IoT Security

Ensure Your IoT Products are Secure & Compliant with Pivot Point Security

    Pivot Point Security provides IoT security services to IoT device manufacturers to ensure that those devices comply with relevant guidance (e.g., CA SB-327, OWASP ISVS, ENISA) and are deployed and maintained in a secure state. Our team of security professionals will work together with yours to identify potential risks associated with your IoT infrastructure, develop strategies for mitigating those risks, and test the devices, clouds, applications, mobile applications, and partner services that are integral to your IoT ecosystem. With Pivot Point Security’s expertise in IoT security solutions, you can count on us to help you achieve a provably secure and compliant IoT security posture.

    What is IoT Security?

    IoT security is the ongoing process of ensuring that Internet of Things connected devices, and the networks they’re connected to, are safe from cyber threats.

    The Internet of Things, or IoT, refers to the billions of physical devices worldwide that are now connected to the internet, collecting and sharing data. Virtually any device you can imagine is, or will eventually become, part of the IoT (e.g., planes, cars, pills, speakers, TVs, refrigerators, insulin pumps, light bulbs). Connectivity adds digital intelligence to devices that would otherwise be "dumb," enabling them to communicate with each other and to support near-real-time, automated, analytics-driven decisions and actions.

    Its promise is vast: it will transform major sectors of our lives, including building automation, agriculture, energy, transportation, and medicine. Its peril is nearly as great, necessitating new approaches to the secure design, manufacturing, deployment, use, and validation of our respective IoT footprints.

    Sun Tzu wrote, "If ignorant both of your enemy and yourself, you are certain to be in peril." That is as true today as it was 2,500+ years ago.

    "IoT is an ecosystem. IoT often has three components: clouds, applications and devices. The cloud component can be complex, as it often consists of networks and its own applications. At the application level, there could be a web app and/or there could be an API. At the mobile component level is a mobile app or a thick client that is used to configure and control the devices that will also consume the API(s) from the cloud. And then you've got the device itself, and the device itself can have an embedded web server; it might have its own API. It may talk to mobile devices through the mobile app, and there may be multiple devices in the ecosystem."

    John Verry, Managing Partner at Pivot Point Security

    How Does IoT Security Differ from Traditional Network Security?


    IoT differs from conventional (human + PC) computing in four major ways:

    1. Device autonomy. Communications across the IoT are often device-to-device, taking action based on data with little to no human intervention.
    2. Use cases for endpoints. IoT devices monitor and control an almost unlimited spectrum of events across industrial processes, military technology, buildings, homes, vehicles… even the “Internet of Bodies” (IoB).
    3. Scale and complexity. Tens of billions of IoT devices generating zettabytes of data every year create a vast attack surface and a nearly infinite web of interoperability dependencies.
    4. Potential impact of a security event. The scale and interconnectedness of the IoT means the potential impact of a security breach of a critical IoT system could be equally massive—crippling enterprises, toppling economies or causing life-threatening catastrophes.

    The 3 Fundamentals of IoT Security

    Although IoT security can appear more complex (for good reason), the fundamentals of information security still directly apply in the world of IoT:

    Protect the Device – Ensure the physical & logical security of the device

    1. Physical Tampering – Detect and resist device intrusion (opened enclosures, probed boards, extracted flash)
    2. Physical Interfaces – USB, ethernet, serial/UART, JTAG, etc.
    3. Logical Interfaces – Zigbee, WiFi, BLE, etc.
    4. Physical Access – Minimize who can reach the device and for how long

    Protect the Cloud – Ensure the Confidentiality, Integrity, & Availability of data & communications

    1. Trust, But Verify – Authenticate and authorize every device, user, and service on every communication
    2. Secure Protocols – Leverage proven approaches (e.g., TLS, SSH) rather than custom cryptography
    3. Encrypt – Protect data at rest and in transit commensurate with its classification & requirements
    4. Log & Monitor – Retain and review logs in accordance with fault & security management objectives

    Protect the Application(s) – Ensure they defend against advanced application security vulnerabilities

    1. Validate All Input – Validate every message on the server side; never rely on the device or the mobile app to have done it
    2. Solution Architecture – Design in accordance with regulations, best practice, & risk assessment
    3. Bake Security into the SDLC – From security requirements through security certification testing
    4. Address All Modalities – API, browser, mobile, agents, & firmware
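    The cloud- and application-side items above (authenticate and authorize every communication, validate all input on the server side, keep the device from being replayed or impersonated) can be shown in one small exchange. The Python below is an added example written for this page; it is not Pivot Point Security's code and not any product's actual protocol. The device IDs, keys, metric names and plausible ranges are constructed placeholders, and the HMAC-over-JSON envelope is one simple scheme assumed here for illustration. Transport confidentiality (TLS) is assumed to sit underneath it and is not shown.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import math

# Constructed data for this example: a unique 256-bit key provisioned per
# device at manufacture. Device IDs and key bytes are placeholders.
DEVICE_KEYS = {
    "pump-0001": bytes.fromhex("11" * 32),
    "pump-0002": bytes.fromhex("22" * 32),
}

# Authorisation policy (also constructed): which metrics each device may
# report, and the physically plausible range for each one.
ALLOWED_METRICS = {
    "pump-0001": {"flow_lpm": (0.0, 500.0), "pressure_kpa": (0.0, 1000.0)},
    "pump-0002": {"flow_lpm": (0.0, 500.0)},
}

MAX_CLOCK_SKEW_S = 60           # reject reports whose timestamp is outside this window
_last_seq: dict[str, int] = {}  # highest sequence number accepted per device


def device_sign(device_id: str, ts: int, seq: int, metric: str, value: float) -> bytes:
    """Device side: serialise the report once and MAC the exact bytes that are sent."""
    body = json.dumps({"ts": ts, "seq": seq, "metric": metric, "value": value})
    mac = hmac.new(DEVICE_KEYS[device_id], body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"device_id": device_id, "body": body, "mac": mac}).encode()


def server_verify(raw: bytes, now: int) -> tuple[bool, str]:
    """Server side: authenticate first, then validate every field before acting on it."""
    try:
        env = json.loads(raw)
    except ValueError:
        return False, "malformed envelope"
    if not isinstance(env, dict) or set(env) != {"device_id", "body", "mac"}:
        return False, "unexpected envelope fields"
    if not all(isinstance(env[k], str) for k in ("device_id", "body", "mac")):
        return False, "envelope field types"

    # 1. Authenticate. Unknown device and bad MAC both fail closed, and the
    #    comparison is constant-time so the tag cannot be guessed byte by byte.
    key = DEVICE_KEYS.get(env["device_id"])
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, env["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["mac"]):
        return False, "bad mac"

    # 2. Validate the authenticated body against a strict schema: exact key set,
    #    exact types (bool is excluded even though it subclasses int), finite numbers.
    try:
        body = json.loads(env["body"])
    except ValueError:
        return False, "malformed body"
    if not isinstance(body, dict) or set(body) != {"ts", "seq", "metric", "value"}:
        return False, "unexpected body fields"
    ts, seq, metric, value = body["ts"], body["seq"], body["metric"], body["value"]
    if type(ts) is not int or type(seq) is not int or not isinstance(metric, str):
        return False, "body field types"
    if isinstance(value, bool) or not isinstance(value, (int, float)) or not math.isfinite(value):
        return False, "value not a finite number"

    # 3. Freshness and replay protection: bounded clock skew plus a monotonic counter.
    if abs(now - ts) > MAX_CLOCK_SKEW_S:
        return False, "stale timestamp"
    if seq <= _last_seq.get(env["device_id"], -1):
        return False, "replayed or out-of-order sequence"

    # 4. Authorise: this device may report this metric, and the value is plausible
    #    for the sensor, so a compromised device cannot inject absurd readings.
    allowed = ALLOWED_METRICS.get(env["device_id"], {})
    if metric not in allowed:
        return False, "metric not authorised for device"
    lo, hi = allowed[metric]
    if not lo <= value <= hi:
        return False, "value out of range"

    _last_seq[env["device_id"]] = seq
    return True, "accepted"


if __name__ == "__main__":
    now = 1_700_000_000
    report = device_sign("pump-0001", now, 1, "flow_lpm", 42.5)
    print(server_verify(report, now))   # accepted
    print(server_verify(report, now))   # same bytes again: rejected as a replay
```

    The order of the checks matters: the MAC is verified before the body is parsed, so unauthenticated input never reaches the JSON parser or the business rules, and every rejection returns the same shape so a caller cannot distinguish "unknown device" from "bad mac" by timing alone.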

    Understanding Risk in IoT Isn’t Very Different (but it is notably more important)


    Greater Impact Requires Stronger Risk Management Processes

    "Organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle …" (NISTIR 8228)

    IoT Risks Are Effectively Mitigated by Strong Scoping & Risk Analysis

    Well-characterized risk is essential to determining where to apply critical security controls so that IoT risk is reduced to a reasonable, appropriate, and acceptable level.

    How Can You Prove Your IoT is Secure?

    How can organizations demonstrate to customers, business partners, their boards and other stakeholders that their expanding IoT environments are secure and can remain so?

    Some key steps to ensure IoT security include:

    • Leveraging proven frameworks for information security and privacy that encompass IoT, such as ISO 27001, ISO 27701 and NISTIR 8259
    • Leveraging proven verification standards: the OWASP Application Security Verification Standard (ASVS) for the web portal and APIs, and the OWASP IoT Security Verification Standard (ISVS) for the software on the devices themselves
    • Taking advantage of expert guidance and a proven process to assess your IoT security ecosystem and prioritize next steps, with a goal of simplifying your IoT security challenges.

    Making your IoT provably secure can offer multiple benefits, including a shorter sales cycle and shorter time to revenue, reduced effort dealing with security questionnaires and customer audits, and provable alignment with security and privacy regulations to lessen legal and compliance risk.

    IoT Security FAQs

    What is IoT Security?

    IoT, or the Internet of Things, refers to the billions of physical devices worldwide that are now connected to the internet, collecting and sharing data. IoT security is the effort to secure the clouds, applications and devices that make up the IoT ecosystem.

    IoT security is the ongoing process of ensuring via a cybersecurity strategy and protection mechanisms that Internet of Things (IoT) connected devices, the applications that control them, and the cloud infrastructure they communicate with are safe from cyber threats.

    What is an IoT Security assessment?

    An IoT Security assessment is a test performed by a qualified assessor that validates the security of one or more components of an IoT solution (e.g., cloud infrastructure, web portal and/or APIs, one or more IoT devices, and the mobile app used to configure/operate the IoT devices).

    Why should I get an IoT assessment?

    IoT security assessments are usually commissioned by IoT device manufacturers to address key stakeholder demands:

    • Regulation(s) – An increasing number of regulations (e.g., California SB-327, Oregon HB 2395) and good-practice guides (e.g., OWASP ISVS, NISTIR 8228, ENISA, CSA IoT) call for testing to show that devices meet "reasonable security" requirements before they can be sold. Executive Order 14028 also directed NIST, in coordination with the FTC, to identify criteria for a consumer IoT cybersecurity labeling program.
    • Customer(s) – Your customers (or management or a regulator) will often require proof your IoT ecosystem is properly secured. It’s essential to know what form(s) of attestation will work best for you and your customers.
    • Partner(s) – Cloud services like Alexa and Spotify are putting up walls and building moats around their cloud environments and requiring proof that you can leverage their services securely (often mandating that you comply with their particular requirements). If accessing third-party cloud services to extend your product ecosystem is a must, then being provably secure and compliant is a must-have.

    What are IoT security challenges?

    The complexity, diversity and massive interconnectedness of IoT systems make security a major concern. Some of the top IoT security challenges include:

    • Software and firmware vulnerabilities on IoT devices
    • A lack of regular patches and updates plus difficulties applying patches if they exist
    • Inadequate protection from direct physical attacks, such as disassembling and reverse-engineering devices
    • Insecure communications among IoT devices and between devices and the cloud, enabling attackers to intercept data and/or take control of devices with man-in-the-middle (MitM) attacks
    • Malware infections, especially devices being recruited into botnets

    What are IoT security standards?

    IoT security standards are voluntary or regulatory standards for securing IoT devices during design and manufacturing and/or in use. Currently, IoT security standards are few and not widely applied as part of industry or government regulations. Some of the most important IoT security standards include:

    • The US National Institute of Standards and Technology (NIST) NISTIR 8259 series of reports, which offers guidance to IoT device manufacturers and their vendors on how to apply security best practices to the design, development, testing, sales, and support of IoT devices to customers
    • The NIST SP 800-213 series of documents, which addresses the needs of US federal agencies seeking to deploy IoT devices within their systems
    • The European Union Agency for Cybersecurity (ENISA) baseline recommendations for IoT device security
    • The OWASP IoT Security Verification Standard
    • California's SB-327, which requires manufacturers of connected devices sold in California to equip them with reasonable security features (for example, no shared default password across units)

    How do you ensure IoT devices are secure?

    While IoT security can be highly complex, the fundamentals of information security still apply. Here are the 3 keys to IoT security:

    1. Ensure the physical and logical security of the device
    2. Ensure the confidentiality, integrity, and availability of data and communications in the IoT cloud/ecosystem
    3. Ensure that IoT applications defend against known/advanced application security vulnerabilities

    What are examples of IoT security vulnerabilities?

    The primary types of IoT device vulnerabilities include:

    • Weak, guessable, or hardcoded passwords, the entry point most commonly exploited by botnet malware
    • Insecure network services, such as unnecessary open ports and listening daemons
    • Insecure ecosystem interfaces, such as poorly secured cloud and mobile APIs
    • Exposed debug interfaces on the device (serial consoles, JTAG, telnet)
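    Most of the vulnerability classes in that list (hardcoded credentials, services left listening at boot, exposed debug consoles, shared private keys, cleartext transport) can be caught by inspecting an extracted firmware root filesystem before a device ever ships. The Python below is an added example, not this page's or Pivot Point Security's tooling. The filesystem it inspects is a constructed in-memory sample that mimics a BusyBox-style embedded Linux image; every path, hash and key in it is a placeholder. In practice the same checks would be pointed at a directory tree produced by a firmware unpacking tool.

```python
from __future__ import annotations

import re

# Constructed sample of an extracted firmware root filesystem (path -> text).
# All paths and contents are made up for this example.
SAMPLE_ROOTFS = {
    "/etc/passwd": (
        "root:$1$abcdefgh$XXXXXXXXXXXXXXXXXXXXXX:0:0:root:/root:/bin/sh\n"
        "admin:x:1000:1000::/home/admin:/bin/sh\n"
        "nobody:*:65534:65534::/:/bin/false\n"
    ),
    "/etc/shadow": "admin:$6$saltsalt$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY:19000:0:99999:7:::\n",
    "/etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n"
    ),
    "/etc/init.d/rcS": "#!/bin/sh\nmount -a\n/usr/sbin/telnetd -l /bin/sh &\n/usr/sbin/httpd -p 80\n",
    "/etc/dropbear/dropbear_rsa_host_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "/etc/config/cloud.conf": "api_key=placeholder-secret-value\nbroker=mqtt://broker.example.net:1883\n",
}

WEAK_CRYPT_PREFIXES = ("$1$", "$apr1$")   # MD5-crypt; classic DES hashes are 13 chars with no "$"
LOCKED = {"", "x", "*", "!", "!!"}          # password fields that do not hold a usable hash
CLEARTEXT_SCHEMES = ("http://", "telnet://", "ftp://", "mqtt://")
SECRET_KEYS = re.compile(r"^\s*(api_key|password|passwd|secret|token)\s*=", re.I | re.M)
SEVERITY_ORDER = ("critical", "high", "medium", "low")


def _hash_strength(h: str) -> str:
    """Classify a crypt(3)-style hash as weak (MD5/DES) or strong (anything newer)."""
    if h.startswith(WEAK_CRYPT_PREFIXES) or ("$" not in h and len(h) == 13):
        return "weak"
    return "strong"


def audit_rootfs(rootfs: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (severity, path, finding) tuples, most severe first."""
    findings: list[tuple[str, str, str]] = []
    for path, text in rootfs.items():
        # 1. Credentials baked into the image are identical on every unit shipped,
        #    so one leaked or cracked hash opens the whole fleet.
        if path in ("/etc/passwd", "/etc/shadow"):
            for line in text.splitlines():
                fields = line.split(":")
                if len(fields) < 2 or fields[1] in LOCKED:
                    continue
                strength = _hash_strength(fields[1])
                sev = "high" if strength == "weak" or fields[0] == "root" else "medium"
                findings.append((sev, path, f"hardcoded {strength} password hash for '{fields[0]}'"))
        # 2. Debug and management services started at boot: telnet (critical when
        #    it launches a shell with no login) and a login prompt on the UART.
        if path.startswith("/etc/init.d/") or path == "/etc/inittab":
            for line in text.splitlines():
                if "telnetd" in line:
                    sev = "critical" if re.search(r"-l\s+/bin/(a)?sh", line) else "high"
                    findings.append((sev, path, f"telnet service started at boot: {line.strip()}"))
                if re.search(r"\bgetty\b.*\btty(S|AMA|USB)\d", line):
                    findings.append(("medium", path, f"login shell on serial/UART console: {line.strip()}"))
        # 3. A private key shipped in the image is shared by every device, so any
        #    one device can impersonate all the others.
        if "PRIVATE KEY-----" in text:
            findings.append(("high", path, "private key embedded in firmware image"))
        # 4. Cleartext secrets and unencrypted transport in configuration files.
        if SECRET_KEYS.search(text):
            findings.append(("high", path, "cleartext secret in configuration file"))
        for scheme in CLEARTEXT_SCHEMES:
            if scheme in text:
                findings.append(("medium", path, f"unencrypted transport configured ({scheme})"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))


if __name__ == "__main__":
    for sev, path, msg in audit_rootfs(SAMPLE_ROOTFS):
        print(f"[{sev:8}] {path}: {msg}")
```

    Run against the constructed sample this reports seven findings, led by the telnet daemon that spawns a root shell with no authentication. The checks are deliberately string-based so they run on a plain directory tree; a real audit would extend them with the device's actual init system and package layout rather than relying on these path names.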
