BSI drafts Internet of Things security recommendations

At last, influential policymakers are slowly becoming aware of the damages unsecured IoT devices can cause. Recent attacks on high profile targets, exploiting cameras and routers, have attracted a lot of attention. Some of the issues will not likely be solved until manufacturers improve the security of their systems. However, many attack vectors could be eliminated easily with appropriate precautionary measures. Currently, the Federal Office for Information Security (BSI) is drafting a new module to address IoT device security. Although it does not refer to specific manufacturers or technologies, the proposal includes concepts for securing IoT devices so that they cannot be manipulated or accessed without authorization to compromise data and IT security within an organization or to target other organizations.

The new IoT module is currently in the community draft stage and is available for user review and commentary from the BSI website as part of its baseline protection advice. Later on, it will be amended to include community feedback. Each module in the baseline protection scheme consists of two parts, the module itself and the implementation notes. The module contains a description of possible risks to IoT devices and requirements for secure operation. The implementation notes describe in more detail what actions can be taken to enforce the required security measures. For example, module SYS.4.4.A5 requires the restriction of network access through restrictive routing configuration for IoT devices and sensors, appropriate signatures with intrusion prevention systems (IPS) and virtual private networks (VPNs) connecting IoT devices, sensor networks and management networks.

In the implementation notes the authors also discuss examples of practical applications. Their recommendations include replacing open ports with non-standard ports if the ports cannot be closed or blocked. Furthermore, they recommend using VLANs and applying sufficiently strong cryptographic methods with VPNs. Measures are categorized into basic measures, standard measures and measures for increased security needs. This makes it easy to separate basic measures from measures requiring more time and money.

There is nothing new in most of the suggestions mentioned in the list. Documenting, hardening, limiting access and similar measures are standard measures every administrator should already be familiar with and which should have become second nature to them. However, on incidents investigated by forensic analysts show that employees are often particularly callous with basic security measures. Many employees in charge of IoT device management are also not IT administrators. For these employees, a short summary (the implementation notes are just over ten pages) of the key aspects is valuable and makes their work easier. Today, even the most advanced security measures can be implemented mostly without technical limitations. In cases where an IoT device does not have enough computing power for a specific security measure, such as running a VPN client there is usually a feasible workaround. NCP’s IoT Gateway pools data streams from local IoT devices and encrypts data before sending it on to its destination. However, before considering advanced measures and applications, it is certainly worth reviewing the system documentation and checking when it was last updated.