By IOT Journal
The Online Trust Alliance (OTA) released its updated IoT Trust Framework at the 2017 Consumer Electronics Show (CES). Serving as a product development and risk assessment guide for developers, purchasers and retailers of Internet of Things (IoT) devices, the Framework is the foundation for future IoT certification programs. OTA’s goal is to highlight devices and companies that demonstrate a commitment to device lifecycle security and embrace responsible privacy practices. Such notifications and disclosures will help consumers make informed IoT device purchasing decisions.
Echoing written testimony he recently provided to the U.S. House of Representatives Energy and Commerce Committee, OTA Executive Director and President Craig Spiezle said: “Recent IoT attacks like those which compromised hundreds of thousands of connected devices to take websites like Amazon, Twitter and Netflix offline were just a ‘shot across the bow.’ The next incident could create significant safety issues. While most IoT devices are safe and secure, many still lack security safeguards and privacy controls, placing users and the Internet at large at risk.”
OTA recognizes that while there is no perfect security, companies that apply the Framework principles should be shielded from regulatory oversight and class action suits, and potentially realize lower insurance premiums. The updated Framework reflects input from hundreds of security and privacy industry leaders, including ADT, Microsoft, SiteLock, Symantec, TRUSTe, Verisign and others. This newest Framework builds on the first version released in March 2016, and incorporates a broad range of public and private efforts to secure IoT devices.
“I have long supported multi-stakeholder processes to address the significant cybersecurity challenges facing our nation,” said Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus. “Recent attacks leveraging IoT devices have only highlighted the need for the work of organizations like OTA. It is essential that companies manage the cybersecurity risk of their IoT devices, applications, and services, and the IoT Framework provides clear principles that developers can use to mitigate risk and protect their customers.”
OTA researchers integrated IoT security and privacy recommendations from U.S. government agencies including the Department of Commerce, Department of Homeland Security (DHS), Federal Communications Commission (FCC) and Federal Trade Commission (FTC). In addition, OTA incorporated several key recommendations advocated by organizations including the Broadband Internet Technical Advisory Group (BITAG), Center for Democracy & Technology (CDT), Consumer Federation of America (CFA), Consumer Technology Association (CTA), I Am The Cavalry, International Telecommunication Union (ITU), Internet Society and National Association of Realtors® (NAR).
The IoT Trust Framework includes 37 principles, segmented into four key categories:
• Security (1-9)—Applicable to any device, its applications and its backend cloud services. These include embracing a rigorous software development security process, adhering to security principles for data stored and transmitted by the device, supply chain management, penetration testing and vulnerability reporting programs. Further principles outline the requirement for lifecycle security patching.
• User Access & Credentials (10-14)—Requiring encryption of all passwords and usernames, shipping devices with unique passwords, implementing generally accepted password reset processes and integrating mechanisms to help prevent brute-force login attempts.
• Privacy, Disclosures & Transparency (15-30)—Requirements consistent with generally accepted privacy principles, including prominent disclosures on packaging, at point of sale and/or posted online. Principles include providing the capability to reset devices to factory settings and complying with applicable regulatory requirements, including but not limited to the EU General Data Protection Regulation (GDPR) and the Children’s Online Privacy Protection Act (COPPA). They also require disclosures about the impact on product features or functionality if connectivity is disabled.
• Notifications & Related Best Practices (31-37)—Key to maintaining device security is having mechanisms and processes to promptly notify a user of threats and the action(s) required. Principles include requiring email authentication for security notifications and that messages be written clearly for users of all ages and reading levels. In addition, tamper-proof packaging and accessibility requirements are highlighted.
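The User Access & Credentials category above names two concrete controls: shipping each device with its own unique password rather than a shared factory default, and throttling brute-force login attempts. The following is an added example of how a device vendor's provisioning and login path could implement both; it is not code from OTA or the Framework, and the class name, the PBKDF2 iteration count, and the lockout thresholds are assumptions chosen for illustration.

```python
"""Per-device unique credentials plus brute-force lockout (illustrative).

Replaces the weak pattern the Framework warns against, in which every unit
ships with the same default login (e.g. "admin"/"admin") and the login
handler accepts unlimited guesses.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for the device CPU


class DeviceAuth:
    """Hypothetical credential store for a fleet of devices."""

    def __init__(self, max_failures=5, lockout_seconds=300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._creds = {}         # serial -> (salt, derived key)
        self._failures = {}      # serial -> consecutive failed attempts
        self._locked_until = {}  # serial -> epoch time the lockout ends

    @staticmethod
    def _derive(password, salt):
        # Passwords are never stored in clear; only a salted, slow hash is kept.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ITERATIONS)

    def provision(self, serial):
        """Generate a unique random password for one unit at manufacture.

        Returns the password so it can be printed on the unit's label;
        only the salted hash is retained server-side.
        """
        password = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._creds[serial] = (salt, self._derive(password, salt))
        self._failures[serial] = 0
        self._locked_until[serial] = 0.0
        return password

    def verify(self, serial, password, now=None):
        """Check a login attempt; returns 'ok', 'bad_password', 'locked'
        or 'unknown_device'. `now` is injectable for testing."""
        if now is None:
            now = time.time()
        if serial not in self._creds:
            return "unknown_device"
        if now < self._locked_until[serial]:
            # Even a correct password is refused while the lockout is active,
            # so a guessing loop gains nothing from continuing.
            return "locked"
        salt, stored = self._creds[serial]
        if hmac.compare_digest(stored, self._derive(password, salt)):
            self._failures[serial] = 0
            return "ok"
        self._failures[serial] += 1
        if self._failures[serial] >= self.max_failures:
            self._locked_until[serial] = now + self.lockout_seconds
            self._failures[serial] = 0
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    auth = DeviceAuth(max_failures=3, lockout_seconds=60)
    label_pw = auth.provision("SN-0001")  # constructed serial number
    print("unit SN-0001 label password:", label_pw)
    for guess in ("admin", "password", "123456"):
        print(guess, "->", auth.verify("SN-0001", guess, now=1.0))
    print("correct password during lockout ->",
          auth.verify("SN-0001", label_pw, now=2.0))
    print("correct password after lockout ->",
          auth.verify("SN-0001", label_pw, now=100.0))
```

Two design points are worth noting: provisioning a distinct random password per serial means a credential recovered from one unit does not unlock any other, and the lockout state is keyed to the device identity rather than to the client address, so the throttle holds regardless of where the attempts originate.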