White labeling, rebranding and partnerships with OEMs are very common in the IoT business, just as in any other domain. But there are also aspects of IoT security, and of cyber security in general, which do not exist in other domains and are extremely important. This importance is driven by incidents in the past, by current legislation (e.g. GDPR) which will affect future use, and by the growing awareness of technical partners who implement a security engineering process in their process landscape and decline every product that has no proper IoT security implementation in place.
While the first steps of assessing a potential partner are often a pure sales- or business-developer-driven process, I have summarized 5 general questions that even a non-technical colleague can take along to get a first feeling for the potential partner in terms of cybersecurity.
Disclaimer: This is not an ultimate guide to the shortest possible assessment, nor does it show you how to complain best about IoT security. It is simply a collection of questions you should get answered as soon as possible, so that you do not waste time on a product or a company which will bring you and your company into big trouble.
Only Few Right Questions Can Avoid Serious Issues
Some weeks ago I was again at embedded world in Nuremberg. The first thing you see there is that nearly every company has “security” somewhere on its brochures, posters or booth design. I took the chance to chat with a very large number of exhibitors about different topics, one of which was definitely IoT security.
I had very interesting conversations, especially with companies and organizations focused on cybersecurity like wolfSSL, Fraunhofer SIT or Itemis AG, but also very strange ones, where the examples from my previous article - 3 Top IoT “security” Architectures and How to Fix Them - will not be enough.
My strategy to separate the interesting ones from the bad ones? I ask questions which allow me to recognize whether my conversation partner is simply not technical but still worth talking to, or whether he is using empty phrases meant to simulate knowledge. Below I have summarized my favorite questions, which give you a first insight. I have also added some example answers, how to rate them, and possible follow-up questions.
1. Do you Have a Security Concept in Place?
My first and, in my opinion, most important question is always the one regarding a security concept. To be honest, if your conversation partner's answer is “Yes sure! We can share it with you if you want” … you have won the lottery.
A security concept is comparable to the software architecture and the comments in the source code. No one wants to do it, it feels useless, the process of writing it is boring, but it becomes extremely important if somebody else, like an auditor, has to understand the structure, the decisions, and the remaining risks.
Therefore, if you find a company which has a full-blown security concept, including a security relevance assessment, risk analysis, security architecture and a planned or passed pentest for every product, you can assume that they have at least one dedicated expert who does nothing else than deal with product security, which is a good starting point.
Please take care if the answer is “Yes sure! We can do it for you!”. It sounds very similar but means “We do not have anything and implemented the security features only by gut feeling”. In the same way, it means “We do not have a clue what you mean!”, because you simply do not create a concept after a product is ready. This is as if an architect would create the drawings for your home after the home is built, and during the construction the workers had all freedom to do what they wanted.
2. What main assets do you focus on in your IoT security strategy?
An IoT security concept is like any other: you must know what you want to protect before developing any strategy or implementing any security measure.
Some things are obvious, like “All data sent to the backend shall be encrypted”. Others are hidden, e.g.: Are the features implemented within the firmware worth protecting? Do we have a USP? Spending 1 000 000 € on firmware does not automatically mean you have intellectual property that is worth protecting. On the other side, a small feature implemented by an intern in 2 months, equivalent to 5 000 €, can have a big value and be worth even a hardware redesign to include a security module. A third category can damage your business case and turn a great chance into a disaster, e.g. forcing a user to execute security steps which are not worth doing because the data is openly available anyway.
Long story short, a company which takes the IoT security topic seriously must know exactly what its assets are and how it wants to protect them. Even if the salesman cannot answer such a question, the engineer responsible for security should be able to answer it easily, because it is the very first question he has to ask himself and the team before starting to develop a security concept for his product.
3. How do you detect IoT security incidents on your products?
“I have pretty good anti-virus software because it never reports a security incident” is an old IT joke which fits this question perfectly.
Teams which actively participate in specialized communities, discover new ones, attend hacking conferences and maintain contact with similar teams from other companies are very expensive. But such a role is extremely important, because you cannot react to a security incident if you do not know that you have one. If you have only a small number of security-relevant products, you can also outsource this task.
Your partner shall at least have an idea of what he will do if an incident happens, meaning he shall have a process for dealing with the issue. By the way … just running around and blaming all developers is not a good answer here. Exactly as bad, but meant seriously, is the answer “We are using cloud
4. What parts are we responsible for in your IoT security architecture?
Sounds weird at first, doesn't it? But the idea behind this question is quite simple. Every product requires action from all its users. There is no way that you do not need to do anything, especially with regard to IoT security.
The ENISA report states it as follows: “Cybersecurity is a shared responsibility among all involved stakeholders. It is thus essential for these stakeholders to have a thorough understanding of related risks and threats, as well as ways to secure and protect against them.”
Partner: “But there is really nothing you have to consider. The devices authenticate themselves automatically at the backend and send their data.”
Me: “What about the firmware updates?”
Partner: “Even there … nothing. The firmware is signed by us. You only have to select the device you want to be updated and provide the firmware. In case something goes wrong during the update, the device will roll back the update; you just have to restore your settings.”
Me: “Sounds good. What about the settings, for those I have to use the maintenance access, right?”
Partner: “Exactly. Also here the device is pretty well secured. Every device has its own unique device credentials, which you should change at the initial setup because they are printed on the housing.”
Me: “Uhhm, we are talking about 200 k devices per year for which I have to change the credentials and also save the new ones securely somewhere? Sounds like a requirement for additional infrastructure and additional personnel.”
Partner: “ … you are right … ”
Just a constructed scenario, but a very common one. The reason is not that your business partner wants to annoy you. It is much, much simpler … they do not have the user contact and are very deep in the manufacturer's way of thinking.
As you can see, the question also brought you a very large amount of useful information. And to be honest, even if your partner cannot implement a better solution for the discovered issue … you know exactly what you have to deal with and what the risks are. On this basis, you can make a much more sustainable decision.
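As an added illustration (not code from this article or from any vendor it mentions), here is a minimal Go model of what the partner's claims “the firmware is signed by us” and “the device will roll back” should mean technically: the device verifies the vendor signature before an image is ever written to the spare slot, and it falls back to the previous image when the new one fails its post-boot self-test. The Device type, the A/B slot layout and the self-test hook are assumptions; the constructed images are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Device is a hypothetical A/B firmware layout; the vendor public key is fixed at manufacturing.
type Device struct {
	VendorPub ed25519.PublicKey
	Active    int       // slot currently running
	Slots     [2][]byte // firmware images
	Pending   bool      // inactive slot holds a verified but unconfirmed image
}

// SignImage is the vendor-side step: sign the SHA-256 digest of the image.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// Install stages the image in the inactive slot only if the vendor signature
// over its digest verifies; unsigned or tampered images are never written.
func (d *Device) Install(image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(d.VendorPub, digest[:], sig) {
		return fmt.Errorf("firmware signature invalid: not installed")
	}
	d.Slots[1-d.Active], d.Pending = image, true
	return nil
}

// Boot tries a staged image and rolls back to the previous slot if the
// post-boot self-test fails. Returns the index of the slot now running.
func (d *Device) Boot(selfTest func([]byte) bool) int {
	if d.Pending {
		d.Pending = false
		if next := 1 - d.Active; selfTest(d.Slots[next]) {
			d.Active = next
		}
	}
	return d.Active
}

func main() { // stand-alone demo: an image whose signature was made over other bytes is refused
	pub, priv, _ := ed25519.GenerateKey(nil)
	d := &Device{VendorPub: pub, Slots: [2][]byte{[]byte("fw-v1")}}
	fmt.Println(d.Install([]byte("fw-evil"), SignImage(priv, []byte("fw-v2"))))
}
```

What the model leaves to the operator is exactly what the dialogue uncovers: restoring settings after a rollback and managing the per-device credentials are not covered by signing alone.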
5. How do you ensure that the security measures are properly implemented?
There is always a big gap between concept and realization. On the way there are many issues which make the team shift priorities, change functionality, challenge decisions, drop requirements and a lot more. Does that sound familiar to you?
Security requirements are a very popular target for such actions, because they are not visible to the end user. The end user does not really feel the benefit of IoT security; in the worst case he feels the benefit of missing security, like better usability, faster reaction, the fact that the data on the communication channel is readable, etc.
Therefore the main task of a security manager responsible for realization in the project starts after he has finalized his concept. He has to check whether the IoT security functions are really implemented as planned. There are multiple possibilities for that: code reviews, architecture calls, hardware reviews, etc. At the end of the project a penetration test is recommended for nearly every project in the IoT domain.
In a conversation with a potential partner, the chance is not really high that you will get a detailed answer about internal processes, but your partner shall be familiar with the term pen-test or penetration test. Obligatory pen-tests for all products with an RF interface or an internet connection is what you want to hear. Recurring pen-tests for web interfaces and all web products shall be standard. Do not accept a statement like “Sure, we are testing all our products!”; ask explicitly for a pen-test.
Typically such tests are executed by an external company which employs good hackers, also called white hat hackers. The goal of such a test is to get as much information as possible out of the test object, especially information which was rated “to stay confidential” during the security analysis; simply put, to hack the device / solution / product. The pen-test was not done? Insist on it and participate in the presentation of the results, especially if you plan to buy a large quantity of the product. The costs are much lower than for a CE certification.
As in many other disciplines, in the area of IoT security the right questions already give you a very good basis for the decision whether to partner with a company or not. In these cases the security topic is comparable to CE, FCC, EMI, IP and all other certifications. If a product is not designed with security in mind, also called security by design, it is extremely difficult or often impossible to add security functions afterwards without changing too much or reimplementing main parts of the solution. Don't ignore uncertain communication, vague statements, missing documents and missing tests: in most cases it is the one who placed the product on the market who has to bear the responsibility in front of a court. And even if you were able to pass on the responsibility, you would lose the trust of your customers and damage your brand and your company's image.
Relevant Articles about IoT Security
IoT security is a recurring topic in my blog; if you found your way to this article, I will try to ease the way to the previous ones for you.
- Industry Best Practice for IoT Security (PDF) – Learn from industry experts what the key to good IoT security is
- Hacking, top 5 free cyber security training sources – a collection of sources where you can learn cyber security basics or extend your knowledge
- Find potential security holes efficiently - Simple tips for a security analysis! – not sure how to perform a solid security analysis for your product? Check this article for tips.
- 5 Easy Ways To Better IoT Security