research-article

Security Best Practices: A Critical Analysis Using IoT as a Case Study

Published: 13 March 2023

Abstract

Academic research has highlighted the failure of many Internet of Things (IoT) product manufacturers to follow accepted practices, while IoT security best practices have recently attracted considerable attention worldwide from industry and governments. Given current examples of security advice, confusion is evident from guidelines that conflate desired outcomes with security practices to achieve those outcomes. We explore a surprising lack of clarity, and void in the literature, on what (generically) best practice means, independent of identifying specific individual practices or highlighting failure to follow best practices. We consider categories of security advice, and analyze how they apply over the lifecycle of IoT devices. For concreteness in discussion, we use iterative inductive coding to code and systematically analyze a set of 1,013 IoT security best practices, recommendations, and guidelines collated from industrial, government, and academic sources. Among our findings, of all analyzed items, 68% fail to meet our definition of an (actionable) practice, and 73% of all actionable advice relates to the software development lifecycle phase, highlighting the critical position of manufacturers and developers. We hope that our work provides a basis for the community to better understand best practices, identify and reach consensus on specific practices, and find ways to motivate relevant stakeholders to follow them.



Published in

ACM Transactions on Privacy and Security, Volume 26, Issue 2
May 2023
335 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3572849


Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 13 March 2023
• Online AM: 15 September 2022
• Accepted: 2 September 2022
• Revised: 21 July 2022
• Received: 22 September 2021
