Building a Framework for IoT Security Compliance

The IoT Security Foundation is a “vendor-neutral, international initiative aspiring to be the expert resource for sharing knowledge, best practices and advice.” Those resources include the best practice guides, one of which is “IoT Security Compliance Framework.” The first version of the framework covers consumer products and markets, but future iterations will cover several other categories, such as medical, automotive and critical infrastructure.

“The IoT is the next evolutionary wave of the internet and, with dwindling costs of technology and low barriers to entry, new products are flooding the market,” declared John Moor, managing director of the IoT Security Foundation. The internet of things extends to all kinds of new wearables, as well as connected appliances and smart toys.

The toy category has already raised data privacy concerns, but all types of businesses have to think about privacy issues when designing anything that connects to the internet. What is first hailed as “the ‘internet of treats,’” Moor explains, can easily develop into “the ‘internet of threats’ if these new products do not have sufficient security capabilities.”

The question is: what counts as sufficient security? That is the question the framework seeks to answer with a checklist for users. It lists a range of product categories and defines the recommended compliance class for each one, depending on the potential security loss that could result from a compromise of the product.

The compliance classes range from zero for data breaches that would have “little discernible impact” to four for breaches of sensitive data that have “the potential to affect critical infrastructure or cause personal injury.”

Levels of Integrity, Availability and Confidentiality

The framework sets out the compliance class, along with the corresponding levels of integrity, availability and confidentiality required. For example, class 0 requires only basic levels, while class 4 calls for high levels.

In between those extremes you get a mix, such as medium-level integrity and availability combined with a basic confidentiality level for class 1, or medium-level integrity combined with high levels of availability and confidentiality for class 3.

The framework also distinguishes between what is “mandatory” (a requirement considered “vital to secure the product category,” applying to anything in compliance class 2 or above) and what is merely “advisory” (allowing deviation from the requirements if “there are sound product reasons”). However, that is not to be taken as carte blanche for applying one’s own discretion.

The framework stipulates that opting out of an advisory requirement must be documented, along with the justification. Complying with the guidelines set forth in the framework entitles businesses to download and display badges from the organization as a sign of their self-certified status, which they would likely have to update as new iterations of the framework are released.

Pamela Gupta, president of Outsecure and chair of the self-certification working group, explained that the “IoT is very broad and its security is not only context-dependent, it is also evolving on a daily basis. Given the immediate requirement and future objectives of the self-certification scheme, we concluded that we needed to establish a risk-based framework, which could then be built upon and updated to address emerging risks and requirements.”