IoT cybersecurity requirements: Same but different

In my doctoral thesis, “Transparent and tool-driven security assessment for sustainable IoT cybersecurity”, I compare 16 IoT security requirement specifications. The goal was to see if there is consensus on the IoT security requirements or if each specification defines its own requirements. 

The conclusion was that there are common high-level requirement categories:

  1. Security design: design security into the IoT system as security is not an add-on

  2. Interface security: harden the system at the system boundary

  3. Authentication: authenticate users and components

  4. Data protection: protect critical data in transit and at rest

  5. System updates: update to mitigate exposed vulnerabilities

However, despite the high-level categories, the actual requirements vary significantly between specifications. This is bad news for anyone who needs to support requirements from different sources; each source will likely add new requirements. In the study, up to 23% of requirements were unique for a specification, and 74% of requirements were present in 1-5 specifications only.

Unification of IoT security requirements is needed, and introducing new ones should be discouraged. Indeed, the trend seems to be widening the use of existing requirement standards rather than creating new ones. For example, the EU Cyber Resilience Act (CRA) intends to embrace existing standards.

At Test of Things, we tackle the problem of heterogeneous IoT security requirements by analysing the similarities and differences between the requirements and providing mapping so that our customers can cover multiple standards without duplicate work.
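As an added example (not code from the thesis or from Test of Things), the overlap metrics and the cross-standard mapping described above, computed over a constructed set of four fictitious specifications mapped to canonical requirement IDs; the spec names and IDs are assumptions for illustration:

```python
from collections import Counter
from itertools import chain

# Constructed, hypothetical mapping of four fictitious specifications to canonical
# requirement IDs (prefix = one of the five high-level categories). This is an
# illustrative assumption, not data from the thesis or the 16 real specifications.
SPECS = {
    "SpecA": {"DESIGN-01", "IFACE-01", "AUTH-01", "AUTH-02", "DATA-01", "UPDATE-01"},
    "SpecB": {"DESIGN-01", "IFACE-01", "IFACE-02", "AUTH-01", "DATA-01", "DATA-02", "UPDATE-01"},
    "SpecC": {"DESIGN-02", "IFACE-01", "AUTH-01", "DATA-01", "UPDATE-01", "UPDATE-02"},
    "SpecD": {"DESIGN-01", "IFACE-03", "AUTH-01", "AUTH-03", "DATA-03", "UPDATE-01"},
}


def occurrence_counts(specs):
    """How many specifications each canonical requirement appears in."""
    return Counter(chain.from_iterable(specs.values()))


def overlap_stats(specs, narrow_max):
    """Count canonical requirements in total, those unique to one spec, and those
    found in at most `narrow_max` specs (the study's '1-5 specifications' bucket)."""
    counts = occurrence_counts(specs)
    return {
        "total": len(counts),
        "unique": sum(1 for c in counts.values() if c == 1),
        "narrow": sum(1 for c in counts.values() if c <= narrow_max),
    }


def consensus_by_category(specs):
    """Requirements every spec shares, grouped by category prefix; an empty list
    shows a high-level category with no concrete requirement in common."""
    shared = set.intersection(*specs.values())
    categories = sorted({req.split("-")[0] for req in occurrence_counts(specs)})
    return {cat: sorted(r for r in shared if r.startswith(cat + "-")) for cat in categories}


def incremental_requirements(specs, already_covered, new_spec):
    """Extra requirements a product that already meets `already_covered` must add
    to also satisfy `new_spec`: the non-duplicate work the mapping exposes."""
    covered = set().union(*(specs[s] for s in already_covered))
    return sorted(specs[new_spec] - covered)


if __name__ == "__main__":
    print(overlap_stats(SPECS, narrow_max=3))
    print(consensus_by_category(SPECS))
    print(incremental_requirements(SPECS, ["SpecA", "SpecB"], "SpecD"))
```

With the constructed data, 8 of 13 canonical requirements are unique to a single specification, and a product already covering SpecA and SpecB needs only three additional requirements to also satisfy SpecD.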
