New Guidelines Spell Out How to Test IoT Security Products

The Anti-Malware Testing Standards Organization (AMTSO) has presented a list of proposed publication standards to test the effectiveness of IoT security solutions.

AMTSO’s guidelines are intended to help organizations assess which tools are most effective and best suited to their environment. The document outlines six key areas:

  • General principles: All testing and benchmarks should focus on validating the end result and performance of the protection provided, rather than on how the product runs on the backend.
  • Sample selection: For IoT security solution benchmarking to be relevant, testers need to select samples that are still active and that actually target the operating systems the smart devices run.
  • Determination of “detection”: Due to the differences between IoT security and traditional cybersecurity solutions, the guidelines suggest using threats with admin consoles that can be controlled by the tester or using devices where the attack will be visible if it occurs.
  • Testing environment: If the tester decides not to use real devices in the test environment, they must validate their approach by running the desired scenario with the security feature of the security device disabled and verifying the execution and success of the attack.
  • Specific security feature tests: The guidelines provide advice on the different phases of the attack, including recon, initial access, and execution, and suggest testing each phase individually rather than tackling the entire attack at once.
  • Comparative performance analysis: The guidelines suggest differentiating between use cases, such as consumers and businesses, and between protocols according to how critical latency or reduced throughput is for each, which depends on the protocol’s purpose.

There is a lot of diversity in IoT devices, which makes it difficult to create a universal approach to security, says Tony Goulding, cybersecurity evangelist at Delinea. Some devices lack compute capacity, and not being able to deploy security agents or clients to devices makes it difficult to enforce a centralized and consistent set of security policies.

“Threat actors recognize this and take advantage of the fact that these devices are particularly vulnerable to malware,” he says. “As a security community, we strive to eliminate or suffocate attack vectors that can provide adversaries with illicit access to our infrastructure, causing a data breach, ransomware attack, or taking critical OT infrastructure offline.”

Industry regulations such as PCI, HIPAA, and SOX focus on security and privacy guidelines in order to protect access to sensitive data and systems in traditional IT environments, says Goulding. Organizations should prioritize IoT products from vendors that have undergone such testing to ensure those risks are mitigated in their product.

“Likewise, it’s important to secure access to IoT devices used in sensitive environments,” he says. “Without a set of equivalent regulations, the AMTSO guidelines are a step in the right direction to help IoT vendors test their products’ ability to detect and prevent attacks.”

Secure IoT critical for organizations

Many cybercriminals target IoT devices as an entry point because they allow lateral movement within corporate networks, says Bud Broomhead, CEO of Viakoo. While security for vulnerable IoT devices is of paramount importance to businesses, the fact remains that IoT devices often lack automated methods to fix vulnerabilities, update firmware and digital certificates, or change built-in passwords.

“Hacked IoT devices are having devastating impacts, such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfake, or disrupting transportation systems,” he claims.

Because devices are so distributed and often of different makes and models, manually managing device security in multiple locations for cameras, kiosks, intercoms and other equipment can be very difficult to accomplish on a large scale.

Goulding says that while the proposed guidelines are a step in the right direction, increasingly strong, widely applied standards are needed. There is some progress, with Europe’s ETSI EN 303 645 and California’s “Security of Connected Devices” law. NIST in the United States has pilot programs for cybersecurity labeling of consumer IoT devices.

“Until then, suppliers and industry sectors will have different priorities,” says Goulding.
