Is there a common standard for evaluating the Security of an IoT device?

When people think of the Internet of Things, most think of various devices with a myriad of different operating systems and functions.

However, it's really not that complex if you look at it as a whole rather than at each individual piece. Depending on your choice of operating system, most have their own security guide, and the applications are in fact not much different from those on our servers and workstations.

Hardening and Security Implementation

You can consider referencing the following guides (but not limited to these) for securing your devices:

OWASP IoT Project

IoT Security Foundation

CIS IoT Guide

Windows 10 IoT Guide

Evaluating IoT Security

As for testing, I would say starting with this as a guide would help:

OWASP IoT Testing Methodology

Evaluating Software Security

As for the security evaluation of the software, in your case computer vision/machine learning, you can additionally adopt security evaluation at the coding and configuration level rather than on an IoT device specifically.

Here are some references with regard to software security:

OWASP Secure Coding Practices

Microsoft Secure Coding Guidelines


IoT Security Frameworks

IoT Security Frameworks generally fall into 5 categories: wearable, home, city, environment, and Enterprise. Enterprise software is usually in the purview of OWASP, which has the OWASP IoT project. Enterprise software often transacts PII and payment-card information, which makes it fall under PCI DSS regulations. While not yet strictly regulated, the DHS -- https://www.dhs.gov/securingtheIoT -- the FTC -- https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things -- and ENISA -- https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures -- have also published guidance and supporting documents around IoT Security.

Home IoT devices and apps typically involve iOS (well, or tvOS), Android, or a similar operating system base. If you're an ISV developing apps for these platforms, check out OWASP again, at the Mobile Security Project and also the ASVS standard under the V17 Mobile Security Verification Requirements. If you actively make home IoT devices including a custom OS or stack, then you will also have to involve the regulatory requirements dictated by your location (your country and/or state where the devices will be developed, purchased, and used) as well as what types of transactions and people that will be using the devices. For example, baby monitors might fall under COPPA, heart monitors under HIPAA and HITECH, food and medicine under the FDA, etc.

For the US military, the DIACAP and DITSCAP standards including NIST RMF govern all computing devices, including IoT, especially wearables.

Environment and city-based IoT is much more akin to ICS/SCADA technologies. NIST has selected a program to include environment, city, and ICS all under the banner of Cyber-Physical Systems (CPS) and produces standards and frameworks here -- https://www.nist.gov/el/cyber-physical-systems. For ICS/SCADA systems, the NIST SP 800-82 Guide to Industrial Control Systems has been the long standard, but certainly coupled best with the NERC/FERC compliance standard on Critical Infrastructure Protection, especially the sections on System Security Management (CIP-007-5), as well as the ties to the International Society of Automation and their all-encompassing ISA/IEC 62443 standard (formerly ISA-99). CIP-007-5 also adheres to other NIST standards on security event monitoring, including NIST SP 800-92 and SP 800-137, but the latest on Continuous Diagnostics and Monitoring comes from the DHS CDM framework. All of these are applicable for the Industrial Internet of Things (IIoT).


IoT Security Platforms

For a platform that can actively scan and produce reports based on IoT/IoE Security frameworks, check out the Pwn Pulse platform from Pwnie Express -- http://m.marketwired.com/press-release/pwnie_express_unveils_industrys_first_internet_of_everything_threat_detection_system-2010032.htm

For other companies working to produce standard interfaces for IoT devices that enable security and reduce cyber-risk, check out (in order of the most prominent to least prominent): Bastille, Securithings, Dojo Labs (acquired by Bullguard), and BitDefender (who makes the IoT and smart-things security enabler, BOX). WindRiver, a long-time leader in embedded-system security, also released a paper detailing IoT Security -- [PDF] https://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf

Additionally, only a few companies are bridging the middleware layers between IoT devices and IoT service-layer apps. Certainly the big players are doing their part, but usually with proprietary interfaces such as Cisco Fog Computing (Microsoft Azure IoT Suite, IBM Watson IoT platform, and others have their own ways of doing things as well). The key players changing the game of IoT are working at the all-important instrumentation layer, as well as providing standards for middleware and apps, especially cloud apps. NCC Group published guidelines for these and other security testers here -- https://www.nccgroup.trust/uk/our-research/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/

AWS has published guidance on IoT Security Best Practices -- https://aws.amazon.com/iot/ -- and also provides that middleware layer through their Thing Shadow project (supporting the MQTT IoT protocol standard) -- https://docs.aws.amazon.com/iot/latest/developerguide/thing-shadow-mqtt.html

Splunk has produced a product called the HTTP Event Collector (HEC) to receive cloud-based (Splunk Cloud, AWS, etc.) machine data from IoT and future IoE technologies -- [PDF] https://conf.splunk.com/files/2016/slides/wrangling-your-iot-data-into-splunk.pdf. In particular, HEC supports token-authenticated events, as a nice-to-have IoT security feature.
