Compliance Does Not Equal Security

February 27, 2018  |  By Chris M. Roberts

A new interagency report released by the U.S. government seeks to develop cybersecurity standards for Internet of Things (IoT) systems. Authors are requesting public comment through April 18, 2018. Ideally, the IoT standards borne from this report ("NIST Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things") will ensure that IoT systems and devices are developed with cybersecurity at the forefront. The report clusters IoT devices into one of five major technology application areas: Vehicle, Consumer, Health, Infrastructure, and Manufacturing. Authors explore the potential reuse of standards and identify current gaps in standards.

IISP Analyst Chris M. Roberts: "The IoT rush to market is one of the primary reasons there is giant hole in security. The International Data Corporation estimates worldwide spending on IoT will reach $772 billion dollars this year. Last time I checked, that’s a lot of money. When the market is that large, companies don’t think much about security because it does nothing but slow down their product release and cost them lost revenue.

This report is an attempt to encourage IoT developers to consider security in multiple ways such as encryption, incident response, hardware assurance, access management, and many other domains that need to be addressed. In all, I believe that the document provides solid guidance for the cybersecurity of IoT devices. However, until consumers demand it or until regulators enforce restrictions, companies will keep producing vulnerable devices.

Cybersecurity of embedded systems is not an simple topic. There are usually a multitude of attack vectors into a system that need to be addressed and many are often overlooked. This report details the areas that IoT developers should be concerned about, but without clear guidance on how to enable these cyber protections, I fear that many companies will just do their best to comply. Remember, compliance does not equal security. Cybersecurity of embedded systems is still in its infancy and many companies simply don’t understand the risk and aren’t equipped to develop or test secure solutions.  This leads to custom security that often looks secure on the outside, but is full of holes on the inside. Guidance needs to be provided on how to handle every input to the processor within the device, from the WiFi data, to the physical ports like USB, and even out to the sensors like accelerometers. Each input to a processor should be guarded and scrutinized at all times to ensure only valid and expected data is being passed."


For further reading
More by the author(s)