This week IASME launches another innovative scheme, this time to certify objects rather than businesses. The IoT Security Assured scheme looks at the security of consumer internet-connected devices, many of which currently have very poor or no security measures in place. We spoke to the brains behind the scheme, Jamie Randall, who told us about the very specific security challenges that the Internet of Things (IoT) presents, and how new laws expected in the UK soon will change the security of everyday IoT objects for the better.
Can you tell us about the process that brought you to this point of launching a new scheme?
We spotted a gap in the market around internet-connected devices, and at the time the ETSI European Standard on Cyber Security for consumer IoT was still being developed. We wanted to take some of the things that we learned from the IASME Governance scheme and apply them to a new sector. IoT is a really interesting one, because in some ways IoT security is in the place that office security was in 5-10 years ago. IoT devices have much less computing power, less RAM and storage and so on, and this is actually a real problem for security, because with such limited capabilities you can't run antivirus programs, and the encryption options are also fairly restricted. The principles of security are still the same, but they have to be seen through a slightly different lens; everything that runs on an IoT device has to be very optimized.
We thought this would be a good opportunity to apply some of the lessons we have learnt from IASME governance and Cyber Essentials in a new area, so we followed the development of ETSI and drafted a new certification that aligned with it. ETSI is an excellent piece of technical work that has been compiled by security experts over several years. We’ve ended up with an assessment that maps to the ETSI standard as well as the IoT Security Foundation Security Compliance Framework, but goes about asking the questions in a really simple and practical manner.
The IoT Security Assured scheme has launched this week. What is next for you?
This week we launch the verified self-assessment: it is a set of 50 or so simple questions that are answered by an applicant (the manufacturer of an IoT device), signed off by a board member, and then marked by an assessor. During the pilot of this scheme, we picked up that there is a need for a higher level of assurance, in addition to a verified self-assessment. We are developing an audited, hands-on version of the certification. We are trying to do it along the same lines as IASME Governance Gold (the audited version of our security standard, IASME Governance) and using the same classic audit techniques: interview, documentation and observation. So in the audited version of the IoT Security Assured scheme, the manufacturer would be interviewed on some of the relevant points, the documentation would be looked at, and the device would be assessed 'hands-on' in the same way it would be used by the customer. The important thing is that it is not a technical penetration test, so the costs are significantly lower, but you do get significant assurance because you check all the key aspects.
What are the implications of an IoT device security breach?
A minor example of a security breach would be: a single device is compromised and impacts someone's privacy. A lot of people have things like connected security cameras in their home, so they might be monitoring their children's rooms, or the safety of an elderly relative. Some of these devices have really poor security, and a lot use a peer-to-peer network which sends all the data unencrypted; this makes them very easy to hack. In practice, someone on the internet might come across your device and be able to watch what is happening in your room. There have been instances where people have taken over the microphones and said things to disturb residents.
A major example of an IoT security breach would be: a large number of devices of a certain category are compromised and used to launch large-scale network attacks. A well-known example is the Mirai botnet, where hundreds of thousands of connected devices were compromised by malware. This enables the collective power of these devices to be harnessed by a single user in order to attack others and cause harm. The collection of (ro)bots or internet-connected devices which have been taken control of remotely is known as a botnet. Botnets can be used to steal data, send spam or launch a ransomware attack or a Distributed Denial of Service attack, which can bring down web services and websites.
IoT devices are often the target for botnet attacks as they are easier to compromise than most PCs.
A disaster scale example of an IoT security breach would be: if devices within power grids and water supplies were compromised. There are a lot of experts addressing critical infrastructure security, so a breach is unlikely, but theoretically the impact would be massive.
How does the consumer know which products and services to look for? Who is creating secure products?
One of the things we are doing with the scheme is creating badges that can go onto a product. So once the product is certified, the little badge will show basic, silver or gold depending on the level a product is certified to. A consumer can look for the badge to see if the product has got a certification, which means it is more likely to be secure.
