Internet of Things Security: What Does “Best Practice” Actually Mean?

Presented by Chris Bellman as a part of the 2020 Serene-risc Workshop on The State of Canadian Cybersecurity Conference: Human-Centric Cybersecurity

About the presentation

Recently, best practices for Internet of Things (IoT) security have shown to be of interest to government and industry organizations. Academic research has highlighted a failure to follow established security practices, and suggested a surprising lack of understanding of what “best practice” means. Desired security outcomes are commonly conflated with practices to achieve those outcomes, as evidenced by published guidelines. How do best, good, and standard practices differ? What are the differences between guidelines, recommendations, and requirements? Can something be a best practice if it is not “actionable”? After analyzing and categorizing a set of 1014 IoT security advice items from industrial, government, and academic sources, we find that about 70% of advice relates to the early IoT device lifecycle stages, highlighting the critical position of manufacturers in addressing security issues. Only about 9% of analyzed advice meets our definition of “best practice”. Our findings suggest that common terminology is a foundational and beneficial step in building and discussing security advice. We hope that this presentation highlights currently flawed terminology usage, and that our work provides a basis for the community to build on in order to better understand best practices, identify and reach consensus on specific practices, and then find ways to motivate relevant stakeholders to follow them.

About the speaker

Christopher Bellman is a PhD student at Carleton University in Ottawa, Canada. His area of study is security and privacy for the Internet of Things (IoT). Current research topics include understanding the role best practices and design principles play in the building of secure consumer-grade IoT devices, and the unique identification of IoT devices.