Expanding CISA’s Security Guidance Beyond OT/ICS: A Holistic Approach to IoT Security
IoT & OT

Explore how CISA’s OT/ICS security practices can be adapted for IoT, enhancing safety & resilience across IoT systems with a holistic approach to security.

Larry Pesce

VP of Services

January 16, 2025

In our previous post, we explored CISA's product security bad practice guidance and its critical importance for operational technology (OT) and industrial control systems (ICS). While these recommendations were primarily focused on critical infrastructure, their principles are equally vital for the broader Internet of Things (IoT) ecosystem. In this blog, we’re going to apply those same security practices across the entire IoT landscape, creating a more comprehensive and robust security framework.

Adapting CISA’s Core Principles for IoT

Product Properties in the IoT Context

The IoT ecosystem presents unique challenges when implementing CISA's product property recommendations. Memory-unsafe languages, particularly prevalent in IoT firmware, require special attention. Finite State's approach extends beyond simple identification of unsafe code, implementing automated analysis tools that can detect potential memory safety issues across diverse IoT architectures and platforms.

Product Properties

1. Development in Memory Unsafe Languages

In the broader IoT ecosystem, memory safety vulnerabilities can cascade through interconnected systems. A memory vulnerability in device firmware might compromise data exchanged with cloud portals and mobile applications, making the adoption of memory-safe languages crucial for the entire connected infrastructure.

2. Inclusion of User-Provided Input in SQL Query Strings

SQL injection risks are particularly relevant for cloud-based management portals and backend databases managing IoT devices. Proper input sanitization and parameterized queries are essential, as a single vulnerability could affect thousands of connected devices.
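To make the parameterized-query point concrete, here is an added example (not code from the original post or from Finite State) using a constructed in-memory table of managed devices. The concatenated query matches every row when handed a crafted device ID; the parameterized query binds the same string as data and matches nothing.

```python
import sqlite3

def make_db():
    # Constructed sample backend table of managed IoT devices.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id TEXT PRIMARY KEY, owner TEXT, fw TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", [
        ("cam-0001", "alice", "2.1.0"),
        ("cam-0002", "bob", "2.0.3"),
        ("gw-0100", "carol", "1.4.7"),
    ])
    return conn

def lookup_device_unsafe(conn, device_id):
    # Bad practice: user-provided input is pasted into the SQL string, so
    # quotes and operators inside device_id are interpreted as SQL.
    sql = f"SELECT id, owner FROM devices WHERE id = '{device_id}'"
    return conn.execute(sql).fetchall()

def lookup_device_safe(conn, device_id):
    # Parameterized query: the driver binds device_id as a value, so the
    # query structure cannot be altered by its contents.
    sql = "SELECT id, owner FROM devices WHERE id = ?"
    return conn.execute(sql, (device_id,)).fetchall()
```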

3. Presence of Default Passwords

Default password management becomes more complex in cloud-connected IoT systems. While forcing password changes during initial setup is straightforward, managing credentials across distributed systems requires careful consideration of user experience and security.

4. Presence of Known Exploited Vulnerabilities

Managing known vulnerabilities across an IoT ecosystem requires comprehensive scanning and patching strategies. This includes regular vulnerability assessments of cloud services, mobile applications, and backend systems.

5. Presence of Open Source Software with Known Exploitable Vulnerabilities

Open-source vulnerabilities within backend systems can facilitate lateral movement across the network. Maintaining an SBOM and verifying the integrity of open-source components becomes crucial when managing a complex IoT ecosystem.

Security Features

1. Lack of Multifactor Authentication

MFA becomes critical for cloud-based portals and mobile apps managing IoT fleets. While individual devices might have limited MFA capabilities, the management interfaces controlling these devices must implement robust authentication mechanisms.

2. Lack of Capability to Gather Evidence of Intrusions

Cloud-based systems must provide comprehensive logging facilities that allow events to be correlated across the different parts of the ecosystem. This is essential for detecting and responding to security incidents that affect multiple connected devices. Collecting logs from the end devices themselves is typically harder.
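As an added illustration of cross-component correlation (example code, not from the original post or from Finite State), the following reads constructed portal and device-firmware log lines that share a device identifier and flags device-side changes that no portal command explains within a short window. The log format and field names are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample logs: the portal records operator commands, the device
# firmware records what it actually applied. Both carry the device id.
PORTAL_LOG = """\
2025-01-16T10:00:02Z portal user=alice device=cam-0001 action=command_issued cmd=reboot
2025-01-16T10:05:10Z portal user=bob device=cam-0002 action=command_issued cmd=set_config
"""
DEVICE_LOG = """\
2025-01-16T10:00:05Z device=cam-0001 event=reboot
2025-01-16T10:05:12Z device=cam-0002 event=config_applied
2025-01-16T10:20:40Z device=gw-0100 event=config_applied
"""

def parse(text):
    # Each line: ISO timestamp followed by key=value fields; bare words are skipped.
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        kv["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(kv)
    return events

def unexplained_device_events(portal_text, device_text, window=timedelta(minutes=2)):
    """Return device events not preceded, within `window`, by a portal command
    for the same device: changes the management plane never issued."""
    commands = parse(portal_text)
    flagged = []
    for ev in parse(device_text):
        explained = any(
            c["device"] == ev["device"]
            and timedelta(0) <= ev["ts"] - c["ts"] <= window
            for c in commands
        )
        if not explained:
            flagged.append((ev["device"], ev["event"], ev["ts"].isoformat()))
    return flagged
```

A device that applies configuration with no matching portal command is the kind of event that is invisible when only one side of the ecosystem is logged.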

Organizational Processes and Policies

1. Failing to Publish Timely CVEs with CWEs

In the broader IoT landscape, timely CVE publication enables the entire software supply chain—cloud platforms, mobile app developers, and system integrators—to understand and manage risk effectively.

2. Failing to Publish a Vulnerability Disclosure Policy

A comprehensive vulnerability disclosure policy must extend to all components of the IoT ecosystem, ensuring that security researchers can report issues in any part of the system, from device firmware to cloud infrastructure.

Larry Pesce is VP of Services at Finite State, where he leads product security research and vulnerability assessments across IoT, OT, and healthcare devices. With over 20 years of experience, he’s also a longtime SANS instructor and co-host of Paul’s Security Weekly, known for advancing vulnerability management practices industry-wide.
