Do you need security standards that can be used to evaluate or design IoT Endpoints?
Answers are coming!
There is an often repeated story arc that security, risk, audit and industry standards proceed through in their early development. This occurs in an organic manner responding to market forces. Once demand for guidance reaches a critical mass, someone takes the first step and puts stakes in the ground. This puts forward a “best effort” to fill the guidance vacuum (perceived or real), and relieves the pressure to “get it right” that inhibits parties from rapid action. There is reputational risk and heavy lifting taken on by early movers, but once a credible attempt is made it unlocks barriers to participation and progress. In effect this enables a transition to broad discussion and successive refinement. Operating system hardening, PCI/PHI protection and cloud security all followed a similar story arc in their early days.
Here in late 2017 this trigger point has been reached for IoT Endpoint security.
In July of 2017, Underwriters Laboratories (UL) began publishing the UL 2900 series, “Software Cybersecurity for Network-Connectable Products”, which has since been extended with supplements for biomedical, industrial control and life safety systems. This is resulting in a number of collaborative efforts, including partnerships with ANSI, other standards bodies and industry.
This is not to say that any of these groups were waiting for someone to act. Many organizations have been working on IoT Endpoint security standards for quite some time, but once someone publishes, these efforts change. This shift results in across-the-board increases in efficiency and an acceleration in progress for all parties.
If you need to design or evaluate IoT Endpoint or Gateway security, the key takeaways are:
- Credible (and testable) IoT Endpoint security standards are available now.
- 2018 will see a number of complementary standards published across industry and geopolitical boundaries.
- Organizations should expect suppliers to be aware of these standards, and able to discuss compliance (or gaps).
As always, please share comments, insights and additional information below.
Here are some resources:
- UL 2900 Standards Process and UL Cybersecurity Assurance Program
- FDA Recognizes UL 2900-1
- BD Establishes Product Security Partnership Program to Enhance Cybersecurity of Medical Technology