< Previous standard ^ Up a level ^ Next standard >
ISO/IEC 27400:2022 — Cybersecurity — IoT security and privacy — Guidelines
The standard provides guidance on the principles, [information] risks, and the corresponding information security and privacy controls to mitigate those risks for the Internet of Things.
The standard is specific to IoT, covering both information security and privacy.
Purpose and justification
Insecure things can impact security and privacy in ways that differ from more conventional IT systems (e.g. desktops, laptops and servers). Therefore, appropriate security and privacy controls are needed to mitigate unacceptable risks.
Things can be considered both as discrete electronic devices, and as components in larger, more complex ‘ecosystems’ potentially including:
- The operating systems and applications they run, delivering various services;
- The network infrastructure (personal, local and wide area networks);
- The physical world with which they interact through sensors and actuators;
- The people who specify, acquire, configure, use and manage them;
- The organisations that design and manufacture, use/operate and manage them;
- Society at large since things are ‘everywhere’.
Challenges and information risks in the context of IoT include:
- Huge variety, innovation and ubiquity with things penetrating ever deeper into our businesses, homes, vehicles and lives;
- Vulnerabilities in the systems, applications and networks, plus the associated processes and activities (e.g. simply compiling, let alone maintaining and using, an inventory of things is tricky and costly - as we discovered during the Y2k crisis);
- Threats, both deliberate (e.g. hackers and malware) and natural (e.g. adverse physical operating conditions, power cuts, static discharge, design flaws, bugs/coding errors, user accidents and ineptitude);
- Impacts, potentially including safety hazards and property damage as well as the usual information security and privacy incidents (e.g. data corruption, disclosure, loss);
- Lifecycle implications (e.g. cheap, disposable, unmanaged and/or deeply embedded things may hang around for years and are unlikely to be supported or patched, ever);
- Ordinary users may not have an interest in or understand the security and privacy of their things, while even IT professionals may not have the time, leaving fit-and-forget things largely unmanaged, unmonitored and unmaintained;
- Concerns around interoperability, interaction and dependencies between things, and with other networked devices;
- Individually, most things have limited functionality, accessibility (e.g. minimalist human-machine interfaces) and computing performance (e.g. little processing and storage capacity);
- Mobility, dynamics and complexity verging on chaos and anarchy;
- Applications/use cases and situations may not have been anticipated by their designers/manufacturers (e.g. when things are re-purposed, combined or customised for novel applications);
- Things may change hands over time, affecting the context and raising the possibility of insecure configurations and inappropriate disclosure of stored information (e.g. when casually sold-on, lost or discarded).
IoT designers/manufacturers and users, both individuals and organisations, may be oblivious to the information risks and appropriate/necessary controls, hence the standard (and this website!) has a role in raising awareness and trustworthiness, driving up maturity on both the supply (vendor) and the demand (customer) sides.
Status of the standard
The first edition of ISO/IEC 27400 was published in June 2022.
The standard strikes me as idealistic - a stretch goal for the IoT market as a whole. It may get traction in the area of industrial and safety-critical IoT. As to consumer grade things, it’s hard to predict much progress on security and privacy given the cost constraints and present lack of demand - a classic example of the need for pragmatic standards.
The standard identifies some generic ‘risk sources’ and ‘risk scenarios’ relevant to IoT, essentially a selection of examples for consideration. I have some concerns about the selection and the wording, and the lack of direct linkages between the IoT security controls recommended elsewhere in the standard and the identified risks that they are presumably intended to mitigate. However, discussing relevant [information] risks in an ISO27k standard is, I feel, a positive move in its own right. Most ISO27k standards leap directly to recommending a bunch of information security controls, barely even mentioning the information risks. This standard goes a step beyond the “Just do this:” style, albeit a small step. It’s a start, a prompt for users of the standards to identify, consider and evaluate the information risks in their own contexts.
I just hope the [information] risk-aligned approach spreads to all the ISO27k standards in due course ... although so far I’ve seen no hint of strategic intent expressed by SC 27. Sometimes I wonder if anyone reads this stuff.
< Previous standard ^ Up a level ^ Next standard >