My friend Eric Morley, owner of Big Frog Custom T-Shirts in Woodbury, MN, is a frequent and thought-provoking responder to articles that I post on my weblog. Recently, he asked: “Hey Bob, are you aware of any rating systems on IoT devices? I’d love to be able to review the security of these devices, and make buying decisions based on their end-to-end security/privacy ratings. Like many, I probably have 5 different brands of products connected to my smart home. Tracking the security and privacy of each is tough. ‘Don’t use them’ is just not a thing, because I love the functionality! Or, maybe some best practices for using a connected home more safely?”
The short answer is “No.” Or maybe “only in Finland.” (Keep reading.) As far as I can find, no organization in the US is providing a comprehensive and systematic review of the cybersecurity of consumer IoT devices.
The first candidates that came to mind were Consumer Reports and Underwriters Laboratories (UL). The UL site appeared to hold promise: they do have a smart-device interoperability page. They seem to be most interested in how well these devices play with each other over the different communications standards such as Zigbee, Bluetooth, and Wi-Fi. Unfortunately, it does not appear that they are looking at security at this time.
Consumer Reports does not appear to be reviewing IoT cybersecurity either. They have a good article that gives sound advice (linked below), but they are not actively rating the security of individual IoT devices.
A SecureWorld email newsletter carried a story about how the National Cyber Security Centre Finland (NCSC-FI) is taking up this role. They are testing IoT products for security and awarding a badge of approval to those products that meet their standards. According to the article, the criteria are:
- Manufacturers must share key security features of the product or service and its associated ecosystem.
- IoT makers must provide information on safe use and the duration of the security support provided.
- The device’s access control must be discussed: passwords, certificates, or third-party authentication methods.
- Software security: what does the device have and how will it be kept up to date?
- Privacy policy: the device maker must reveal the purposes of data collection and who is collecting the data.
- How is the smart device handling data transfer and storage: authentication, encryption, and key management practices?
- Security of web interfaces: IoT devices must minimize unnecessary online services and comply with the minimum-rights principle. (Essentially, least privilege: if something does not need access to the device, it should not have that access.)
- Safe default settings: the defaults must be designed to protect the user out of the box. This is the opposite of what happens now, in most cases.
Perhaps we can get something like this going in the United States? Maybe from the Department of Homeland Security, or NIST. Or maybe there is an independent organization out there that is looking to take on this important challenge. If you are aware of such an organization, please provide a comment below.
More information:
- SecureWorld: This Country Created a ‘Cybersecurity Seal of Approval’ for Smart Devices
- Underwriters Laboratories (UL)
- Consumer Reports: How Internet of Things Companies Can Fix Their Security Mess
- Finland cybersecurity approval website (NCSC-FI)
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments, and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference; the Secure360 Security Conference in 2016, 2017, 2018, and 2019; the (ISC)2 World Congress 2016; and the ISSA International Conference 2017, as well as many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com