A leading industry standards community has published its first guidelines for the testing of IoT security products, in a bid to drive independent benchmarking and certification efforts.
AMTSO board member Vlad Iliushin argued that this is currently an under-served space, meaning users still don’t have good enough visibility into the pros and cons of products on the market.
“The testing of IoT security solutions is quite different from anti-malware testing as they need to protect a huge variety of different smart devices in businesses and homes, so the setup of the test environment can be challenging,” he added.
“Also, as smart devices mostly are primarily run on Linux, testers have to use specific threat samples that these devices are vulnerable to in order to make their evaluations relevant. With our guidelines, we addressed these particularities, hoping that they provide valuable guidance that can set the direction in fair IoT security testing.”
The guidelines cover six key areas:
- General principles, namely that all tests and benchmarks focus on validating end results and performance rather than back-end functionality
- Sample selection, with guidance on the challenges of choosing the right samples for IoT security solution benchmarking
- Determination of “detection”, as IoT security solutions work differently from traditional cybersecurity products when it comes to detections and actions taken
- Test environment, including advice for testers who choose not to execute in a controllable environment using real devices
- Testing of specific security functionality in different attack stages such as reconnaissance, initial access and execution
- Performance benchmarking
Mike Parkin, senior technical engineer at Vulcan Cyber, argued that IoT devices are difficult to patch, meaning they rely on external security tools to help protect the attack surface.
“With AMTSO’s guidelines, organizations can get a better understanding of what tools are most effective and best suited to their environment,” he added.
“This follows various other testing standards for anti-malware, anti-virus and firewalls. How effective the new standard will be in practice remains to be seen, but it is a good starting point.”