.
“The framework was initially designed for system developers who are implementing an IoT system in an enterprise, as well as designing an IoT architecture,” Aaron relates. “So not necessarily from the manufacturer perspective unless you are, let’s say, creating a custom feature using an API, and now you know you have to undergo certain security processes to ensure you’re not introducing new vulnerabilities. So it’s really holistic from process to technical controls to even safety and privacy.”
“Talking about the [CSA’s] Cloud Controls Matrix as a security control framework with high-level objectives for security and cloud and cloud supply chain… the IoT framework can be done in a similar way… But if you look at even some of the device layer controls in there, too, they can be very specific to at least manufacturers’ understanding. Like, ‘Hey, remember, there are some default principles when it comes to the manufacturers sending these devices to customers.’”
“And if we remember that initial wave of IoT devices that went out with default administrative passwords that weren’t changed by default, and we saw huge vulnerabilities and exploits there,” adds John. “It’s things like this that we can still give manufacturers guidance on, as well as the implementers and the administrators and the architects.”
But does the new CSA framework cover all the pieces of today’s IoT puzzle—from the device to the configuration/control app on a smartphone or PC client to associated embedded web services and APIs on the device to the cloud infrastructure (which could include APIs, web apps, ecosystem partner services, etc.) and beyond?
“We have 21 different domains that holistically address that [ecosystem],” says Aaron. “Nowadays, you have Terraform. You have all Docker containers and files. You have these YAML files… But we even go as far as to give legal considerations its own domain, which I think really sets it apart from other pieces of guidance and best practices and documents out there.”
Regarding the CSA IoT Framework domains, Aaron recaps: “We start with knowing what you have; asset management is the number one control domain. Because you can’t protect what you don’t know you have, and you don’t know how to protect it if you don’t even know the versioning of it. So we start from asset management, configuration management, secure connections, and all the way down to security testing and the different types of security testing. Which is, I might add, one of the newest sections that we’ve included in Version 2 [soon to be in peer review as of this writing]. Security testing could be not only penetration testing, red teaming, but also third-party assessments…”
John also notes that all the framework controls are applied architecturally; that is, to the devices, networks, gateway, applications, etc. per their context within the overall architecture. But speaking of context, why is the IoT context so different from cloud in general that a separate security framework is even necessary?
John explains: “We already talked about how different the networks are, having these LANs and PANs that you need to worry about. So you’ve got all these different kinds of Bluetooth, ZigBee and other sorts of short-area, wireless networks. You have the messaging protocols that are different between these devices because, again, these devices are tiny, so we need to change messaging protocols. We need to change encryption protocols, certificate types… there’ so many things that can go into changing this ecosystem to where we really felt like a framework needs to pay attention to these details of IoT. What makes IoT different [from cloud] is all these devices that we talked about—and this framework highlights those things.”
But as podcast host John Verry, Pivot Point Security’s CISO and Managing Partner, points out: “This is an emerging field, and for anyone to say that they’re experts in it or they have everything figured out and they do everything perfectly, it would be a foolish thing to say at this point. I think we’re all still learning.”
If you are concerned about securing IoT, don’t fail to catch our podcast with Aaron Guzman and John Yeoh.
To hear the show from start to finish, and browse our many other cybersecurity podcasts, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.