Last Updated on September 22, 2020
New regulations like California State Bill 327 (SB 327) plus pressure from customers and ecosystem partners make cybersecurity assessment a business-critical requirement for many Internet of Things (IoT) device manufacturers.
With expert guidance and a proven process tailored to your specific needs, you can pinpoint any security gaps in your IoT ecosystem and understand how best to address them. You can then attest with confidence to customers, partners and other stakeholders you can keep their data secure and uphold their compliance requirements.
This post shares the cost range for IoT device/service security testing and explains the drivers that could influence your final cost.
How much does an IoT security assessment cost?
Costs for 90% of our clients fall between these figures:
- $8,000 to $10,000 on the low end for a simple IoT device tested against a limited set of requirements, all the way up to…
- $95,000 on the high end to fully test a complex ecosystem of connected devices and software.
Within that very broad range, your actual costs will largely depend on the complexity/scope of your offering and the number of requirements and/or controls you need to test against.
Cost drivers for an IoT security assessment
The following factors can influence the cost of assessing security for an IoT solution:
- Device scope/complexity
Do you need to test just one device, a family of devices or multiple/interoperable devices?
- Device interface scope/complexity
Does the solution include a mobile app, thick client application and/or web interface (e.g., logging into Nest to see thermostat data)?
- Cloud component
Does the solution utilize cloud APIs or a cloud component and/or cloud-based third-party services (e.g., Cradlepoint)
- Testing scope
How many requirements/controls do we need to test against (California SB 327, OWASP IoT Top 10, OWASP Application Security Verification Standard (ASVS) Level 1, OWASP ASVS Level 2, etc.)? Assessing compliance with more complex regulations or frameworks increases cost. Doing code review also increases cost.
Example IoT security assessment scenarios:
Here are some simplistic examples that illustrate how increasing solution complexity can increase IoT security testing complexity and cost:
- An example of a lower-cost scenario would be testing a relatively simple IoT device like a smart speaker against a relatively small number of requirements, such as a subset of the Amazon Alexa certification requirements.
- A similarly low-cost scenario would be testing a single device against CA SB 327 requirements.
- A somewhat more complex scenario would encompass not just one device but a family/ecosystem of multiple devices that all interact, which would require testing multiple device-to-device communication pathways.
- Another step up in complexity would be testing more complex devices with more logical and/or physical ports, inclusion of an embedded web server, inclusion of a device-specific API, etc.
- A further step up in complexity would be adding a mobile app, web client or thick client software that is used to configure or operate the device.
- Leveraging the cloud adds security testing complexity, including the need for a vulnerability assessment of the physical network and server infrastructure. If cloud APIs are used, these also need to be tested.
- Tying into third-party/cloud services also increases the testing scope; e.g., using Cradlepoint as a connectivity provider, or a smart speaker connecting to Pandora. These communication links would need to be tested to ensure that the device ecosystem as a whole is secure.
- A significant cost factor is testing against more controls; e.g., CA SB 327 versus the OWASP IoT Top 10 versus the more extensive OWASP ASVS Level 2, etc.
- Another significant cost factor is the need for firmware or software code review, which requires expert resources.