Hundreds of initiatives have been launched over the past several years to tackle the issue of internet-of-things security in the design phase for devices. AgeLight Advisory Group Managing Director Craig Spiezle spent the time to review more than 1,500 documents to see what those initiatives hoped to achieve.

AgeLight has released the fruits of Spiezle’s work in the form of the IoT Safety and Trust Design Architecture and Risk Toolkit. The toolkit seeks to achieve three primary goals: to guide and drive industry into self-regulation, to promote high-value privacy and security practices, and to deliver trustworthy devices to the marketplace.

During an online presentation of the toolkit, Spiezle said there has been a surge of IoT devices on the market, and since he has been president and chairman of the Online Trust Alliance, Spiezle and multiple stakeholders sought to address three dimensions of the IoT ecosystem: the physical devices, the cloud services behind them, and any associated apps.

“It’s important to look at all three of these combined because each one becomes an attack vector to exploit the device, the user and the data,” Spiezle said during the presentation.

Spiezle worked to create the toolkit by distilling the documents from those initiatives into one resource. Pulling the most important attributes from those initiatives helped address concerns developers and manufacturers continuously faced, as many initiatives had conflicting goals and messages.

“All of these efforts have created a tremendous amount of confusion that has given the industry a good excuse for not advancing forward at times, and that does serve any of our benefits,” Spiezle said. “If we share this version of a trustworthy internet and realize all the benefits to society, we need to move off our position and think about the developers, manufacturers and vendors we are trying to influence.”

Within the toolkit are 45 principles Spiezle and his team felt best represented a summation of what the initiatives hoped to achieve. Companies can use these principles to help create devices with the proper privacy, security and safety measures needed for a successful product. Organizations can also use the principles when determining products they may wish to buy.

The principles are divided into four categories: security by design; user identity and authentication; privacy, disclosure and transparency; and related safety, privacy and usability enhancing principles. 

Examples of the principles include “ensure privacy, security, and support policies are easily discoverable and readily available for review before purchase or enrollment” and “disclose the data retention policy.” Under each one of the 45 principles is a note further explaining what companies should do to follow the principle.

Companies are given six categories to score the importance they wish to give each principle: user benefit; the impact to the ecosystem; the financial and importance impact; “hazardization,” or the physical safety risk; develop costs and time to market; and regulatory and liability risks.

When scoring off these six categories, companies have to self-assess their risk tolerance for each principle. Based on the category, they will put a 1 or a 10 depending on how important implementing the principle is for their product.

For example, one of the principles states devices must not ship with default passwords or user credentials. Under the user-benefit category, if a company feels it is absolutely necessary to ensure that happens, they will put a 10 next to that section.

The toolkit allows users to see whether each one of the principles is referenced by the EU General Data Protection Regulation, the EU Agency for Network and Information Security, the NIST framework, the Federal Trade Commission, and the U.K. Secure by Design initiative.

Spiezle said having those five listed out gives companies another resource to see if one of the principles is necessary for their product. Cycling back to the password principle, strong authentication is referenced by all five, meaning companies will be more likely to make that a feature.

As regulation evolves, Spiezle said AgeLight will update the toolkit either on a monthly or quarterly basis. AgeLight will set up subscription services and offer free downloads to organizations planning to integrate such risk-foundation criteria into their processes, which is just one of their goals for the toolkit.

“One of the things that we found to be a good group exercise is to have individual developers and product owners go through it and then bring it together. It really can foster positive discussions and respect debate to bring that to light, and that’s the goal here is at the end of the day is to provide this utility and risk assessment to prioritize and then make a decision,” Spiezle said.