New guidelines explain how to test IoT security products

The Anti-Malware Testing Standards Organization (AMTSO) has released a set of proposed standards for testing the effectiveness of IoT security solutions.

The AMTSO guidelines aim to help organizations evaluate which tools are most effective and most appropriate for their environment. The document covers six main areas:

  • General principles: All tests and benchmarks should focus on validating the end result and the performance of the protections offered, rather than how the product works on the back end.
  • Sample selection: To conduct a relevant test of IoT security solutions, testers need to select samples that are still active and that actually target the operating systems the smart devices run on.
  • Determining “detection”: Because IoT security solutions differ from traditional cybersecurity solutions, the guidelines suggest using threats with administrator consoles that the tester can control, or using devices where the attack is visible if it occurs.
  • Test environment: If the tester decides not to use real hardware in the test environment, they must validate their approach by running the required scenario with the security functionality disabled and verifying that the attack was executed and succeeded.
  • Testing specific security functions: The guidelines give advice on the different phases of an attack, including reconnaissance, initial access, and execution, and suggest testing each phase individually rather than running through the entire attack at once.
  • Performance Measurement: The guidelines suggest distinguishing between different use cases such as consumers versus businesses, or how important latency or low throughput is for each protocol, which depends on its purpose.

IoT devices are highly diverse, which makes it difficult to create a one-size-fits-all approach to security, says Tony Goulding, Delinea’s cybersecurity evangelist. Some devices lack computational power, and the inability to deploy security agents or clients on them makes it difficult to enforce a centralized and consistent set of security policies.

“Threats are aware of this and are taking advantage of the fact that these devices are particularly vulnerable to malware,” he says. “As the security community, we strive to eliminate or stifle attack vectors that can give adversaries illegitimate access to our infrastructure, leading to a data breach, ransomware attack, or shutdown of critical operational technology infrastructure.”

Industry regulations such as PCI, HIPAA, and SOX focus on security and privacy guidelines in order to protect access to sensitive data and systems in traditional IT environments, Goulding says. Organizations should prioritize IoT products from vendors that have undergone such testing to help ensure these risks are mitigated in their products.

“Likewise, it is important to protect access to IoT devices used in sensitive environments,” he says. “With no equivalent set of regulations in place, the AMTSO Guidelines represent a step in the right direction to help IoT vendors test their products’ ability to detect and prevent attacks.”

IoT security is important for organizations

Many cybercriminals target IoT devices as their entry point because they allow lateral movement within corporate networks, says Bud Broomhead, CEO of Viakoo. While the security of vulnerable IoT devices is critical to organizations, the fact remains that IoT devices often lack automated methods to patch vulnerabilities, update firmware and digital certificates, or change built-in passwords.

“Hacked IoT devices have devastating effects, such as ransomware, data loss, altering the chemical balance in municipal water supplies, substituting real camera footage with deep faking, or disrupting transportation systems,” he says.

Since devices are widely distributed and often of different makes and models, managing device security manually across multiple locations for cameras, kiosks, intercoms, and other equipment can be very difficult to achieve at scale.

Goulding says that while the proposed guidelines are a step in the right direction, more and stronger standards that are widely enforced are needed. There is some progress, with ETSI EN 303645 in Europe and the California Connected Equipment Security Act. NIST in the United States has pilot programs for cybersecurity labeling of consumer IoT devices.

“Until then, vendors and industry sectors will have different priorities,” Goulding says.