A great deal of education is needed around IoT security, how to keep your home and workplace safe, and what to look for when purchasing an IoT device. We are creating sections of our website that explain how to configure your IoT device securely. The most important message is to check to see if your product has a default password. It is vital that you change the password to something unique and secure. At this time, before the proposed UK legislation has become law, it is especially important to check your IoT security. People don't expect these products to be insecure and do not understand the potential threats that they bring. They might buy a device from a trusted online store and not realise that many of the products listed are very insecure, cheaply made devices that probably won't meet basic security standards.
The UK legislation, which has been delayed due to the pandemic, is expected to come into law in the next year or so. It is believed that the new laws addressing consumer IoT security will stipulate that consumer IoT products must not have default passwords, there must be a disclosure policy, and there must be a defined support period. What's not clear yet is how a manufacturer would prove to the government's satisfaction that they meet those requirements.
What are the implications for organisations with connected devices throughout their supply chain?
There’s a lot of focus at the moment on consumer IoT devices but actually, there is a large proportion of IoT devices that are being deployed in businesses. People might be using their consumer camera at work, but more significantly, there are many connected devices that are being put into commercial buildings, things like connected power sockets and building sensors. I think there is a need for people at the top of those supply chains to check that the things they are using are of a good quality and secure. The IoT Security Assured scheme gives them a way to do this.
What are the implications of privacy infringement with connected devices?
It's not always a malicious person trying to steal data; it's also technology companies pushing the boundaries of what's acceptable. Many internet services and also some of these devices are subsidised by the data they can collect on the user and sell to advertisers. Products with inbuilt microphones and cameras like connected televisions gather all sorts of interesting data. The cheaper devices sometimes don't ask for consent, but the brand manufacturer ones generally do ask for consent, although it is often hidden away in the terms and conditions. If you have bought a device and want to get on with using it, but don't tick 'I agree' during the set-up, the product won't work. Do you really have a choice? It is not really informed consent. This is an area which will be significant as part of the ETSI standard and will be our silver level in the IoT Security Assured scheme. The requirement at this level mandates that the device can let you delete all of the data on it. These are the rights that you'd expect with the EU privacy and security laws stipulated in the General Data Protection Regulation (GDPR) legislation.
Can you tell us a bit about the journey that led you to working in IoT security?
As a kid, I was very much into technology, always fixing everything, and I still am. When I went to university, I wanted a change, so I studied politics and international relations, which I really enjoyed, but gradually throughout my career I've been pulled back towards technology. I used to work in the anti-piracy arena for the film industry, starting off with analysis and computer forensics and then looking at piracy groups online. When I was working at Sky, they were looking for someone to lead the cyber security section of the organisation, so I moved across to do that. Much of that work was around education and awareness, and I created security campaigns aimed at the staff. After that, I moved back out to Worcestershire and started my own consulting company, 'The Friendly Nerd'. While delivering some Cyber Essentials training, I met Emma Philpott (IASME CEO).
When I initially joined IASME as CTO, it was a fairly small company, and I was able to look after all the technical areas which included getting all the systems in place and developing the schemes. In the last year, the company has grown so much and I’ve stepped back from the day to day operational side of things and now work on strategy and innovation. It has allowed me to develop new projects and ideas and see them through to realisation.
What is your message to the manufacturers of Consumer IoT devices?
Come and talk to us about getting certified because we have a large number of skilled assessors and certification bodies who can give advice and guidance about how to make a product more secure.
What is your message to the consumer?
Learn more about the products that you are buying, read the new legislation and see what requirements the Government is asking manufacturers to comply with. Start to look out for our badge on products.
Ask the manufacturer that you are buying from these questions: Does the product have a default password? How long will it be supported for? How do they patch vulnerabilities? In the future, these security controls will be automatic, but at the moment, if the person you are buying from doesn't know the answer to those questions, it's probably a sign that the product is not very secure.