After attending the latest IEC SC 41 and ITU SG20 meetings in Japan and China, I am still surprised that many people are unsure how to determine the risk of an IoT solution. One thing that complicates matters is the concept of a System-of-Systems (SoS) for IoT. If you break it down, most IoT solutions are a SoS. The device alone is a full-fledged system that includes hardware and software, an OS, a server and an application at a minimum. Then consider that there is also a mobile application and cloud hosting for the data and application layers.
The first place to start is quantifying the risk: if this system were compromised, what impact might that have on your organization using or deploying it? Questions to ask include:
a. Can the device or service be weaponized due to weak design or lack of formal testing and design?
b. Does the system, at any level, store Personally Identifiable Information (PII), which is subject to very specific regulations in many jurisdictions?
c. Does the vendor have a Secure Development Lifecycle (SDLC)?
d. Does the vendor have company policies and procedures that include developing a secure product? This covers many other aspects that need to be considered, including privacy by design, audit process, risk registry, etc. Security is an ongoing process, so this should be easily proven by the way the organization operates and deals with security.
e. Only use products that can be validated as authentic; no grey-market goods.
f. Have your solution verified by a 3rd party provider who is certified in conducting formal audits on these solutions.
g. Ensure that any penetration testing that was conducted included all components, not just the device.
As a footnote, please keep following ISO 27030 (Security and Privacy in IoT) and IEC 30149 (Trustworthiness Framework) as two key works that will aid industry and buyers of IoT solutions. These two projects will help to drive the requirements that vendors should consider and help in comparing solutions based on their security and privacy features.