Needless to say, the Internet of Things has taken off and become more widespread. Connected devices in homes and buildings enable automation and data collection that enhances business intelligence as well as the user experience.
However, with IoT comes certain negative consequences, the biggest of which is cyberattacks on connected devices. The Botnet attacks at the end of last year spoke volumes of the immense risk that poorly designed connected devices are subject to.
With cybersecurity for networked devices becoming more important than ever, the Online Trust Alliance (OTA) published its latest version of “The IoT Trust Framework,” a set of guidelines to help vendors design devices that are secure and more effective at countering cyberattacks.
“These updates incorporate key learnings from field testing, the evolving threat landscape and feedback from industry leaders and related efforts. Core to addressing the inherent security risks and privacy issues is the application of the principles to the entire device solution. These include the device or sensor, the supporting applications, and the backend/cloud services,” the paper said. “Serving as a risk assessment guide for developers, purchasers and retailers, the Framework is the foundation for future IoT certification programs. It is the goal of OTA to post and highlight devices which meet these standards to help consumers, as well as the public and private sectors, make informed purchasing decisions.”
The guide is divided into four categories – security principles, user access and credentials, privacy, disclosures and transparency, and notifications and related best practices – with must-dos and recommendations for each category. Below are some of the main points that the OTA listed in each category.
Security principles
- All personally identifiable data in transit and in storage must be encrypted using current, generally accepted security standards.
- All IoT support web sites must fully encrypt the user session, from the device to the backend services.
- Establish coordinated vulnerability disclosure, including processes and systems, to receive, track and promptly respond to external vulnerabilities reports from third parties including but not limited to customers, consumers, academia and the research community.
- Must have a mechanism for automated safe and secure methods to provide software and/or firmware updates, patches and revisions.
Access and credentials
- Include strong authentication by default, including providing unique, system-generated or single use passwords, or alternatively use secure certificate credentials.
- Provide generally accepted recovery mechanisms for IoT application(s) and support passwords and/or mechanisms for credential re-set using multi-factor verification and authentication (email and phone, etc.) where no user password exists.
- Take steps to protect against “brute force” and/or other abusive login attempts by locking or disabling user and device support account(s) after a reasonable number of invalid log in attempts.
Privacy, disclosures and transparency
- Ensure privacy, security, and support policies are easily discoverable, clear and readily available for review prior to purchase, activation, download, or enrollment.
- Conspicuously disclose what personally identifiable and sensitive data types and attributes are collected and how they are used.
- Disclose the data retention policy and duration of personally identifiable information stored.
- Only share consumers’ personal data with third parties with consumers’ affirmative consent, unless required.
Among other best practices listed by OTA are adoptions of authentication protocols for end-user communications, including but not limited to email and SMS, to help prevent spear phishing and spoofing; and enacting a breach and cyber response and consumer notification plan to be reevaluated, tested and updated at least annually.