The last few months have been hectic, as many of the standards groups are pushing to get the security and privacy aspects of IoT under control. As we get ready to wind down the year, let's look at where we are:
a. ISO/IEC 27030 IoT Security and Privacy – This standard has now moved to Committee Draft (CD), and as the editor I am really proud of my editing team and the global experts for getting us here rather quickly. I believe this international standard will set the bar for IoT products globally, and it is highly anticipated by many groups and organizations around the world.
b. ISO/IEC 27042 IoT Baseline – This standard is currently a New Work Item Proposal (NWIP) and will be going to a vote in the next few months. It is the result of an ad hoc group that studied the topic and determined that we need a baseline for vendors who are entering the IoT product field. The goal is that this would be a starting point, not the finish line, for securing the product and the organization, while giving regulators the guidance they need for products.
c. IoT Platform is a group that developed as a result of work completed by the Internet Society in Canada. Out of this work, a platform of regulators has formed and continues to expand on how to ensure that IoT products are secure both now and in the future. As a result, many nations will be making formal announcements about the aspects that products should have. In Canada this has been posted by the Office of Consumer Affairs (OCA), and details are located here. I believe that this is a good starting point, but I hope that vendors will realize these aspects alone do not make a secure product; that only happens when security and privacy become an embedded part of the organization and are driven into the development processes. I also hope that our regulators hold vendors to a higher standard of responsibility for the security of their products going forward.
d. CSA T200 has been released as an Express Standard, and over the next 24 months we hope to develop the final version that will be used as the baseline for products and organizations in Canada and the US to meet or exceed regulatory requirements for IoT products. Looking ahead, we are working toward a cyber label on products for security. More to come on this.
e. IEC 30149 IoT Trustworthiness is still very much a work in progress, as many experts are still trying to determine what constitutes trust. While one faction believes trust is the result of the SDLC, I am very much of the opinion that this is not the case; it is a view of the organization as a whole, which includes the development processes. The approach must be based on a framework such as ISO 42010 that allows any organization to determine the specific attributes of trust for its company and the products being developed.
Here is the content for the IoT Checklist:
1. Ask how the device is collecting, using, and sharing your data
- Is the device collecting my data? How is the device collecting my data?
- Is the device using my data? How is the device using my data?
- Is the device sharing my data? How is the device sharing my data?
- With whom is the device sharing my data?
- Is the device collecting data I do not want shared, such as my location?
- Is there an option for me to opt out of the device collecting, sharing or using my data?
- Will I be able to opt out of additional or future features that collect data, without opting out of security updates?
2. Ask about the device’s lifecycle, if it can function offline, and if there is product support available
- How long can I expect the device to work?
- How long are security patches and upgrades expected to be available for this product?
- What kind of support is available should I experience problems with the device or suspect the device has been compromised?
- Will the device work without an Internet connection? Can I use the product if the Internet is down? What features work offline?
- Will the device work if the manufacturer ceases to exist?
3. Ask if the device you are buying is from a reputable manufacturer
- Does the company have a good track record when it comes to protecting its customers’ privacy and security?
- Check for media coverage online about whether or not this company has experienced a security breach in the past. If so, what was the impact on its consumers? What measures did the company take to prevent future security breaches?
- Are there independent user reviews of the product I can consult?
For more tips on how to approach a business or manufacturer about your privacy and security concerns, check out this tip sheet.
Lots of progress this past year and lots more to come. I do see a shift: regulators globally are moving toward requirements for IoT companies. I hope it is a wake-up call for vendors that, given the lack of security controls and the growing attack surface, IoT vendors will see a day when their products must undergo formal testing and evaluation to enter certain markets globally.