ISO/IEC 27403 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics [DRAFT]
“This document provides guidelines to analyze security and privacy risks and identifies controls that need to be implemented in IoT-domotics systems.”
[Source: SC 27 Standing Document 11 (2021)]
Setting the standard for information security and privacy of IoT things intended for home use is quite a challenge given the variety of things, homes and living arrangements, security and privacy issues and controls. Rapid innovation and change in this area further complicates matters.
Scope of the standard
“Domotics” was originally known as home automation a.k.a. “smart homes”, where domicile or home is described as “The private, hence highly customizable area where someone lives, alone or with guests or cohabitants” that “includes dedicated infrastructure aimed to support those individuals, such as healthcare and wellness systems, building control systems, smart metering and systems for entertainment or gaming.”
This cybersecurity standard is aimed squarely at the designers, manufacturers and security/privacy assessors of IoT domotics, rather than the “users” (consumers/retail customers).
It will cover the information security and privacy aspects of device-to-device interactions (e.g. hubs and subsystems), human-to-device interactions, the sensors and actuators through which devices physically interact with the home, and networking both within the home and beyond it (e.g. via Internet gateways).
Content of the standard
- Overview of the stakeholders (IoT device manufacturers, service providers, regulatory authorities and users), the lifecycles for IoT domotics developers, service providers and users, an architectural reference model, and an introduction to the ‘security’ (cybersecurity) and privacy aspects;
- Risk assessment guidelines covering cybersecurity and privacy risks (referring to eight other standards!);
- Cybersecurity and privacy controls;
- Use cases - six examples of the principles in action;
- ‘Security’ and privacy concerns of various stakeholders with differing perspectives;
- Stakeholders’ security and privacy responsibilities;
- Cybersecurity and privacy controls for various IoT domotics devices.
The standard is at 2nd Committee Draft stage.
It is due to be published towards the end of 2023.
While “IoT” is a common abbreviation, “domotics” is a neologism derived from domus (Latin for house) and robotics.
Rather than simply recommending a bunch of controls, the standard will describe typical information [security and privacy] risks relating to domotics, and recommend information security controls to mitigate them, making this a risk-based ISO27k standard. Sounds good in theory, although strictly speaking several of the ‘risks’ described in the draft are in fact weak or missing controls, not risks.
Information risks provide the rationale, context or basis for the controls. Helping readers identify and consider the information risks would give them a better appreciation of what the information security controls are required to achieve. The risks and the controls in the standard are examples to stimulate readers into considering the risks and control requirements in their particular contexts.
Challenges (risks) in the home environment include:
- Limited information security awareness and competence by most people. IoT things are generally just black-boxes.
- Ad hoc assemblages of networked IT systems - including things worn/carried about the person (residents and visitors) and work things, not just things physically installed about the home (e.g. smart heating controls, door locks and cat feeders).
- Things are not [always] designed for adequate security or privacy since other requirements (such as low price and ease of use) generally take precedence. Finite processing and storage capacities, plus limited user interfaces, hamper/constrain their security capabilities.
- Lack of processes for managing security and privacy systematically at home. If anything, activities tend to be ad hoc/informal and reactive rather than proactive.
- Informality: the home is a relatively unstructured, unmanaged environment compared to the typical corporate situation. Few domotics users even consider designing a complete system, although certain aspects or subsystems may be intentionally designed or at least assembled for particular purposes (e.g. entertainment).
- Dynamics and diversity: people, devices and services plus the associated challenges and risks, are varied and changeable. The home is a fairly fluid environment.
- Limited ability to control who may be present in/near the home and hence may be interacting with IoT devices e.g. adult residents plus children, owners, visitors, installers, maintenance people, neighbours, intruders ... Physically securing things against accidental or malicious interaction is difficult.
- Limited ability to manage and control IoT device and service supply chains, as well as the installation, configuration, use, monitoring and maintenance of devices and services, with little if any coordination among the parties.
Given their number, variety and significance, I believe conventional, structured and systematic information risk management is largely impracticable for domotics: there is way too much to do here! In accordance with the risk-based approach that underpins all the ISO27k standards, the standard prioritises some significant information risks, encouraging IoT device and service providers to play their parts - although even that is difficult since they are only providing parts of a complex and dynamic system. The bigger picture remains of concern.