IoT Security Tips from the Online Trust Alliance
Advice for those new to the world of the Internet of Things is not hard to find. But rare is the advice that comes with the credibility of The Enterprise IoT Security Checklist from the Online Trust Alliance (OTA). After all, the Reston, Va.-based nonprofit is part of the Internet Society, which is home to the Internet Engineering Task Force. Those groups defined the foundations of modern networking, and are now trying to make the IoT reliable and secure as well.
Jeff Wilbur, director of the OTA, helped develop a set of recently published principles for the IoT similar to the ones the OTA has for enterprise networking and websites. “This focuses on the consumer products that are used in businesses,” says Wilbur. “We find there’s lots of stuff thrown out into the market with no proper security practices.”
First, Wilbur points to The Enterprise IoT Security Checklist, a free PDF handout listing 10 essential best practices, like updating passwords, treating your IoT network like a guest Wi-Fi network with no access to your production systems, and enabling encryption whenever possible.
“We hope integrators will use this with customers,” Wilbur says. “Awareness of these checkpoints will help guide product selection and integration efforts.”
The checklist includes items every integrator already tells clients, but attaching the OTA logo to them may help the customers take these details more seriously. Number 9 has a statement we don’t see often enough: Do not use products that cannot be updated.
Other items are common-sense tips that often get overlooked, says Wilbur, like not connecting the smart TV in your conference room to the internet unless you need to.
“Many devices meant for consumers tend to phone home a lot,” he notes. “That’s because the vendors assume the highest level of convenience possible for the end user. As a result, they wind up collecting a lot of data you don’t really want collected.”
OTA’s checklist is a boiled-down version of its longer “IoT Security & Privacy Trust Framework v2.5”, which includes 40 strategic principles on topics ranging from user access and credentials to data privacy, notifications, and more.
“The framework was created by a core group of 100 stakeholders,” says Wilbur. “All those suggestions, created during face-to-face workshops, were whittled down to 40.” Public comment was invited as well.
IoT security concerns are going global, according to Wilbur. “The UK has 13 principles for manufacturers, covering the same areas as our 40,” he says. “These are all voluntary right now, but we’re starting to see recommendations like these around the world.” UL has efforts underway, Consumer Reports launched a venture last year called The Digital Standard, and there are nearly a dozen more.
OTA views its recommendations as an alternative to potentially onerous legislative fixes for IoT security challenges. “We’re not looking for regulations that strangle the market,” says Wilbur. For example, one bill (Internet of Things Cybersecurity Improvements Act of 2017, sponsored by Sen. Mark Warner of Virginia) would force manufacturers selling products in the U.S. to omit default passwords and make their software upgradable. OTA prefers approaches that turn safe computing into a selling point rather than a legal obligation.
“Over time, we want to see more manufacturers make noise about the security and privacy features of their solutions,” Wilbur says. “We’re talking to some about publicly committing to this framework.”
In the meantime, and until the manufacturers make all products safe, reliable, and privacy aware—anyone holding their breath for that day?—integrators can lean on OTA’s checklist and framework as a starting point for secure IoT computing.
James Gaskin is a former reseller and network consultant, and ChannelPro-SMB Magazine contributing editor. He lives in the Dallas area.