Cloud Security Alliance Provides Enhanced IoT Security Guidance

As enterprises, and their home workers, deploy IoT devices, the risks these devices pose to enterprise data and systems increases. First released in 2019, the IoT Security Controls Framework established 155 essential security controls that the CSA believed would mitigate many of IoT’s risk. The new version of the CSA IoT Security Controls Framework provides clarity on guidance and security enhancements

A warning went out during the last week of January, highlighting newfound vulnerabilities in US-based home security company’s ADT Blue. The underlying vulnerabilities found within home security gear (CVE-2020-8101) were initially identified in the video doorbell camera by Bitdefender researchers. The vulnerabilities within the cameras enabled attackers to gain the administrator password by knowing the device’s MAC address. From there, attackers could gain root access.

That’s just one recent example of the danger of IoT devices. And consumers are increasingly attaching these devices to their home networks — networks that are also increasingly used by staff to access enterprise applications, data, and other resources remotely. That makes IoT security essential to enterprise security.

With IoT devices’ security in mind, the Cloud Security Alliance recently released an updated version of its IoT Security Controls Framework, along with their announced Internet of Things Security Controls Framework Version 2 and their accompanying Guide to the Internet of Things Security Controls Framework.

There are several important updates to the framework, including a new domain structure and the inclusion of IoT infrastructure. When used in conjunction with the Guide to the Internet of Things Security Controls Framework, the CSA hopes it will be easier for organizations to evaluate and implement IoT security controls.

First released in 2019, the IoT Security Controls Framework established 155 essential security controls that the CSA believed would mitigate many of IoT’s risks. Of course, in addition to the consumer devices, we are all familiar with — home thermostats, speakers, doorbells, security systems, lighting, and more IoT. These include all of the industrial connected systems used in supply chain management, manufacturing, building control, and more. “Today, it [the need for security controls] continues to be used by system architects, developers, and security engineers in evaluating their implementations’ security as they progress through the development lifecycle to ensure they meet industry-specified best practices,” the CSA said in a statement.

According to the CSA, the framework can be applied to those devices and systems that process data deemed not very valuable or strategic to IoT systems with higher classifications and criticality. Like other frameworks, the CSA IoT framework helps enterprises to classify their IoT systems better and evaluate the potential impact these systems could have. Once identified and quantified, security teams can then put the appropriate security controls in place.

According to the CSA, the most significant updates include:

  • Updated security controls: All controls have been reviewed and updated for technical clarity.
  • New domain structure: Control domains have been reviewed and updated to better
  • categorize each control.
  • New legal domain: Introduces relevant legal controls.
  • New security testing domain: Introduces security testing of architectural allocations.
  • Simplified infrastructure allocations: Device types have been consolidated to a single category to simplify the distribution of controls to architectural components.

Aaron Guzman, product security lead, Cisco Meraki, and IoT Working Group co-chair and lead author, said enterprises deploying IoT in more significant numbers and need to take the appropriate security measures. “Enterprises are finding themselves in a position where they must not only adopt new IoT technologies but plan for accessible, secure, and resilient deployments. Not an easy task given how quickly these technologies and new threats are evolving. The Framework provides a starting point for organizations looking to better understand and implement security controls within their IoT architecture,” Guzman said.

“As the IoT market continues to grow, so, too, is an overall reliance on IoT-generated features and data,” added Brian Russell, IoT Working Group co-chair. “With this framework and guide, it was our intention to provide enterprises with direction on how to create a safe IoT environment with security that both addresses the unique risks involved with IoT and employs appropriate implementation mitigation measures,” Russell said.

The CSA IoT Working Group is charged with developing frameworks, processes, and known methods to secure IoT connected systems, and the working group analyzes IoT related data privacy, fog computing, and smart cities.

According to the CSA, the next version will include an IoT Framework Shared Responsibility Matrix, safety specific controls, IoT indicators of compromise, an IoT Framework to European Union Agency for Network and Information Security (ENISA), and more.