Procurement of secure IoT technology for companies

Not all routers, printers or other smart devices are secure; a large share of IoT technology puts the whole IT environment at risk.

IoT technology such as routers and similar devices puts IT security at risk. © Depositphotos, DragonImages

Caution is warranted when procuring IoT devices, i.e. devices that are integrated into an IT network. In random samples, more than 50 percent of the devices tested showed glaring vulnerabilities that would allow an attack on the entire IT infrastructure. "Companies are bringing an unpredictable black box into their own premises with printers, routers, security cameras or smart lighting solutions. Hackers know the vulnerabilities and can easily gain access to sensitive information. Therefore, when procuring these devices, it is important to ensure that there are security specifications and that these are also checked," says Florian Lukavsky, CEO and founder of IoT Inspector.

These problems are often hidden inside supplier products: on average, each device contains software components from more than ten different manufacturers, so-called OEM producers, so the buyer rarely knows what code is actually running on the device. The security experts at IoT Inspector provide guidance in the form of a checklist.

Checklist for the secure procurement of IoT devices

To achieve adequate basic protection of the IoT infrastructure within the company, the following measures are recommended: 

  • First, a protection needs assessment and threat analysis should be carried out to establish clear guidelines for IoT security.
  • Definition of concrete technical security requirements for procurement. These are recorded in a security specification and must be verifiably implemented by the manufacturer. International standards such as ISA/IEC 62443 or ETSI EN 303 645 provide orientation. In addition, security-focused procurement platforms such as "IT - Buy safely" offer ready-made procurement texts.
  • Verification of the manufacturer's trustworthiness and diligence in hardware and software development. Established maturity models such as OWASP SAMM or BSIMM serve as a reference. The manufacturer must demonstrate that it implements the required maturity level, which depends on the protection requirement of the device, for all development activities.
  • Automated security tests of the device firmware, both at acceptance and at fixed intervals thereafter, to detect new vulnerabilities introduced by firmware updates.
  • Whitebox audits based on the OWASP IoT Testing Guides are recommended.
  • Written assurance from the manufacturer that all defined security requirements have been met.
  • Review of the security documentation created during software development (e.g., security architecture documentation, data flow analyses, results of the vendor's internal security tests).
  • If an IoT device has access to sensitive information or is deployed in particularly sensitive areas, a full security review of the firmware source code should be conducted, together with a physical security review of the device itself, focusing on hidden backdoors in software and hardware.
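The two checklist items that lend themselves to automation are the firmware tests at acceptance and at fixed intervals, and the search for baked-in backdoors. The following script is an added example of what such an acceptance scan looks like; it is not IoT Inspector's tooling or any real product. It assumes the firmware image has already been unpacked into a raw byte blob (for instance with binwalk), builds an inventory of third-party (OEM) component versions from their banners, flags an embedded private key or a fixed password hash in /etc/shadow, and diffs the inventory against the last accepted build so that a new component introduced by an update stands out. The pattern table, the acceptance policy and the two firmware samples are constructed for the example.

```python
"""Firmware acceptance scan: OEM component inventory, backdoor indicators and
a diff against the last accepted build.

Added example, not IoT Inspector's tooling. Assumes the image has already been
unpacked to a raw byte blob (e.g. with binwalk); runs offline on the samples.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Version banners common third-party (OEM) components leave in an image.
# Assumed, realistic patterns; extend the table for your own devices.
COMPONENT_PATTERNS = {
    "busybox": rb"BusyBox v(\d+\.\d+(?:\.\d+)?)",
    "openssl": rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)",
    "dropbear": rb"dropbear_(\d{4}\.\d+)",
    "lighttpd": rb"lighttpd/(\d+\.\d+\.\d+)",
}

# Indicators of a baked-in secret: a private key shared by every unit, or an
# /etc/shadow entry carrying a fixed password hash (a classic IoT backdoor).
INDICATOR_PATTERNS = {
    "embedded_private_key": rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----",
    "shadow_password_hash": rb"(?m)^([a-z_][a-z0-9_-]*):\$[0-9a-z]+\$[^:\n]+:",
}


def inventory(image: bytes) -> Dict[str, str]:
    """Return {component: version} for each known component banner found."""
    found = {}
    for name, pattern in COMPONENT_PATTERNS.items():
        match = re.search(pattern, image)
        if match:
            found[name] = match.group(1).decode()
    return found


def indicators(image: bytes) -> Dict[str, List[str]]:
    """Return {indicator: [matches]}; the shadow pattern reports the user name."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in INDICATOR_PATTERNS.items():
        matches = [(m.group(1) if m.groups() else m.group(0)).decode()
                   for m in re.finditer(pattern, image)]
        if matches:
            hits[name] = matches
    return hits


def diff_inventory(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, dict]:
    """Components added, removed or re-versioned since the last accepted build."""
    return {
        "added": {k: v for k, v in current.items() if k not in baseline},
        "removed": {k: v for k, v in baseline.items() if k not in current},
        "changed": {k: (baseline[k], v) for k, v in current.items()
                    if k in baseline and baseline[k] != v},
    }


def acceptance_report(image: bytes, baseline: Optional[Dict[str, str]] = None) -> dict:
    """Scan one build. Policy (an assumption of this example): any backdoor
    indicator fails acceptance; new or changed OEM components do not fail by
    themselves but are listed for review against the security specification."""
    inv = inventory(image)
    ind = indicators(image)
    report = {"sha256": hashlib.sha256(image).hexdigest(),
              "inventory": inv, "indicators": ind, "accepted": not ind}
    report.update(diff_inventory(baseline or {}, inv))
    return report


def _image(*fragments: bytes) -> bytes:
    """Constructed sample: strings separated by NUL padding, as in a flash dump."""
    return b"\x00" * 16 + (b"\x00" * 64).join(fragments) + b"\x00" * 16


# Constructed baseline build: three OEM components, root login locked.
FIRMWARE_V1 = _image(
    b"BusyBox v1.31.1 (2021-01-01 10:00:00 UTC) multi-call binary.",
    b"OpenSSL 1.1.1k  25 Mar 2021",
    b"lighttpd/1.4.59",
    b"\nroot:*:18000:0:99999:7:::\n",
)

# Constructed update: adds an SSH server, a fixed 'admin' password hash and a
# device-wide private key (dummy bytes, not a real key).
FIRMWARE_V2 = _image(
    b"BusyBox v1.31.1 (2021-01-01 10:00:00 UTC) multi-call binary.",
    b"OpenSSL 1.1.1k  25 Mar 2021",
    b"lighttpd/1.4.59",
    b"SSH-2.0-dropbear_2019.78",
    b"\nadmin:$6$c0nstructed$NOTAREALHASH:18000:0:99999:7:::\n",
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedDummy\n-----END RSA PRIVATE KEY-----",
)

if __name__ == "__main__":
    baseline = acceptance_report(FIRMWARE_V1)
    update = acceptance_report(FIRMWARE_V2, baseline["inventory"])
    for key in ("accepted", "added", "changed", "indicators"):
        print(f"{key}: {update[key]}")
```

Run on the two samples, the baseline build passes with a three-component inventory, while the update is rejected because of the embedded key and the fixed `admin` hash, and the report additionally lists `dropbear` as a component that was not in the accepted build. In practice the inventory is what you check against the security specification (are these components permitted, are these versions free of known vulnerabilities), and the diff is what makes the fixed-interval re-test cheap: only what changed since the last accepted build needs a closer look.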

For interested parties, IoT Inspector offers a whitepaper for download.
