Embedded IoT Security: Helping Vendors in the Design Process

Kathleen Moriarty


With the number of IoT devices on track to exceed 30 billion within the next couple of years, CIS has created a resource that will help IoT vendors ease the process of building in security by design and by default.


The number of Internet of Things (IoT) devices is increasing at a pace where owners can't keep up with device updates and secure configurations. Statista reports that the total number of IoT devices is expected to reach 30.9 billion units in 2025. That's more than double the 13.8 billion devices that were connected in 2021.

Simultaneously, there is a lack of skilled expertise when it comes to securing IoT. This is changing, but slowly and partially. Documentation resources for IoT security, such as the move toward labels and other guidance for the enterprise, are increasing. However, when the Center for Internet Security (CIS) surveyed the market resources available, there was no guide aimed at vendors for embedding IoT security.

Given this discrepancy, we decided we wanted to assist vendors with decisions on which protocol stack makes the most sense for their product and what their security options are within that protocol stack. As a result, we created the whitepaper, Internet of Things: Embedded Security Guidance.

In this blog post, I’ll describe the purpose of the whitepaper, go over what it contains, and discuss how you can use it.

IoT Security Built-in and By Default

Embedded IoT security is increasingly important. Attackers target IoT because it's a possible entry point into corporate (and home) networks. While a gateway can help to protect devices, attackers can bypass the gateway in many instances. Additionally, embedding security reduces the need for add-on or bolt-on security products and approaches. At the very least, this makes it more difficult for cyber threat actors (CTAs) to conduct an attack. It's no surprise that the White House's Executive Order 14028, "Executive Order on Improving the Nation’s Cybersecurity," and its follow-on documentation identified security that's built-in by design and by default as an important theme for IoT devices.

To achieve embedded IoT security, vendors need resources that help them understand the necessary security requirements and how they can meet them. Take the design phase of an IoT product, for instance. The team has certain constraints that require consideration and that drive a decision to one of many protocol stacks to support those constraints. Since there are upwards of 10 protocol stacks, vendors would need to perform significant research to find what's most applicable. They would also need to spend time researching the security capabilities that are either intrinsic to the protocol or available as optional extensions.

This is unrealistic. There has to be a better way.

Two Defining Characteristics of Our Whitepaper

Developed and vetted by industry experts, Internet of Things: Embedded Security Guidance aims to provide a resource to IoT vendors to ease the process of building in security by design and by default. It does this with the four different IoT communication and data-sharing patterns in mind.

From Internet of Things: Embedded Security Guidance, page 4

Our whitepaper stands out in two ways:

  • Prescriptive recommendations. It includes recommendations for security options to better scale management and shift it left to the vendor when possible. (CIS members along with small- and medium-sized businesses are particularly interested in scale to reduce resource requirements.) We conducted significant research to develop these recommendations and spare individual developers from having to perform it themselves.
  • Vetted research. It pulls from IoT industry experts engaged with vendors, standards work, and government to better understand the potential set of protocols that can be used. Additionally, it details the security options available within each of those protocol stacks. The research and verification take an effort that many development teams do not have the time for when building a product and meeting timelines. The whitepaper brings forward all of the security options to ease that process for vendors. Being able to compare these options easily may lead them to select a different protocol stack with different security options.

Get the Conversation Going

Our aim is to maintain this as a resource if it is found to be beneficial. As a reader, you can learn about options to enable security management at scale, such as the Manufacturer Usage Description (MUD) documented in RFC 8520, as well as the resources available to implement MUD. You can also use it to advocate for greater levels of IoT security in your organisation and countless others.

A Bright Future for Embedded IoT Security

If you’re an organisation, you can begin the conversation with your vendors on embedded IoT security requirements for your products. You can specifically use this document as an educational tool and potentially provide it as a guide for the vendor. Currently, the burden for IoT security fully rests with you, where it’s your responsibility to add on security to protect products and services using resources such as the CIS Controls v8 Internet of Things Companion Guide. By embedding security and changing the expectations for security to be built in, we may be able to reduce the overall costs for security as well as reduce the distributed management burden.

We want to hear from the community and understand if this whitepaper is helpful. We’re also interested to learn what supplemental resources might aid in improving security to provide meaningful resources that assist in the “shift-left” security movement.

If security is built in, enabled by default, and managed at scale by the vendor, the overall security landscape will improve. While there is always a way in for an attacker, measures to build in security increase the costs to the attacker and may help shift attackers away from the cyber under-resourced.


This article was originally published over on the CIS CTO blog.


About the author

Kathleen Moriarty, technology strategist and board advisor, helping companies lead through disruption. Adjunct Professor at Georgetown SCS, also offering two corporate courses on Security Architecture and Architecture for the SMB Market. Formerly, as Chief Technology Officer of the Center for Internet Security, Kathleen defined and led the technology strategy, integrating emerging technologies. Prior to CIS, Kathleen held a range of positions over 13 years at Dell Technologies, including Security Innovations Principal in the Dell Technologies Office of the CTO and Global Lead Security Architect for the EMC Office of the CTO, working on ecosystems, standards, risk management and strategy. In her early days with RSA/EMC, she led consulting engagements interfacing with hundreds of organisations on security and risk management, gaining valuable insights and managing risk to business needs. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014 to 2018. Named in CyberSecurity Ventures' Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS. Keynote speaker, podcast guest, frequent blogger bridging a translation gap for technical content, conference committee member, and quoted in publications such as CNBC and Wired. Kathleen has over twenty-five years of experience driving positive outcomes across Information Technology Leadership, short- and long-term IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet.
Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as a Bachelor of Science Degree in Mathematics from Siena College. Published Work: Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain, July 2020.
