ISO/IEC 27400 — Cybersecurity — IoT security and privacy — Guidelines [DRAFT]
The standard will provide guidance on the principles, [information] risk and controls for IoT security and privacy.
The standard will be specific to IoT, covering both information security and privacy.
Purpose and justification
[The following is my interpretation of the project brief, with several changes ...]
IoT things may interconnect and connect to the Internet. Insecure things may impact security and privacy, in ways that differ from more conventional IT systems (e.g. desktops, laptops and servers). Therefore, appropriate security and privacy controls are necessary. The standard will provide security and privacy guidance for “an IoT system/service/solution” (whatever that means!). The standard may also cover “trustworthiness” and will hopefully align with other IoT standards.
Issues [information risks] to be addressed by the standard include:
- Broad extent and nature of impacts, potentially including safety issues and property damage;
- Long lifecycle of [some] things [some are cheap and disposable, anticipating short lifecycles ... but who knows how long they will remain in service? Version control and change management (e.g. patching) are further issues with IoT];
- [Due in part to a lack of standardization] there are difficulties in monitoring and managing things, hence some (many!) are [likely to remain] unmanaged;
- Concerns around interoperability and interaction between things, and with other networked devices;
- Things have limited functionality and performance [capability and capacity];
- Possible connections to/uses of things which were not anticipated by their designers/manufacturers;
- Owners/users of things may change over time [hence the context or situation in which things are used may change - as with conventional IT!].
IoT designers/manufacturers and users, both individuals and corporates, may be oblivious to the information risks and expected/necessary controls, hence this standard (and this website!) has a role in raising awareness and driving maturity on both the supply and the demand sides.
Status of the standard
Currently at 2nd Committee Draft stage, due to be published in 2022.
This standard, numbered ISO/IEC 27030 during drafting, is likely to be published as ISO/IEC 27400 alongside other IoT security and privacy standards currently in preparation.
I’m pleased to note the intention to elaborate on the [information] risks associated with IoT. Although the analysis will necessarily be generic, it should provide a useful prompt for users of the standard to consider their specific IoT-related information risks, and should form a rational basis for the selection of security and privacy controls (and perhaps other risk treatments) described in the standard. At least, I hope so. I hope to provide input to the project ... starting with my ‘interpretation’ of the brief above, and an initial elaboration on the IoT-related information risks:
Obsolescence is an obvious issue with all new technologies, especially in such a rapidly evolving field as IoT. Organizations (manufacturers and consumers) that commit to particular IoT technical architectures, networking protocols etc. today risk legacy problems down the line, especially if they fail to comply with applicable, well-respected standards.
Accidental damage, loss or casual theft are particular concerns when things are physically located or exposed in hostile environments.
Jailbroken things are an example of inappropriate configuration changes made by naive users, with security and privacy impacts that they probably don’t appreciate.
IoT is changing human society in ways that are hard to predict. Within organizations, IoT, cloud computing, BYOD etc. are often associated with the rise of ‘shadow IT’, no longer entirely managed and controlled by the corporate IT department, with several associated information risks, e.g. naïve adoption of insecure and inappropriate technologies, and stress and fragmentation of the IT infrastructure. At a broader level, increasingly independent and mobile IT systems (and workers!) are harder to locate, authenticate, monitor, direct and control.
Depending on one’s perspective, surveillance may be a valuable application of IoT or a massive privacy threat – it’s a dual-use technology. Proliferating things generate huge volumes of valuable yet often personal information: controlling it is vital to avoid issues.
Critical infrastructure incidents have potentially catastrophic impacts. At a national level, things are increasingly being used to monitor and control electrical power grids, for instance, while organizations have their own critical corporate infrastructure risks. Given their interconnectedness and interdependence, even simple technology failures in critical infrastructure (including design flaws) could easily cause disruption (cascading failure for instance), while deliberate and widespread malware or hacker attacks could be devastating. As the Stuxnet incident demonstrated, even air-gapping critical systems does not totally guarantee their security.
Malware ranging from commonplace to highly sophisticated (such as Advanced Persistent Threats) forms a band of risk across the amber zone on the graphic.
The standard might usefully address the other yellow and green-zone information risks shown, plus others that we have undoubtedly missed in this analysis.
Some other perspectives on IoT-related [information] risks:
- ISACA is concerned about always-on ubiquitous computing, plus compliance and safety risks.
- Deloitte warns of ‘exponentially increasing cyber risks’ due to the proliferation of both IoT things and information shared, and raises the intriguing if vague prospect of decentralized risk management, somehow mirroring decentralized computing.
- KPMG talks of IoT risks arising from the ‘ecosystem and use cases’ (i.e. the organizational and personal context in which things are operated and used, such as smart TVs spying on the Board Room) in addition to risks associated with the things themselves, with the possibility of using smart things to smarten-up information security. They emphasize unpredictability of the risks due to rapid innovation in the technology and how things are being used ... which hints at the need for incident detection, management and contingency arrangements as well as preventive controls. [A recent news story about Fitbits disclosing the whereabouts of military personnel running near their bases is an example of a novel IoT risk.]
- Rick brings up the notion of IoT-based DDoS attacks using things as widely-distributed insecure attack platforms.
Aside from the information risks, there are various opportunities arising from or relating to IoT, potentially even information and physical security advantages (e.g. the legitimate, authorized and entirely appropriate use of surveillance, monitoring, intruder detection, authentication, tracking, audit trails etc.). Provided they are adequately secured, the capabilities and features of IoT things may support, enable and enhance security, privacy and safety in various ways:
- Being self-contained, perhaps autonomous, things are to some extent capable of operating off-grid, when power, networks and other infrastructure services are compromised or unavailable;
- ‘Security robots’ and the like are things with significant potential as security guards, incident responders etc.;
- Networking and collaboration between things forming the white-hat equivalent of botnets, perhaps monitoring and responding to security threats as a team effort - widely dispersed defenses (leading no doubt to the IoT equivalent of robot wars!);
- Physical dispersal, mobility/portability and physical hardening make things less vulnerable to/more capable of surviving potentially disastrous physical incidents (for those not at the epicentre anyway!);
- Their limited processing and storage capacity and minimalist user interfaces reduce the possibility of sophisticated malware infections and hacks on basic things themselves ... although more conventional IoT administrative and management software remains vulnerable;
- Simplicity of form and function makes individual things easier to secure than multipurpose systems such as desktops and servers, although the greater ‘system’ comprised of a multitude of things interacting dynamically and to an extent unpredictably via various networks simply shifts the complexity and hence security issues, adding yet more risk;
- More advanced things can supplement/enhance or even replace human capabilities e.g. safer roads thanks to autonomous vehicles, smart road signs, smart/adaptive armour etc.;
- Low cost means things may be treated as disposable-and-replaceable rather than updateable, reducing the need for patching and long lifecycle management;
- There are likely to be further innovative security-related applications of IoT technologies.