The nonprofit Center for Internet Security’s (CIS) benchmarks and best practices are staples among cybersecurity leaders looking for guidance around appropriate controls, system hardening, and building secure architecture.
CIS recently published its first Internet of Things-focused guidance document, which speaks directly to the vendors, developers, and DevOps professionals building connected smart devices and systems about the security of the protocols available to them.
In this episode of the Nexus podcast, CIS Chief Technology Officer Kathleen Moriarty joins to discuss not only the paper, but the challenges hampering the development of secure IoT devices. Moriarty said the paper is a crucial tool for developers, and can shave off as much as a year’s worth of research into protocol security from the IoT development process.
“A pet peeve of mine continually over probably the last 20 years is when you look at everything that can be security and all of your options, it's always confusing. There's too much research to do across a single space,” she said. “It could take a year to figure out all of your options to be able to make well-informed decisions to the point where it's not practical. So in looking at IoT, it seems like a ripe opportunity to do that research and pull in experts, get their consensus views on it, and then publish that type of material to centralize this piece of work and allow people to have a better starting point for making design decisions.”
The 74-page guidance does a deep dive into the most common application-layer and network-layer protocols, as well as the transport security protocols available. It also provides a set of recommendations for each of these areas, including secure development guidance and insight into access controls, encryption key management, and general hardening practices.
One crucial section also digs into a foundational problem hampering the security of IoT: the distinction between constrained and unconstrained devices, which comes down to whether a device has the resources to support basic security functions such as authentication and encryption.
“As you get more constraints, you have to be aware of the options that you have when you're choosing your stack. How can you provide encryption? And you might not be aware of things like the Ad Hoc Protocol out of the IETF that is meant for highly constrained devices,” Moriarty explained. “You might only be familiar with TLS. The paper is meant to give you insight into these other options so that you're beginning from a starting point of having a full understanding before diving in and making a design decision where you can't backtrack. We felt it was important to have that approach of looking at security cross-sectioned across protocols.”
Adopting security and understanding the safety of the protocols used in IoT device development are key to locking down what has been a wobbly environment dating back to the Mirai botnet. IoT has been notoriously slow to move away from insecure practices such as default or weak, publicly known passwords. And as more smart devices find their way into homes and businesses, they collect data for a multitude of reasons, putting the onus on vendors and developers to adequately secure that data in transit. Vendors, meanwhile, can push back with arguments about increased costs to users, or fear of regulation on the horizon.
“The push from the federal government and CISA in particular is essential. The requirements in RFPs going out are only going to help toward ensuring that vendors do begin to build in security,” Moriarty said. “Thinking about the different market segments, the pressure really has to come from each of us when we consider what products we purchase has security built in and how many resources will I need to manage.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.