To get a clear view of your security goals and requirements it is very useful to categorize your project into one of four target environments.
1. Security in depth is helpful but not required
In this environment, there are no major privacy, financial or safety concerns… or these concerns are minor and will not lead to painful fines, liabilities and customer satisfaction issues.
a) Hobbyists, Casual Applications, Non-Critical Applications, etc.
This is the least demanding security environment, but that doesn’t mean security is inconsequential. If personal data is stored in or accessible by your system and/or your system can create a safety problem, then good security will be needed to ensure the system is not compromised and exploited.
2. Security in depth is needed but requirements may not be clear
Often, security is a “suggestion” in market segments in this environment. A good security checklist is not always available to firmly guide you, so you’ll need to do strong analysis to make your product secure. There may be safety and financial concerns depending on the device’s function in a home or mobile consumer device. The new GDPR laws in Europe require that privacy be taken very seriously.
a) Consumer IoT
In many cases, a compromised consumer IoT system can be used by attackers to steal personal data (credit cards, contact information, license keys, photos, etc.). If the compromised system has a camera and/or microphone, it may be used to illegally surveil a household or business. Consumer IoT devices may have important safety requirements. If the security of a device is compromised, it is a fair bet that that device’s safety is questionable. Lastly, a recall on consumer devices due to a large-scale cyberattack could be a financial disaster for your product – or at least a very expensive event. Consumer IoT devices must be survivable and remotely recoverable without the need for physical service intervention.
3. Security in depth is needed – the requirements are strong and sometimes clear
This environment has very strong security requirements. Some of the market sectors in this environment communicate and regulate these requirements very efficiently (e.g. PCI DSS, FISMA, HIPAA, etc.). Vendors in these market sectors often struggle to understand and implement those requirements.
a) Financial Systems
Financial systems have lots of regulations (PCI DSS, etc.). Financial losses and the loss of financially sensitive data are universally viewed as a disaster.
b) Government
The United States government passed the “Federal Information Security Management Act” in 2002. The US NIST document that is the backbone of FISMA compliance is SP 800-37. Other governments have similar laws and standards to support them. FISMA applies to government agencies, products supplied to government agencies and critical infrastructure in the US. Defense projects have even stronger requirements in their “Requests for Proposals” (RFPs).
c) Critical Infrastructure
Critical infrastructure (water, power generation and distribution, sewage, transportation, law enforcement, etc.) requires the same security as government systems (see FISMA above). Essentially, these products should be designed with the highest security for worldwide dissemination.
d) High Value Assets (Industrial Equipment, etc.)
Industrial Internet of Things (IIoT) devices are usually very valuable. They have a long lifecycle, must be continuously available, and must remain safe and reliable. The great value of Industrial IoT devices and the safety concerns that accompany them mandate extremely strong security. Their long lifecycles require that forethought be put into their security design so they can be adapted to future security threats (e.g. they’ll need to be upgradeable to next-generation quantum-resistant cryptography to protect them against rapidly emerging quantum computers).
e) Healthcare
If your system is handling healthcare information, there are lots of regulations you must follow (HIPAA, etc.). The protection of health records and information is a critical security function with substantial associated liability. It’s time to take the next step in security: enable field software updates, etc.
f) Networking and Storage Equipment
The networking and storage peripherals that connect all our computing devices and store our data are often as sophisticated as the computers they serve. These devices are the backbone of our vast computing infrastructure. If they are compromised they can be used to snoop private communications, deny critical services, steal valuable and private data, etc. They are probably best described as industrial IoT devices in that they have very high security requirements and are shipped as “computer appliances”.
g) Agriculture, Mining, Drilling, etc.
These market sectors are becoming more and more automated. If operational problems or safety problems occur, financial losses, injury, environmental disaster, etc. can follow.
4. More mature security markets - mixed security environments
a) Servers
The need for strong security is well-established in servers. The implementation and quality of that security varies widely. The journey to defense in depth continues in this market segment as these devices come under massive cybersecurity attack every day.
b) Notebook and Desktop Computers
The need for strong security is almost as well-established for personal computers as it is for servers and, as with servers, the implementation and quality of that security varies widely. Increasingly, these devices are dealing with the advanced security requirements of digital rights management for video and audio content, online financial transactions, etc. The protection of privacy and valuable digital content is a major issue with these devices, but systems are often configured and customized by a large supply chain of vendors, and no one entity (aside from the final customer) controls the final security of the system.
c) Mobile Computing Devices
Cell phones, tablets, etc. run the full security spectrum. There are applications running on these devices which control personal finances and need the highest security. Privacy is a major concern with these devices – there have been many high-profile privacy issues since these devices came to market. There are also lots of applications on these devices that do common or entertaining things that are of no great security concern (e.g. alarm clocks, flashlights, simple games, etc.).
If your product is in environment 1 (Security in depth is helpful but not required), your life is pretty easy. Enjoy!
If your product is in environment 2 (Security in depth is needed but requirements may not be clear), you need to move past what you are required to do and start thinking about what you need to do to avoid the very painful business consequences of a serious security breach.
If your product is in environment 3 (Security in depth is needed – the requirements are strong and sometimes clear), you’ve got strong or very strong security needs. Don’t assume they’re all covered. Do a close analysis and make sure you’re building a truly secure system that can survive the product lifecycle.