Security Experts: IoT Guidelines Come Up Short
Singapore Provides Guidance, But Some Want to See More Specifics
Singapore's Infocomm Media Development Authority last week issued a new consultation paper with an aim to instill greater confidence in the use of IoT systems, which have been mired with concerns around cybersecurity (see: Japan's IoT Security Strategy: Break Into Devices).
"This guide lists baseline recommendations and provides checklists, assisting users to secure IoT systems against unintentional and malicious threats for the acquisition, operation and maintenance of the systems," says Janil Puthucheary, senior minister of state for communications and information.
But some security experts say the report comes up short, with recommendations that are too generic.
"IMDA wants to help users bridge the security gap by using a traditional security approach and techniques," says Aloysius Cheang, board director and executive vice president for Asia Pacific at the Centre for Strategic Cyberspace + Security Science, a U.K. think tank. "While doing this helps to fast track users to understand and address IoT security issues by adopting the framework proposed, the problem is these security guidelines are not purpose built for IoT."
What IMDA Recommends
The guidelines are intended to help organizations systematically assess the security of their IoT systems. IMDA's recommendations include:
Secure by default: During the implementation phase, IMDA recommends that products and solutions employ only current industry-accepted cryptographic techniques and applicable best practices. The authority also recommends that organizations check for authenticity and ensure devices are protected from disclosure and modifications by unauthorized parties. It also recommends that organizations use strong passwords.
Rigor in defense: IMDA recommends segregation of IoT and enterprise networks. Network segmentation should be employed so that IoT devices belonging to different networks can be properly segregated from one another and also from other corporate enterprise systems and networks, the authority says. Firewalls and malware mitigation solutions should be implemented to protect each network whenever possible, it recommends.
IMDA also recommends that during the design stage of an IoT project, organizations should conduct threat modeling based on the intended use of IoT devices in their operating environment.
The authority says organizations should also establish a "hardware root-of-trust" - a tamper-protected hardware module that stores and protects the keys of the devices to provide a firm foundation for other security mechanisms to build upon, hence achieving higher assurance of security.
Accountability: During the implementation phase, the authority says, organizations should focus on enforcing proper access controls.
"Access to system resources shall be controlled and managed throughout its life cycles, minimizing opportunities for malicious actors," it says. Although IoT users and IoT providers may be dependent on developers to provide timely patches for new vulnerabilities, IMDA recommends that a proper framework or workflow be established for device management.
Resiliency: IMDA emphasizes that organizations must prepare to protect the IoT ecosystem against attacks, even during the implementation stage. "Firewalls and anti-malware software should be employed to prevent, detect, identify, stop and remove malicious software, especially known ones. The system should have audit log capability that records all attempts at accessing or altering system resources," the IMDA paper states.
IMDA also recommends that organizations make regular backups of system data as well as undergo disaster recovery exercises.
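The segmentation recommendation above and the audit-log recommendation go together: once IoT and enterprise networks sit on separate prefixes, a log of cross-zone connection attempts can be checked against the intended allow list. The script below is an added example, not part of the IMDA paper or this article; the zone prefixes, the allowed zone pairs and the log format are all constructed for illustration.

```python
import ipaddress

# Constructed zone plan: each IoT segment and the enterprise LAN get their own
# prefix, so any traffic between them has to cross a firewall and be logged.
ZONES = {
    "iot-cameras": ipaddress.ip_network("10.10.0.0/24"),
    "iot-hvac": ipaddress.ip_network("10.20.0.0/24"),
    "enterprise": ipaddress.ip_network("10.100.0.0/16"),
}

# Assumed policy: IoT zones may only reach an enterprise collector on 443, and
# enterprise admins may reach IoT devices on 22. Every other cross-zone flow is
# outside the segmentation design.
ALLOWED = {
    ("iot-cameras", "enterprise"): {443},
    ("iot-hvac", "enterprise"): {443},
    ("enterprise", "iot-cameras"): {22},
    ("enterprise", "iot-hvac"): {22},
}

# Constructed firewall log: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
SAMPLE_LOG = """\
2019-01-10T08:00:01Z 10.10.0.15:50111 -> 10.100.4.2:443 tcp allow
2019-01-10T08:00:05Z 10.10.0.15:50112 -> 10.100.4.9:445 tcp allow
2019-01-10T08:00:07Z 10.20.0.3:40000 -> 10.10.0.15:80 tcp deny
2019-01-10T08:00:09Z 10.100.7.1:52000 -> 10.20.0.3:22 tcp allow
2019-01-10T08:00:11Z 10.10.0.15:50113 -> 10.10.0.20:554 tcp allow
"""


def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if it fits no prefix."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unknown")


def parse_flow(line):
    """Split one constructed log line into its fields."""
    ts, src, _, dst, proto, action = line.split()
    sip, _ = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": sip, "dst": dip, "dport": int(dport),
            "proto": proto, "action": action}


def check_flow(flow):
    """Return a finding for a cross-zone flow outside policy, else None.
    An allowed flow outside policy is a GAP (the firewall let it through);
    a denied one is an ATTEMPT worth keeping in the audit trail."""
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if sz == dz or flow["dport"] in ALLOWED.get((sz, dz), set()):
        return None
    kind = "GAP" if flow["action"] == "allow" else "ATTEMPT"
    return f"{kind} {flow['ts']} {sz}->{dz} {flow['src']}->{flow['dst']}:{flow['dport']}"


def audit(lines):
    """Run every non-empty log line through check_flow and collect findings."""
    return [f for f in (check_flow(parse_flow(l)) for l in lines if l.strip()) if f]
```

Run over the sample log, `audit` reports the SMB connection from a camera into the enterprise LAN as a GAP and the denied HVAC-to-camera probe as an ATTEMPT, while the intra-zone RTSP flow and the permitted collector and SSH flows are silent.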
Cheang describes why he believes the paper offers recommendations that are far too general.
The paper "never really addresses mass rollout or implementation of a myriad of IoT devices," he says. "It does not answer questions like: How does one manage registration of a new device, its access rights within the virtual environment of an organization or deregistration of a device? I hope they come out with a good definition of the kind of functions that a good IoT device management platform should have."
IoT security issues can vary widely from one business sector to another, says Vinod Kumar, CEO at Subex, a telecom analytics solution provider.
"While some sort of standardization is helpful, one cannot ignore that different industries will have different security standards and issues," he says. "We can't have the same security recommendation for a consumer-facing IoT product and IoT products linked to critical infrastructure. Different checklists with different emphasis on the usage scenarios would be a great addition."
Security by Design
The government should work with original equipment manufacturers as well as original design manufacturers to help ensure they take a "security by design" approach to developing IoT devices, Cheang says.
"The fact is that 90 percent of equipment manufacturers and design manufacturers are from China and Taiwan," he says. "We all keep complaining of China installing secret backdoors in their equipment. Under such circumstances, won't it be better if a model can be worked out where users, ODMs and national security agencies can work together to better protect our sensitive data online?"
To improve its guidance, IMDA should work closely with IoT researchers to get a better understanding of top security concerns, Kumar recommends.
"IoT is a different ball game altogether," he says. "Yes, the basic security practices will hold good, but you need much more than that. If we indeed want future IoT products to be safer, we need to move beyond basic level security practices."