What an IoT assurance scheme could look like

Tony Gee, www.pentestpartners.com
2020-06-30 10:55:34

We’ve seen our fair share of vulnerable smart devices over recent years; our blog is littered with examples. We have already commented on the DCMS Secure by Design initiative. It’s a great initiative as it stands, but we do want to see it evolve and become more rigorous over time. This should not be a one-time regulation.

What is important at this stage is that we get something that both offers a workable accreditation scheme and puts some trust back in IoT. However, we worry that an existing IoT assurance scheme will be used.

We have worked with many clients and helped them follow existing security frameworks. Some frameworks are so weak that they offer no real value for well-established manufacturers. Others are far too complex, so the bar of entry is simply too high for start-ups.

This got us thinking: if we could build an assurance scheme from the ground up, what would our ideal scheme look like? It would need to cover the Secure by Design initiative, but also allow more established manufacturers to differentiate themselves from their competition and really show how seriously they take security. That would let them reassure retailers that they are making sound purchasing decisions, and give end users confidence that the device they purchase offers strong security.

What we think is needed is a multi-level assurance scheme mapped to the ETSI standard TS 103 645 (soon to be a European standard, EN 303 645), with a low entry point, where even the very lowest level incorporates Cyber Essentials. Cyber Essentials is a simple and effective cyber assurance scheme that provides a basic level of accreditation of the organisation and its cyber practices. This is a really important step. There is no point having a robust accredited device if the company has ancient server infrastructure, no anti-virus, or terrible admin passwords. All that personal and private data could be exposed through a weakness not even covered by the Code of Practice.

Tiered accreditation

So with Cyber Essentials at the heart we think four levels are needed:

Level 1

This is the base entry level. It needs to be cheap and simple to attain by self-certification, with no complex questioning. The DCMS is planning to legislate around three core items in the ETSI standard:

  • No universal default passwords
  • Implement a means to manage reports of vulnerabilities
  • Keep software updated

Therefore level 1 really needs to evaluate against those 3 requirements in a simple way. This entry level of assurance would give manufacturers who just want to start their security journey a simple way to accredit against the 3 requirements.

We see this as very much the start of the journey to better accreditation, the bottom rung of the ladder if you like. It’s basic and attainable, but it gets manufacturers thinking about security. Even today, many do not have security at the forefront of their mind when designing products. However, many want to do the right thing, but perhaps don’t have the funds for a full-scale assessment.

Level 2

Of course level 1 is fairly simple, but it needs to be in order to get IoT manufacturers thinking about security. The next level up needs to be a bit more rigorous, this time accrediting against all 13 requirements of the ETSI standard. We think this needs some form of validation of the manufacturer’s responses. For example, one requirement is to “communicate securely”; there are many ways to do that, and we think a simple conversation can establish whether the manufacturer is actually doing so.

We anticipate that at some point DCMS will look to legislate around all 13 requirements, so this level of accreditation puts many manufacturers in a strong position for when that happens.

Level 3

With levels 1 and 2 the device itself wouldn’t actually get manually reviewed. We think it’s important that manufacturers can get a low-level accreditation without the cost of a manual review. However, level 3 is where the real value to retail purchasers and manufacturers comes in. At this level we think a manual review of the responses to questions around the 13 requirements is needed. For example, checking that the default password is not universal across multiple devices.

Furthermore, many accreditation schemes don’t consider any form of threat modelling. With IoT, threat modelling is critical to establishing the risk the device presents while in use. For example, “Ensure software integrity” is less of a threat for a device that sits inside a house and uses Bluetooth Low Energy to communicate than for a CCTV camera installed outside a house that uses wireless.

Usually the most devastating flaws an IoT device can have are within its API; those types of flaws usually lead to compromise of multiple devices and the loss of personal and private data. We think a simple API review is needed, looking for ‘low hanging fruit’ such as Insecure Direct Object References. The mobile app should be reviewed as well, to look for things like exposed API keys.

We think that all good retailers should be demanding this kind of accreditation level and above in order to stock devices.

Level 4

It’s clear that once you reach level 3 the device has had some review, but how can manufacturers make their product stand out in a crowded marketplace? This is where there needs to be a top tier of accreditation with more robust controls applied.

This would include things like a more detailed review of the API and mobile app, of the authentication methods, of the hardware choices, firmware reverse engineering and code review, and a review of the development lifecycle and build processes, along with comprehensive threat modelling that takes into account things like supply chain attacks.

We think manufacturers at this level should be accredited to at least Cyber Essentials Plus. This enhanced checking will ensure real, effective validation of the organisation as well as the device.

Risk should be at the centre of this. Risk assessments will allow differences between devices to be shown, letting manufacturers say “our device is more secure than our direct competition”. We think a simple scoring system derived from the risk assessment can work here.

A matter of public record

These levels will help provide strong assurance of devices. However, most current IoT assessments do not publicly list the results of the assessment. We think this needs to change, at least in summary. The public and retailers should be able to easily search a website to find the test results for the device they want to purchase. The public report should be really simple to understand. It should be unique to the particular device and clearly show who did the assurance and when.

Firmware on devices changes constantly and each update could introduce new vulnerabilities, so we think it is only right that the certification is performed at least annually, with the certification expiring if not renewed. Each certification should be unique, and any certification branding should include the unique reference for the certification.

Conclusion

We think what we have described above offers a ‘best of both worlds’, catering for many different types of manufacturer in a clear and transparent way.

We anticipate there will be a requirement for constant review of the assurance scheme to better meet legislation and market demand. For example, once all 13 requirements are legislated, the level 1 we have described above won’t be needed.

We don’t know what the initiative holds, but we do hope that whatever is chosen allows for tiered levels of assurance: strong accreditation at the highest levels, while still making manufacturers think about security at the lowest levels, with existing government certifications at its core.