March 25, 2022

Last Updated on January 15, 2024

Sparked by new laws like California’s SB 327 mandating basic IoT device security, combined with growing security concerns in the market, more IoT device manufacturers are taking steps to improve security. Some are leveraging or aligning with trusted standards like the OWASP IoT Security Verification Standard (ISVS) and the Cloud Security Alliance (CSA) IoT Security Controls Framework.

How meaningful are these security claims? As an organization purchasing IoT devices, what should you be looking for (or reasonably expect) from vendors?

On a recent episode of The Virtual CISO Podcast, hardware hacker Joe Grand, widely known as Kingpin, explains where he sees IoT vendors heading with security, and how to get the most benefit from their efforts. Hosting the show is Pivot Point Security’s CISO and Managing Partner, John Verry.

Validation and testing

What should someone look for in terms of security when purchasing an IoT device?

Joe has two responses to that question: “First, question the vendor, to basically have them show you what they’ve done to properly secure their device. But my second recommendation would be that before you implement anything, you need to test it and validate it and understand it on your own.”

But few businesses have the resources to do independent IoT security testing. This testing is generally performed as a specialist service by third-party firms like Pivot Point Security, frequently on behalf of customers.

Alignment with IoT security standards

While Joe is skeptical about alignment with or verification against IoT security standards, he acknowledges that it’s better than nothing, albeit not definitive. A vendor that’s tested against a trusted standard is still better than a vendor that’s done limited to no testing.

Who’s evaluating the device, and who’s evaluating the evaluator? “There have been plenty of things that passed tests that shouldn’t have,” Joe asserts. “Or something passes the testing and then in production manufacturing, elements change.”

“I think vendors are going to use these certifications to say, ‘This is what we’ve done,’” clarifies Joe. “You want to put the onus on the product vendor to prove that they’ve anticipated the physical access or remote access. Even at a high level, though, I think the purchaser or the implementor can question the vendors and not only ask to see their results, but also ask if they’re worried about remote access… because they’re going to need legit remote access. At least understand some of the threats that can happen and then push that onto the vendor and say, ‘Okay, how are you protecting me against these things?’”

Besides interviewing vendors and doing some kind of evaluative testing whenever possible, John suggests thinking about compensating controls for areas where you’re not feeling 100% comfortable.

Security is implementation specific

Adding to the challenge of validating IoT security is that product security is often implementation dependent.

“What might appear to be secure or suitably secure for one environment might not be the same for another,” Joe says. “Going back to the parking meter example, the City of San Francisco purchased those parking meters from the vendor, and they were totally relying on what the vendor told them about the meters. Yes, they were designed against vandalism and all these physical destruction types of things. But they didn’t promise anything about the security of the smart card implementation. And the city ended up getting the brunt of the problem because people were creating fake smart cards. And the implementation was really easy to hack. But if the City had maybe said, ‘Okay, how is this secure against people creating fake smart cards?’ then that would make the vendor responsible to explain that. It really shows you that if you’re not able to ask the vendor questions, the vendor might not actually understand your implementation enough to protect against those risks.”

“This is all fundamental risk management,” John restates. “It’s risk management on their side, and it’s risk management on your side and understanding the context, understanding your particular use of said product, your technology stack, your capabilities to monitor and maintain the environment and all that fun stuff. And then understanding where the critical risks are and how to effectively manage them.”

What’s Next?

To listen to the complete podcast episode with Joe Grand, click here:

Want more expert guidance on how to apply risk management to your IoT environment? This recent podcast is perfect: