Reflecting on Michael Hay's article and the comments that followed, and alarmed by recent reports on the abysmal failure of the auto industry to understand the risks of hacking to automated vehicles, I think it's time to declare a general set of requirements for all IoT devices. Here's the beginning of a list. What do you think should be added or deleted?
- The vendor shall provide assurances that all reasonable steps have been taken to assure the security of the device, including third-party review of the code, and vulnerability and penetration testing of each release.
- The vendor shall be held liable for security weaknesses in the product that result in injury, death, or significant financial loss to the user of the equipment.
- The vendor shall maintain a code update mechanism for the devices for the expected lifetime of the product.
- The mechanism should be as automatic as possible.
- The expected product lifetime should be listed prominently in the sales collateral and the packaging of the device. A thermostat or fridge might be expected to operate for 10 years or more. A smart car should be supported for at least 15 years.
- Code should be escrowed in case the manufacturer fails to deliver on this promise, and all title to the escrowed code will be transferred to a non-profit code maintenance organization in that event. (Details TBD)
- The vendor will not be held responsible for security weaknesses that were addressed by an update but which were not applied because the customer prevented them from being applied.
- The vendor shall maintain a device management portal in the cloud or provide on-premises tools for customers to determine the revision level of code in their devices, and CVEs addressed by each revision.
- For consumer devices, the vendor shall maintain a public list of known vulnerabilities, describing the risks and possible mitigations in plain English.
- It shall be possible for customers to easily disconnect devices from the internet when a serious vulnerability is detected.
- The vendor shall provide or reference tools that can be used to monitor attacks on devices. Ideally, all devices should implement a common logging format for SIEM.
- The vendor shall document the kinds of data sent and received by the device, the reasons why the data is required, the data volumes expected, and the frequency of transmissions. Customers can use this documentation to automate the monitoring of devices for unusual behavior.
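To show how the last requirement pays off on the defender's side, here is an added example (not from the original post or any vendor) that checks observed device traffic against a vendor-declared data profile. The profile, the flow records, the host names and the fictional "thermostat-x1" device are all constructed for illustration; the check flags destinations the vendor never documented, transmissions larger than the declared maximum, and transmissions that arrive more often than the declared interval.

```python
"""Hypothetical example: compare observed device flows with the vendor's
published data profile (destinations, purpose, expected size, frequency).
Profile, flow records and host names below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vendor profile for a fictional "thermostat-x1": for each
# destination host, the declared reason, the maximum payload per
# transmission and the minimum interval between transmissions.
PROFILE = {
    "telemetry.example-vendor.test": {
        "reason": "temperature/humidity readings",
        "max_bytes_per_tx": 2_000,
        "min_interval": timedelta(minutes=15),
    },
    "updates.example-vendor.test": {
        "reason": "signed firmware manifest check",
        "max_bytes_per_tx": 50_000,
        "min_interval": timedelta(hours=24),
    },
}

# Constructed flow records as a SIEM might export them, in time order:
# (ISO timestamp, destination, bytes sent by the device).
FLOWS = [
    ("2024-05-01T08:00:00", "telemetry.example-vendor.test", 1_100),
    ("2024-05-01T08:15:00", "telemetry.example-vendor.test", 1_050),
    ("2024-05-01T08:17:00", "telemetry.example-vendor.test", 1_200),    # too soon
    ("2024-05-01T08:35:00", "telemetry.example-vendor.test", 480_000),  # too big
    ("2024-05-01T09:00:00", "updates.example-vendor.test", 12_000),
    ("2024-05-01T09:05:00", "198.51.100.23", 9_000),                     # undocumented
]


def check_flows(profile, flows):
    """Return (timestamp, destination, finding) tuples for every flow that
    deviates from the declared profile. Flows must be in time order."""
    findings = []
    last_seen = {}  # destination -> datetime of the previous flow to it
    for ts_str, dst, nbytes in flows:
        ts = datetime.fromisoformat(ts_str)
        spec = profile.get(dst)
        if spec is None:
            # Anything the vendor did not document is worth a look.
            findings.append((ts_str, dst, "destination not in vendor data profile"))
            continue
        if nbytes > spec["max_bytes_per_tx"]:
            findings.append((ts_str, dst,
                f"payload {nbytes} B exceeds declared max {spec['max_bytes_per_tx']} B"))
        prev = last_seen.get(dst)
        if prev is not None and ts - prev < spec["min_interval"]:
            findings.append((ts_str, dst,
                f"sent {ts - prev} after previous, declared interval {spec['min_interval']}"))
        last_seen[dst] = ts
    return findings


def summarize(findings):
    """Count findings per destination so an operator sees which host misbehaves."""
    counts = defaultdict(int)
    for _, dst, _ in findings:
        counts[dst] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, dst, why in check_flows(PROFILE, FLOWS):
        print(f"{ts} {dst}: {why}")
    print(summarize(check_flows(PROFILE, FLOWS)))
```

The thresholds are taken straight from the declared profile rather than learned from traffic, which is the point of the requirement: a published profile turns "unusual" into something a customer can define and test without reverse-engineering the device first.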
Tough provisions like these will deter many startups until vendors of SDKs and tools provide complete frameworks for product development and ongoing support.
How would these requirements change auto design, or fridge design? Frankly, most of those manufacturers wouldn't have a clue how to go about this (except perhaps for Tesla).