Ensure Your IoT Products are Secure & Compliant with Pivot Point Security

Pivot Point Security provides IoT security services to IoT device manufacturers to ensure that those devices comply with relevant guidance (e.g., CA SB-327, OWASP ISVS, ENISA) and are deployed and maintained in a secure state. Our team of security professionals will work together with yours to identify potential risks associated with your IoT infrastructure, develop strategies for mitigating those risks, and test the devices, clouds, applications, mobile applications, and partner services that are integral to your IoT ecosystem. With Pivot Point Security’s expertise in IoT security solutions, you can count on us to help you achieve a provably secure and compliant IoT security posture.

IoT Security

What is IoT Security?

IoT security is the ongoing process of ensuring that Internet of Things connected devices, and the networks they’re connected to, are safe from cyber threats.

The Internet of Things, or IoT, refers to the billions of physical devices worldwide that are now connected to the internet, collecting and sharing data. Virtually any device you can imagine is, or will eventually become, part of the IoT (e.g., planes, cars, pills, speakers, TV’s, refrigerators, insulin pumps, light bulbs). This adds a level of unimaginable digital intelligence to this “network of devices” that would be otherwise dumb, enabling them to communicate and support near-real-time automated analytics-driven decisions and actions.

Its promise is limitless; it will transform major sectors of our lives including building automation, agriculture, energy, transportation, and medicine. Its peril is nearly as limitless; necessitating new approaches to the secure design, manufacturing, deployment, use, and validation of our respective IoT footprints.

Sun Tzu once said, “If ignorant both of your enemy and yourself, you are certain to be in peril”, well said, and as true today as it was 2,500+ years ago.

IoT is an ecosystem. IoT often has three components: clouds, applications and devices. The cloud component can be complex as it often consists of networks and its own applications. At the application level, there could be a web app and/or there could be an API. At the mobile component level is a mobile app or a thick client that are used to configure and control the devices that will also consume the API(s) from the cloud. And then you’ve got the device itself and the device itself can have an embedded web server, it might have its own API. It may talk to mobile devices through the mobile app and there may be multiple devices in the ecosystem”

John Verry, Managing Partner at Pivot Point Security

How Does IoT Security Differ from Traditional Network Security?

image 12 min 1

IoT differs from conventional (human + PC) computing in four major ways:

  1. Device autonomy. Communications across the IoT are often device-to-device, taking action based on data with little to no human intervention.
  2. Use cases for endpoints. IoT devices monitor and control an almost unlimited spectrum of events across industrial processes, military technology, buildings, homes, vehicles… even the “Internet of Bodies” (IoB).
  3. Scale and complexity. Tens of billions of IoT devices generating tens of zetabytes of data daily creates a vast attack surface, plus a nearly infinite web of interoperability.
  4. Potential impact of a security event. The scale and interconnectedness of the IoT means the potential impact of a security breach of a critical IoT system could be equally massive—crippling enterprises, toppling economies or causing life-threatening catastrophes.

The 3 Fundamentals of IoT Security

Although IoT security can appear more complex (for good reason) the fundamentals of information security still directly apply in the world of IoT:

Protect the Device – Ensure the physical & logical security of the device

Need to protect:

  1. Physical Tampering – Device intrusion
  2. Physical Interfaces – USB, ethernet, serial, etc.
  3. Logical Interfaces – Zigbee, WiFi, BLE, etc.
  4. Device Security – Minimize physical access

Protect the Cloud – Ensure the Confidentiality, Integrity, & Availability of data & communications

  1. Trust, But Verify – Authenticate and authorize all communications
  2. Secure Protocols – Leverage proven approaches (eg. TLS, SSH)
  3. Encrypt – Protect data commensurate with its classification & requirements
  4. Log & Monitor – Keep in accordance with fault & security management objectives

Protect the Application(s) – Ensure they defend against advanced application security vulnerabilities

  1. Validate All Input – Server side validate all communications
  2. Solution Architecture – In accordance with regulations, best practice, & risk assessment
  3. Bake Security in SDLC – From security requirements to security certification testing
  4. Address All Modalities – API, browser, mobile, agents, & firmware

Understanding Risk in IoT Isn’t Very Different (but it is notably more important)

image 13 min

Greater Impact Requires Stronger Risk Management Processes

“Organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle … “, NIST 8228

IoT Risks Are Effectively Mitigated by Strong Scoping & Risk Analysis

Well characterized risk is essential to determining where to optimally apply critical security controls to mitigate IoT risk to a reasonable, appropriate & acceptable level.

How Can You Prove Your IoT is Secure?

How can organizations demonstrate to customers, business partners, their boards and other stakeholders that their expanding IoT environments are secure and can remain so?

