IoT Security Principles

The BSA—also known as the Software Alliance, formerly the Business Software Alliance (which explains the acronym)—is an industry lobbying group. They just published “Policy Principles for Building a Secure and Trustworthy Internet of Things.”

They call for:

Distinguishing between consumer and industrial IoT.
Offering incentives for integrating security.
Harmonizing national and international policies.
Establishing regularly updated baseline security requirements

As with pretty much everything else, you can assume that if an industry lobbying group is in favor of it, then it doesn’t go far enough.

And if you need more security and privacy principles for the IoT, here’s a list of over twenty.

Tags: cybersecurity, Internet of Things, security engineering

Posted on July 7, 2020 at 6:38 AM • 13 Comments

Comments

Winter • July 7, 2020 7:00 AM

“if an industry lobbying group is in favor of it, then it doesn’t go far enough.”

With the track record of the BSA, I would say that anything they favor is positively detrimental to users and consumers.

PS: The BSA is also a bully of small businesses:
https://www.networkworld.com/article/2251718/business-software-alliance-dirty-tricks-update.html

0805 • July 7, 2020 8:37 AM

Why should industry applications need a different level of security to consumers?

Mr. H • July 7, 2020 9:27 AM

I don’t know. Personally, I’ve almost always had terrible experiences with anything containing “BS” except of course, Bruce Schneier being an exception to the rule. In most cases anyway. We do love you Bruce – as our host and as an individual with high standards, be it integrity, ethical living, or simply having a good heart. Thank you Bruce for your contributions to the mankind.

Clive Robinson • July 7, 2020 9:47 AM

@ Bruce,

As with pretty much everything else, you can assume that if an industry lobbying group is in favor of it, then it doesn’t go far enough.

That “doesn’t go far enough” can be read in oh so many ways.

Like others my experience of the BSA leads me to think that what they promote maked BSA the most money.

In short they see IoT Security as a way for them to gain power / influance / money and littler or nothing else.

As the old advice has it,

If you chose to sup with the Devil, then take a very long spoon

With the BSA your spoon would be longer than a bus…

TimH • July 7, 2020 10:08 AM

I won’t buy a product that has either of these:
1. Insists on using external storage via internet
2. Won’t work if not continuously connected to the internet

The first one requires an account and ongoing service payment. The second is vulnerability to down-featuring on the fly, or simple bricking when the external service is cut.

MikeA • July 7, 2020 10:39 AM

@0805

The difference I have observed between Industrial and consumer devices (I worked almost exclusively with the former), is that consumers are fine with crap in a can, if it is attractively styled and “affordable” (at some point in the life-cycle), while industrial users buy “capital equipment”, and will not put up “you’re holding it wrong”, but expect fitness for purpose and a positive R.O.I. (and that gift card won’t cut it as a “price reduction”).

Consumers won’t pay for reliable and secure, at least partly because they have heard it before, and it has always been a lie.

Industrial users want to make sure stuff actually works, and don’t want to overpay, but do their homework.

Note this is my personal experience, and is in regard to embedded systems, where the “product” is a combination of hardware and software, and the buyer doesn’t care why you failed to deliver to spec, just that you will make it right.

purely software “Business Software” is (again, in my experience) just as dire as consumer software, but more expensive and subject to litigation at every turn.
(and being selected by managers to be foisted on employees and customers, it is not subject to the buyer caring if it works)

Phaete • July 7, 2020 10:49 AM

Just another regurgitation of known principles.
It looks like they wanted to have something to show to their members about where all that money is spent for.

We all know the principles of how to drive ultra safe and gas consumption efficient, but how many of us do that, how many percent of the time?
Just being tardy while waking up is already a valid excuse not to drive according to those principles. (i’m already late….)

Without any sticks (with or without carrots) you will just have a plethora of devices adhering to what the lead developer, marketing director or profit margin will dictate. This will be fluffed up to the max extend or above it.

And it seems that we make out choice with our wallet, we want cheap shit, preferably the one with the price just above the cheapest so we can still feel entitled. On company dime it is just the other way around, just below the most expensive guarantees us best value.

In short, we need sticks because since a few decades or so we can’t be trusted anymore to collectively vote for the best for us.

TimH • July 7, 2020 10:56 AM

Petnet feeder is a good example why not to buy a connected product.

https://arstechnica.com/information-technology/2020/07/petnet-charges-new-30-annual-fee-for-a-service-that-still-doesnt-work/

vas pup • July 7, 2020 3:39 PM

@Bruce:
“the Software Alliance, formerly the Business Software Alliance”

Does Hardware Alliance exist? Then it could be addressed hardware security principle of IoT device:

Providing user total transparency and control by hardware functions of IoT device functionality and preventing unauthorized by user access to IoT device features by provider, manufacturer, hacker, LEAs you name it.

I guess when you buy any electronic device for your own bleeping money, you should be in charge of it and be responsible of its usage within law, not be the subject of manipulation by anybody stated above.

David Alexander • July 8, 2020 3:40 AM

The independent Internet of Things Security Foundation (IoTSF) published freely available standards and guidance on this subject several years ago, https://www.iotsecurityfoundation.org/best-practice-guidelines/

They distinguish between industry and consumer devices because the architecture and connectivity is often very different in nature. It is not subject to any industry ‘bias’ or pressure and I commend it for review and consideration as high quality material.

at the time of publication I was a member of several of their working groups and helped to develop some of that guidance.

Clive Robinson • July 8, 2020 5:38 AM

@ David Alexander,

at the time of publication I was a member of several of their working groups and helped to develop some of that guidance.

It’s nice to see honest disclosure in these things, especially with Security and it’s standards.

Mr. Peed Off • July 8, 2020 10:52 AM

@ David Alexander,

Thank you for the links.

SpaceLifeForm • July 8, 2020 9:04 PM

@ David Alexander

First Rule of Marxism:

Do not join any club that would have you as a member.

IoT Security Principles

Comments

Leave a comment Cancel reply