
IoT and Security Standards and Best Practices

Chapter Description

In this sample chapter from Orchestrating and Automating Security for the Internet of Things: Delivering Advanced Security Capabilities from Edge to Cloud for IoT, the author team raises awareness of what should be considered when planning to secure an IoT system and highlights some of the more robust standards and best practices used today that can help.

The Challenge with Standardization

So what does this mean in terms of choosing the right IoT standards to focus on? First, we need to understand who is involved in standardization or guidance efforts:

  • Alliances: An alliance is an agreement between two or more parties to pool resources to make a more powerful impact. It usually is not a legal partnership entity, agency, or corporate affiliation.

  • Consortia: A consortium agreement is a private agreement between two or more parties that outlines rights and obligations among themselves. The objective is to pool resources to achieve a common goal. However, the members are responsible only to the group in regard to the obligations in the consortium contract. Each member remains independent in normal business operations, with no say over other members’ work that is not related to the consortium.

  • Standards bodies: Known as standards organizations, standards bodies, standards-developing organizations (SDO), or standards-setting organizations (SSO), their primary activities are developing, coordinating, revising, and producing technical standards to address the needs of a group. Standards bodies can be international, regional, or national.

  • Regulatory bodies: These bodies set mandatory or legal requirements, often drawing from standards to leverage existing best practices developed by expert committees using a consensus-based and transparent process.

If we attempted to research and outline every standard and set of guidelines that applies to IoT, we would need to write volumes, as you will see from the compiled list of 109 different bodies later in this chapter (see Figure 4-2)—and this is not an exhaustive list. Furthermore, some of the groups have multiple standards or guidelines that apply to IoT. One example is the IEEE, which outlines 80 of its own IEEE standards as applicable to IoT (see http://standards.ieee.org/innovate/iot/stds.html) and has an additional 45 standards in development for this space. Working through this minefield, we also need to understand that standards are often driven by consortia and alliances, which naturally push for their own interests. Beyond that, standards are usually merely a best fit, not the best technical solution. So why do we bother?

The answer is simple: Without standards, we will not see the potential returns and benefits promised by IoT. At a bare minimum, we need communication standards for interoperability. Without interoperability, different devices and systems from different vendors will not work with one another, and this will return us to the silos of yesterday. Yet we must go beyond just connectivity to realize the benefits.

As the industry evolves, we have an increasing need for a standard model and process, not just to allow devices to communicate, but also to perform common IoT back-end tasks such as security, automation, analytics, and business insight. As end users continue to drive this need, we will see different IoT solutions interoperating with common back-end services, guaranteeing levels of interoperability, portability, serviceability, and manageability that are impossible to achieve with current IoT solutions. A 2015 Gartner study argues that this next-generation IoT system will be delivered as a service (aaS), aligning with our approach for the SDN- and NFV-focused platform we discuss in detail in Chapter 8, “The Advanced IoT Platform and MANO.” This means that the scope of standards we need to address is not limited to the traditional IoT ones, but should be expanded to include SDN and NFV. We also need standardized ways to deliver the necessary IoT capabilities as a service and we need security-specific standards that might not have been developed with IoT in mind.

As we look to architect, design, and build our IoT systems, we need to carefully consider what standards are out there today and which standards are developing. We need to choose wisely. We currently have a broad collection of standards, alliances, consortia, and also regulatory bodies to help, and we outline these in the next section. From a security perspective, standards will help our cause. We need standards to minimize the attack surface, gain better visibility of security incidents, and provide consistent and usable tools to defend, detect, remediate, and report security incidents.

The following are some practical considerations:

  • Do not create something that already exists. The U.S. Department of Homeland Security recommends building on recognized architectural and security practices as part of a strategy to secure IoT. Many tested practices used in traditional IT and network security can be applied to IoT. These approaches can help identify vulnerabilities, detect irregularities, respond to potential incidents, and recover from damage or disruption to IoT devices and systems.

  • Start with basic, consistent architecture and cybersecurity standards and best practices, and apply them to not only the IoT system, but also the entire IoT ecosystem that might form part of a solution.

  • Leverage sector- or market-specific best practices and guidelines, where available, to address unique architectural and security approaches or regulation.

  • Try to assess industry indicators for which standard will win out in the long term. Backing the wrong standard could result in a system that eventually becomes noninteroperable or obsolete, and this has time and money implications. Look at the standards bodies that the large vendors and industry players are backing. Of course, this could be a challenge if multiple industry-leading IoT companies, such as Cisco, Intel, IBM, GE, and Microsoft, appear to be hedging their bets and working across multiple consortia.