Some key steps to ensure IoT security include:

  • Leveraging proven frameworks for information security and privacy that encompass IoT, such as ISO 27001ISO 27701 and NIST 8259
  • Leveraging a proven web application security framework like the OWASP Application Security Verification Standard (ASVS), to protect the software on IoT devices
  • Taking advantage of expert guidance and a proven process to assess your IoT security ecosystem and prioritize next steps, with a goal of simplifying your IoT security challenges.
image 21 min

Making your IoT provably secure can offer multiple benefits, including a shorter sales cycle and shorter time to revenue, reduced effort dealing with security questionnaires and customer audits, and provable alignment with security and privacy regulations to lessen legal and compliance risk.

Ready to start your journey to provable IoT Security? Start a conversation here

IoT Security Consulting and Assessments

Its promise is limitless; it continues to transform major sectors of our lives including building automation, agriculture, energy, transportation, and medicine. Its peril is nearly as limitless; necessitating new approaches to the secure design, manufacturing, deployment, use, and validation of our respective IoT footprints.

IoT Security FAQ’s

What is IoT Security?

IoT, or The Internet of Things, refers to the billions of physical devices worldwide that are now connected to the internet, collecting and sharing data. IoT Security is the effort to secure the clouds, applications and devices that make up the IoT ecosystem.

What is an IoT Security assessment?

An IoT Security assessment is a test performed by a qualified assessor that validates the security of one or more components of an IoT solution (e.g., cloud infrastructure, web portal and/or APIs, one or more IoT devices, and the mobile app used to configure/operate the IoT devices).

Why should I get an IoT assessment?

IoT security assessments are usually conducted by IoT device manufacturers to address key stakeholder demands:

  • Regulation(s) – An increasing number of regulations (e.g., CA-SB327, OR HB 2395) and good practices (e.g., OWASP ISVS, NIST 8228, ENISA, CSA IoT) necessitate testing to prove the devices meet “reasonable security” standards before it is allowed to be sold. The Presidential Executive Order directed the FTC to develop a testing program for IoT device manufacturers.
  • Customer(s) – Your customers (or management or a regulator) will often require proof your IoT ecosystem is properly secured. It’s essential to know what form(s) of attestation will work best for you and your customers.
  • Partner(s) – Cloud services like Alexa and Spotify are putting up walls and building moats around their cloud environments and requiring proof that you can leverage their services securely (often mandating that you comply with their particular requirements). If accessing third-party cloud services to extend your product ecosystem is a must, then being provably secure and compliant is a must-have.

What is IOT security?

IoT security is the ongoing process of ensuring via a cybersecurity strategy and protection mechanisms that Internet of Things (IoT) connected devices, the applications that control them, and the cloud infrastructure they communicate with are safe from cyber threats.

What are IOT security challenges?

The complexity, diversity and massive interconnectedness of IoT systems make security a major concern. Some of the top IoT security challenges include:

  • Software and firmware vulnerabilities on IoT devices
  • A lack of regular patches and updates plus difficulties applying patches if they exist
  • Inadequate protection from direct physical attacks, such as disassembling and reverse-engineering devices
  • Insecure communications among IoT devices, enabling hackers to intercept data and/or take control of devices with man-in-the-middle (MitM) attacks
  • Malware attacks, especially to expand and spread botnets

What are IOT security standards?

IoT security standards are voluntary or regulatory standards for securing IoT devices during design and manufacturing and/or in use. Currently, IoT security standards are few and not widely applied as part of industry or government regulations. Some of the most important IoT security standards include:

  • The US National Institute of Standards and Technology (NIST) NISTIR 8259 series of reports, which offers guidance to IoT device manufacturers and their vendors on how to apply security best practices to the design, development, testing, sales, and support of IoT devices to customers
  • The NIST SP 800-213 series of documents, which addresses the needs of US federal agencies seeking to deploy IoT devices within their systems
  • The European Union Agency for Cybersecurity (ENISA) baseline recommendations for IoT device security
  • The OWASP IoT Security Verification Standard
  • California’s SB 327 law for IoT security, which specifically aims to protect California consumers from privacy risks associated with smart home devices

How do you ensure IOT devices are secure?

While IoT security can be highly complex, the fundamentals of information security still apply. Here are the 3 keys to IoT security:

  1. Ensure the physical and logical security of the device
  2. Ensure the confidentiality, integrity, and availability of data and communications in the IoT cloud/ecosystem
  3. Ensure that IoT applications defend against known/advanced application security vulnerabilities

What are examples of IOT security vulnerabilities?

The primary types of IoT device vulnerabilities include:

  • Weak, guessable, or hardcoded passwords—especially popular with botnets and other malware
  • Insecure network services, such as open ports
  • Insecure ecosystem interfaces, such as poorly secure APIs
  • Exposed debug interfaces on the device