< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27403 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics [DRAFT]

Abstract

“This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.”

[Source: FDIS]

Introduction

Setting the standard for information security and privacy of IoT things intended for home use is quite a challenge given the variety of things, homes and living arrangements, security and privacy issues and controls. Rapid innovation and change in this area further complicates matters.

Scope of the standard

“Domotics” was originally known as home automation a.k.a. “smart homes”, where domicile or home is described as “The private, hence highly customizable area where someone lives,  alone or with guests or cohabitants” that “includes dedicated infrastructure aimed to support those individuals, such as healthcare and wellness systems, building control systems, smart metering and systems for entertainment or gaming.”

This cybersecurity standard is aimed squarely at the designers, manufacturers and security/privacy assessors of IoT domotics, rather than the “users” (consumers/retail customers).

It will cover the information security and privacy aspects of device-device interactions (e.g. hubs and subsystems) as well as human-device plus device-sensors/actuators that physically interact with the home, and networking both within the home and beyond (e.g. via Internet gateways).

Content of the standard

The main sections are:

5. Overview of the stakeholders (IoT device manufacturers, service providers, regulatory authorities and users), the lifecycles for IoT domotics developers, service providers and users, an architectural reference model, and an introduction to the ‘security’ (meaning cybersecurity) and privacy aspects.
6. Risk assessment guidelines covering cybersecurity and privacy risks (referring to eight other standards!).
7. ’Security’ and privacy controls.

Annex A: Use cases - six examples of the principles in action.

Annex B: ‘Security’ and privacy concerns of various stakeholders with differing perspectives.

Annex C: Stakeholders’ security and privacy responsibilities.

Annex D: ‘Security measures’ (cybersecurity and privacy controls) for various IoT domotics devices.

Status

 The standard is at Final Draft International Standard stage and may conceivably be published towards the end of 2024.

Personal notes

Whereas “IoT” is a common abbreviation, “domotics” is a neologism derived from domus (Latin for house) and robotics.

Rather than simply recommending a bunch of controls, the standard will describe typical information [security and privacy] risks relating to domotics, and recommend information security controls to mitigate them, making this a risk-based ISO27k standard. Sounds good in theory, although strictly speaking several of the ‘risks’ described in the draft are in fact weak or missing controls, not risks.

Information risks provide the rationale, context or basis for the controls. Helping readers identify and consider the information risks should give them a better appreciation of what the information security controls are meant to achieve - the control objectives. The risks and the controls in the standard are examples to stimulate readers into considering the risks and control objectives in their particular contexts.

Challenges (risks) in the home environment include:

1. Limited information security awareness and competence by most people. IoT things are generally just black-boxes.
2. Ad hoc assemblages of networked IT systems - including things worn/carried about the person (residents and visitors) and work things, not just things physically installed about the home (e.g. smart heating controls, door locks and cat feeders).
3. Things are not [always] designed for adequate security or privacy since other requirements (such as low price and ease of use) generally take precedence. Finite processing and storage capacities, plus limited user interfaces, hamper or constrain their security capabilities.
4. Lack of processes for managing security and privacy systematically at home. If anything, activities tend to be ad hoc/informal and reactive rather than proactive.
5. Informality: the home is a relatively unstructured, unmanaged environment compared to the typical corporate situation. Few domotics users even consider designing a complete system, although certain aspects or subsystems may be intentionally designed or at least assembled for particular purposes (e.g. entertainment).
6. Dynamics and diversity: people, devices and services plus the associated challenges and risks, are varied and changeable. The home is a fairly fluid environment.
7. Limited ability to control who may be present in/near the home and hence may be interacting with IoT devices e.g. adult residents plus children, owners, visitors, installers, maintenance people, neighbours, intruders ... Physically securing things against accidental or malicious interaction is difficult.
8. Limited ability to manage and control IoT device and service supply chains, as well as the installation, configuration, use, monitoring  and maintenance of devices and services, with little if any coordination among the parties.

Given their number, variety and significance, I believe conventional, structured  and systematic information risk management is largely impracticable for domotics: there is way too much to do here! In accordance with the risk-based approach that underpins all the ISO27k standards, the standard prioritises some significant information risks, encouraging IoT device and service providers to play their parts - although even that is difficult since they are only providing parts of a complex and dynamic system. The bigger picture remains of concern.

< Previous standard      ^ Up a level ^      Next standard >