More Than 1,000 IoT Security Guidelines: Which One to Use?Study Suggests Actionable Recommendations Would Improve IoT Security
The concern over the security risks posed by connected devices has prompted widespread efforts by standards bodies, governments and industry groups to create guidelines for best practices.
The result has been the creation of far more guidelines and documents than anyone could reasonably ingest. Researchers at Carleton University in Canada have counted 1,014.
But what does a best practice actually mean?
Christopher Bellman, a computer science doctoral student at Carleton, and Paul C. van Oorschot, a professor of computer science, examined the guideline documents. In a research paper, they conclude that terms such as best practices, recommendations, requirements and guidelines were often used interchangeably.
"The wording we use - it is important," Bellman says. "These things have different meanings, and we're using them interchangeably. So there's a lot of confusion and ambiguity in exactly what we mean with regard to what we want done with security. That's the root of a lot of these problems."
Also, the recommendations often focused on outcomes - such as passwords should be stored securely - rather than how to secure passwords, which is actionable.
"If we can be consistent on a strong implementation of some security feature, then we know that across the board, the things that we are recommending are stronger," Bellman says.
There's a reason that guidelines may be written in vague ways: Technology changes, and views over how to securely do some action evolve as threats change. But Bellman argues there is a danger in creating guidelines that are too open for interpretation.
"The problem that I personally see with that is yes, we can leave it open, but if everyone is doing it differently, some people may not be doing it very well; some people might be doing it better," Bellman says. "If we can standardize how we are doing our security across a large group and come to consensus in that group, chances are we are going to have better outcomes in general."
As part of their study, Bellman and van Oorschot looked at the U.K.'s Code of Practice for Consumer IoT Security, which was released by the Department for Digital, Culture, Media and Sport in October 2018. The code of practice has 13 main guidelines that are outcome-focused and intended for manufacturers, retailers and developers.
"The wording we use - it is important. These things have different meanings, and we're using them interchangeably. So there's a lot of confusion and ambiguity in exactly what we mean with regard to what we want done with security. That's the root of a lot of these problems."
—Christopher Bellman, Carleton University
"While some of the 13 are more intuitive about what to implement, a number of them are rather vague, requiring searching for more depth, or unclear about how the problems are solved from a research perspective," according to their research paper.
Bellman and van Oorschot rewrote the guidelines to make them more specific. So rather than "no default passwords," they suggest: "If passwords are used, preconfigure with a per-device unique password rather than a default or no password."
In another example, rather than "keep software updated," the researchers suggest this wording: "Automate and secure the supply and installation of security updates for software/firmware."
Essentially, a best practice needs to be actionable, Bellman and van Oorschot argue. In their study of the guidelines, 91 percent did not have explicit practices to be followed but rather desired outcomes.
"We believe that it is crucially important that the organizations proposing and endorsing these lists have a clear idea of whether they are recommending practices, or specifying what might be called baseline security requirements, or simply offering advice about good principles to think about in the shower," according to the paper.
With the exception of the U.S. states of Oregon and California, there are virtually no laws that mandate that IoT devices meet some security requirement.
Some 70 percent of the guidelines and recommendations analyzed by Bellman and van Oorschot can only be implemented by manufacturers, putting the onus on those developers to get it right from the start. But if security experts don't find IoT security guidelines actionable, "then it is unrealistic to expect that manufacturers will magically find a way to adopt and implement the practices," they write.
There are also cost pressures. Better security usually means higher development costs. The Atlantic Council has recommended security regulations be applied to U.S. retailers that sell secure connected devices, which, in turn, will cause retailers to pressure their own suppliers (see How Amazon and Walmart Could Fix IoT Security).
Bellman says he fears government regulation may be a heavy-handed approach to pushing better security among manufacturers.
"Obviously, it'd be great to get all manufacturers to jump on board," he says. "IoT is one of those things that we'd hoped would self-regulate."