Abstract
Academic research has highlighted the failure of many Internet of Things (IoT) product manufacturers to follow accepted practices, while IoT security best practices have recently attracted considerable attention worldwide from industry and governments. Current examples of security advice show evident confusion: guidelines conflate desired outcomes with the security practices meant to achieve those outcomes. We explore a surprising lack of clarity, and a void in the literature, on what "best practice" means generically, independent of identifying specific individual practices or highlighting failures to follow them. We consider categories of security advice and analyze how they apply over the lifecycle of IoT devices. For concreteness in discussion, we use iterative inductive coding to code and systematically analyze a set of 1,013 IoT security best practices, recommendations, and guidelines collated from industrial, government, and academic sources. Among our findings, 68% of all analyzed items fail to meet our definition of an (actionable) practice, and 73% of all actionable advice relates to the software development lifecycle phase, highlighting the critical position of manufacturers and developers. We hope that our work provides a basis for the community to better understand best practices, identify and reach consensus on specific practices, and find ways to motivate relevant stakeholders to follow them.
Security Best Practices: A Critical Analysis Using IoT as a Case Study