The turbulent waters of the internet of things (IoT) will soon become more navigable — thanks to the recently adopted ISO/IEC 30141 standard, which defines reference architecture for IoT solutions. For our part, Kaspersky has been actively involved in the development of trust principles for IoT devices as laid out by the ISO/IEC TS 30149:2024 specification. Let’s use this example to explore why we need standards at all, what can be standardized in the IoT, and why IoT devices and their manufacturers must prove that they’re worthy of consumer trust.
Why we need standards
If you’re already familiar with the basic principles of standardization in electronics, feel free to skip ahead to the next section.
When you plug your smartphone’s charger into a hotel wall socket while on vacation, dozens of international standards are invisibly at play. Chargers are manufactured in accordance with IEC 60335-1:2020, which deals with the electrical safety of household appliances; plug shapes are governed by IEC 60906-1:2009 and its derivatives (such as CEE 7/16); and the supplied voltage itself is regulated by IEC 60038:2009+A1:2021. Widespread standardization has greatly simplified our lives: most countries worldwide use the same types of electrical appliances, barcodes on product packaging, and units of weight, length, and speed. In turn, unified approaches to controlling harmful substances in products, insulating and earthing household appliances, medication dosages, and traffic-sign coloring have massively improved safety and streamlined goods’ certification and testing.
The International Electrotechnical Commission (IEC) summarizes the benefits of standardization as follows. Standards:
- Enable different products to interoperate
- Are used in testing and certification to verify that manufacturers deliver on their promises
- Contain technical details for inclusion in country-specific regulations
- Simplify international trade
There are quite a few standardization bodies in existence — some regional, some industrial, some technical-field-specific. Besides the aforementioned IEC, there are, for example, the Internet Engineering Task Force (IETF) — responsible for developing internet standards; the American National Standards Institute (ANSI) — which issues standards for the US market; and the most universal of them all — the International Organization for Standardization (ISO). Where their areas of responsibility overlap, these bodies often collaborate to develop common recommendations. For example, electrical engineering standards are typically prefixed ISO/IEC.
Note that manufacturer compliance with any standard is voluntary. However, individual countries may prohibit the sale of, say, electrical appliances that don’t comply with local or international standards.
Standards for smart technology
Standards can describe not only the features of a finished product, but also how to manufacture it — addressing both hardware and software aspects. Therefore, the recently adopted ISO/IEC 30141:2024, which describes the architecture of IoT-related devices and services, is a logical — and long overdue — addition to the standards portfolio. Standardization based on this specification addresses several pressing issues:
- Wireless sensors and the hubs they interact with will use the same protocols so that equipment from different vendors can interoperate in homes and within companies.
- Standardized internet communications for IoT devices will reduce user dependence on the manufacturer (vendor lock-in), and eliminate situations where a server shutdown turns your smart home into a pumpkin — Cinderella-style.
- A standardized approach to IoT-solution development will enable the use of more mature implementations of communication protocols. Furthermore, standard outline mandatory security measures and their implementation in both hardware and software aspects of devices. All of this will cut the number of IoT devices harboring glaring security issues (1, 2, 3, 4).
An important complement to IEC 30141 was the ISO/IEC TS 30149:2024 specification, released in May, which lays out principles for IoT trustworthiness. The document answers the question of how to prove that an IoT device is secure (rather than just relying on the vendor’s claims) — and Kaspersky helped develop it.
Five aspects of verifiable security
The key concept of the document is trustworthiness, which differs from trust. Trust is based on assumptions, some of which may be true and based on observable properties (“made of metal”), while others may be unfounded (“doesn’t contain secret backup passwords”). According to the specification, trustworthiness is the verifiable ability to meet expectations. ISO/IEC TS 30149:2024 details how trust, trustworthiness, and risk correlate, and describes five aspects in which an IoT solution’s trustworthiness can be demonstrated. These are:
- Safety
- Security
- Privacy
- Resilience
- Reliability
For each of these aspects, trustworthiness is ensured through specific approaches to system design and construction. The document provides best-practice templates for building IoT systems and ensuring trust in them — from threat-assessment methodologies for trust-related violations, to architectural solutions for trusted systems (for example, MILS).
What to expect from the IoT of the future
The adoption of standards alone won’t magically improve IoT security overnight. Old products already no longer comply, while for new ones compliance with standards needs to become a requirement of both national and international regulators. Manufacturers would then need to invest considerable time in developing new products that comply with these standards. That said, in a few years, we can expect significant improvements in the security of both industrial and consumer IoT devices. These should include simple yet effective measures — such as secure default settings, and long, pre-defined periods for update delivery. More complex yet crucial improvements should include the widespread adoption of secure-by-design approaches, plus standardized, publicly-verified communication protocols to make products less vulnerable. With these in place, experts would be able to more easily analyze the security of specific products thanks to better-documented system and protocol architecture. And the ultimate goal: consumers knowing for sure that the IoT devices they purchase are secure, reliable, and resilient to threats (both physical and cyber) throughout the entire lifecycle of those IoT devices.