IoT Trust Framework: The foundation for future IoT certification programs

The Online Trust Alliance (OTA) released its updated IoT Trust Framework. Serving as a product development and risk assessment guide for developers, purchasers and retailers of Internet of things (IoT) devices, the Framework is the foundation for future IoT certification programs.

IoT Trust Framework

OTA’s goal is to highlight devices and companies that demonstrate a commitment to device lifecycle security and embrace responsible privacy practices. Such notifications and disclosures will aid consumers to make informed IoT device purchasing decisions.

OTA recognizes that while there is no perfect security, companies that apply the Framework principles should be shielded from regulatory oversight and class action suits, and potentially realize lower insurance premiums. The updated Framework reflects input from hundreds of leading security and privacy industry leaders including ADT, Microsoft, SiteLock, Symantec, TRUSTe, Verisign and others. This newest Framework builds on the first version released in March 2016, and incorporates a broad range of public and private efforts to secure IoT devices.

“I have long supported multi-stakeholder processes to address the significant cybersecurity challenges facing our nation,” said Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus. “Recent attacks leveraging IoT devices have only highlighted the need for the work of organizations like OTA. It is essential that companies manage the cybersecurity risk of their IoT devices, applications, and services, and the IoT Framework provides clear principles that developers can use to mitigate risk and protect their customers.”

OTA researchers integrated IoT security and privacy recommendations from U.S. government agencies including the Department of Commerce, Department of Homeland Security (DHS), Federal Communications Commission (FCC) and Federal Trade Commission (FTC). In addition OTA incorporated several key recommendations advocated by organizations including the Broadband Internet Technical Advisory Group (BITAG), Center for Democracy & Technology (CDT), Consumer Federation of America (CFA), Consumer Technology Association (CTA), I am The Cavalry, International Telecommunications Union (ITU), Internet Society and National Association of Realtors (NAR).

IoT Trust Framework categories

The IoT Trust Framework includes 37 principles, segmented into four key categories:

Security (1-9) – Applicable to any device and their applications and backend cloud services. These include embracing a rigorous software development security process, adhering to security principles for data stored and transmitted by the device, supply chain management, penetration testing and vulnerability reporting programs. Further principles outline the requirement for lifecycle security patching.

User access & credentials (10-14) – Requiring encryption of all passwords and usernames, shipping devices with unique passwords, implementing generally accepted password reset processes and integrating mechanisms to help prevent “brute” force login attempts.

Privacy, disclosures & transparency (15-30) – Requirements consistent with generally accepted privacy principles including prominent disclosures on packaging, point of sale and/or posted online. Provide the capability to reset devices to factory settings and be in compliance with applicable regulatory requirements, including but not limited to the EU General Data Protection Regulation (GDPR) and Children’s Online Privacy Protection Act (COPPA). Require disclosures about the impact to product features or functionality if connectivity is disabled.

Notifications & related best practices (31-37) – Key to maintaining device security is having mechanisms and processes to promptly notify a user of threats and action(s) required. Principles include requiring email authentication for security notifications and that messages must be written clearly for users of all ages and reading levels. In addition, tamper proof packaging and accessibility requirements are highlighted.

“The IoT Trust Framework is a good example of the security culture that is needed in the connected devices space,” said Olaf Kolkman, Chief Internet Technology Officer for the Internet Society.“ If companies are in the business of selling smart devices, they need to implement the requirements outlined in this framework before calling them “smart.”

“Symantec has helped protect over a billion IoT devices so far, but unfortunately, the vast majority of new IoT devices lack proper security fundamentals when they come to market,” said Brian Witten, co-chair of the IoT working group and senior director of Symantec Research Labs. “The OTA IoT Trust Framework provides device manufacturers with the appropriate guidelines to build in security and ensure that consumers are protected from day one. We are happy to see the Online Trust Alliance’s commitment to aligning the industry on IoT security requirements.”