Pivot Point Security provides IoT security services to IoT device manufacturers to ensure that those devices comply with relevant guidance (e.g., CA SB-327, OWASP ISVS, ENISA) and are deployed and maintained in a secure state. Our team of security professionals will work together with yours to identify potential risks associated with your IoT infrastructure, develop strategies for mitigating those risks, and test the devices, clouds, applications, mobile applications, and partner services that are integral to your IoT ecosystem. With Pivot Point Security’s expertise in IoT security solutions, you can count on us to help you achieve a provably secure and compliant IoT security posture.
What is IoT Security?
IoT security is the ongoing process of ensuring that Internet of Things connected devices, and the networks they’re connected to, are safe from cyber threats.
The Internet of Things, or IoT, refers to the billions of physical devices worldwide that are now connected to the internet, collecting and sharing data. Virtually any device you can imagine is, or will eventually become, part of the IoT (e.g., planes, cars, pills, speakers, TV’s, refrigerators, insulin pumps, light bulbs). This adds a level of unimaginable digital intelligence to this “network of devices” that would be otherwise dumb, enabling them to communicate and support near-real-time automated analytics-driven decisions and actions.
Its promise is limitless; it will transform major sectors of our lives including building automation, agriculture, energy, transportation, and medicine. Its peril is nearly as limitless; necessitating new approaches to the secure design, manufacturing, deployment, use, and validation of our respective IoT footprints.
Sun Tzu once said, “If ignorant both of your enemy and yourself, you are certain to be in peril”, well said, and as true today as it was 2,500+ years ago.
IoT is an ecosystem. IoT often has three components: clouds, applications and devices. The cloud component can be complex as it often consists of networks and its own applications. At the application level, there could be a web app and/or there could be an API. At the mobile component level is a mobile app or a thick client that are used to configure and control the devices that will also consume the API(s) from the cloud. And then you’ve got the device itself and the device itself can have an embedded web server, it might have its own API. It may talk to mobile devices through the mobile app and there may be multiple devices in the ecosystem”
John Verry, Managing Partner at Pivot Point Security
How Does IoT Security Differ from Traditional Network Security?
IoT differs from conventional (human + PC) computing in four major ways:
- Device autonomy. Communications across the IoT are often device-to-device, taking action based on data with little to no human intervention.
- Use cases for endpoints. IoT devices monitor and control an almost unlimited spectrum of events across industrial processes, military technology, buildings, homes, vehicles… even the “Internet of Bodies” (IoB).
- Scale and complexity. Tens of billions of IoT devices generating tens of zetabytes of data daily creates a vast attack surface, plus a nearly infinite web of interoperability.
- Potential impact of a security event. The scale and interconnectedness of the IoT means the potential impact of a security breach of a critical IoT system could be equally massive—crippling enterprises, toppling economies or causing life-threatening catastrophes.
The 3 Fundamentals of IoT Security
Although IoT security can appear more complex (for good reason) the fundamentals of information security still directly apply in the world of IoT:
Protect the Device – Ensure the physical & logical security of the device
Need to protect:
- Physical Tampering – Device intrusion
- Physical Interfaces – USB, ethernet, serial, etc.
- Logical Interfaces – Zigbee, WiFi, BLE, etc.
- Device Security – Minimize physical access
Protect the Cloud – Ensure the Confidentiality, Integrity, & Availability of data & communications
- Trust, But Verify – Authenticate and authorize all communications
- Secure Protocols – Leverage proven approaches (eg. TLS, SSH)
- Encrypt – Protect data commensurate with its classification & requirements
- Log & Monitor – Keep in accordance with fault & security management objectives
Protect the Application(s) – Ensure they defend against advanced application security vulnerabilities
- Validate All Input – Server side validate all communications
- Solution Architecture – In accordance with regulations, best practice, & risk assessment
- Bake Security in SDLC – From security requirements to security certification testing
- Address All Modalities – API, browser, mobile, agents, & firmware
Understanding Risk in IoT Isn’t Very Different (but it is notably more important)
Greater Impact Requires Stronger Risk Management Processes
“Organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle … “, NIST 8228
IoT Risks Are Effectively Mitigated by Strong Scoping & Risk Analysis
Well characterized risk is essential to determining where to optimally apply critical security controls to mitigate IoT risk to a reasonable, appropriate & acceptable level.
How Can You Prove Your IoT is Secure?
How can organizations demonstrate to customers, business partners, their boards and other stakeholders that their expanding IoT environments are secure and can remain so?
Some key steps to ensure IoT security include:
- Leveraging proven frameworks for information security and privacy that encompass IoT, such as ISO 27001, ISO 27701 and NIST 8259
- Leveraging a proven web application security framework like the OWASP Application Security Verification Standard (ASVS), to protect the software on IoT devices
- Taking advantage of expert guidance and a proven process to assess your IoT security ecosystem and prioritize next steps, with a goal of simplifying your IoT security challenges.
Making your IoT provably secure can offer multiple benefits, including a shorter sales cycle and shorter time to revenue, reduced effort dealing with security questionnaires and customer audits, and provable alignment with security and privacy regulations to lessen legal and compliance risk.
Ready to start your journey to provable IoT Security? Start a conversation here
IoT Security Consulting and Assessments
Its promise is limitless; it continues to transform major sectors of our lives including building automation, agriculture, energy, transportation, and medicine. Its peril is nearly as limitless; necessitating new approaches to the secure design, manufacturing, deployment, use, and validation of our respective IoT footprints.
IoT Security FAQ’s
IoT, or The Internet of Things, refers to the billions of physical devices worldwide that are now connected to the internet, collecting and sharing data. IoT Security is the effort to secure the clouds, applications and devices that make up the IoT ecosystem.
An IoT Security assessment is a test performed by a qualified assessor that validates the security of one or more components of an IoT solution (e.g., cloud infrastructure, web portal and/or APIs, one or more IoT devices, and the mobile app used to configure/operate the IoT devices).
IoT security assessments are usually conducted by IoT device manufacturers to address key stakeholder demands:
- Regulation(s) – An increasing number of regulations (e.g., CA-SB327, OR HB 2395) and good practices (e.g., OWASP ISVS, NIST 8228, ENISA, CSA IoT) necessitate testing to prove the devices meet “reasonable security” standards before it is allowed to be sold. The Presidential Executive Order directed the FTC to develop a testing program for IoT device manufacturers.
- Customer(s) – Your customers (or management or a regulator) will often require proof your IoT ecosystem is properly secured. It’s essential to know what form(s) of attestation will work best for you and your customers.
- Partner(s) – Cloud services like Alexa and Spotify are putting up walls and building moats around their cloud environments and requiring proof that you can leverage their services securely (often mandating that you comply with their particular requirements). If accessing third-party cloud services to extend your product ecosystem is a must, then being provably secure and compliant is a must-have.