The first testing guidelines for IoT security devices were announced by the Anti-Malware Testing Standards Organization (AMTSO) on Thursday. The guidelines address the following topics based on feedback from vendors and testers: fundamental testing principles for IoT security products; suggestions for testing environments; testing of particular security functionality; identifying detections; and performance benchmarking for testers.
“Testing IoT security solutions is quite different from anti-malware testing as they need to protect a huge variety of different smart devices in businesses and homes, so the setup of the test environment can be challenging,” said Vlad Iliushin, an AMTSO board member. “Also, as smart devices mostly are primarily run on Linux, testers have to use specific threat samples that these devices are vulnerable to so they can make their evaluations relevant.”
Industry standards like PCI, HIPAA, and SOX are based on security and privacy guidelines, according to Tony Goulding, cybersecurity advocate at Delinea. According to Goulding, it’s critical to safeguard access to IoT devices used in delicate settings.
“With no equivalent set of regulations, the AMTSO guidelines represent a step in the right direction to help IoT vendors test the ability of their products to detect and prevent attacks,” Goulding said. “As a security community, we strive to eliminate or choke vectors of attack that can give adversaries illicit access to our infrastructure, resulting in a data breach, ransomware attack, or taking critical OT infrastructure offline. IoT devices represent additional vectors, increasing our attack surface. Organizations should prioritize IoT products from vendors that have undergone such testing to help ensure such risks are mitigated in their products.”
IoT poses a fast expanding attack surface, stated Bud Broomhead, CEO of Viakoo. Securing vulnerable IoT devices, according to Broomhead, has become crucial for businesses because compromised IoT devices can have catastrophic effects, such as ransomware, data loss, altering the chemical composition of a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.
