ISO 27400:2022 "Cyber security - IoT security and privacy"

Since mid-June 2022, ISO (the International Organisation for Standardisation), a worldwide federation of national standardisation bodies (ISO member organisations), has published its latest draft of an internationally valid standard for the protection of IoT devices with regard to security and data protection.

ISO 27400:2022 - An anticipated in-depth standard for holistic IoT security

The scope of the new ISO standard includes technical and organisational measures in the form of guidelines on risks, principles and controls for the security and privacy of Internet of Things (IoT) solutions.

According to the technical expert panel, "[information security] is a major concern for any information and communication technology (ICT) system, and Internet of Things (IoT) systems are no exception. IoT systems pose a particular challenge to information security because they are highly distributed and comprise a large number of different entities. This results in a very large attack surface and a major challenge for the information security management system (ISMS) to apply and maintain appropriate security controls throughout the system.
Privacy or personal data protection is a major concern for some types of IoT systems. If an IoT system collects or uses personal data, there are usually laws and regulations that apply to the collection, storage and processing of personal data. Even if the regulations do not matter, the handling of PII by an IoT system remains a reputational and trust issue for the organisations involved, for example if the PII is stolen or misused and could cause some form of harm to the individuals identified by the information.
The security and privacy controls in this document have been developed for stakeholders in an IoT system environment to use by any IoT stakeholder throughout the lifecycle of the IoT system."

Design and structure of the new ISO 27400:2022

As expected, the new 42-page ISO standard is divided into the familiar chapters prescribed by Annex SL, plus 4 more in-depth sections. These are divided into the following main topics:

5 IoT concepts
5.1 General
5.2 Characteristics of IoT systems
5.3 Stakeholders of IoT systems
5.4 IoT ecosystem
5.5 IoT service life cycles
5.6 Domain based reference model
6 Risk sources for IoT systems
6.1 General
6.3 Risk sources
7 Security and privacy controls
7.1 Security controls
7.2 Privacy controls

Definition: What is the Internet of Things and which devices are part of it?

There is no formal definition of the Internet of Things, as the term encompasses a wide range of uses that can be counted as part of the basic idea of the IoT by function or form of connection. In most cases, however, IoT describes a network for machine-to-machine communication. The term is to be distinguished from the conventional internet (the social internet), in which primarily people communicate with other people or with machines (e.g. servers). The Internet of Things in its current stage of development has only been made possible by the technological progress of the last two decades and is currently becoming the de facto standard for new technology platforms.

Internet of Things in the private sector

IoT devices that are accessible to everyone are primarily intended to make everyday life easier. For this purpose, internet-capable devices or applications are linked with each other and thus made controllable. These can be all the components of a smart home, for example. Through the Internet of Things, users can receive a notification when certain events occur, e.g. when the room temperature falls below a certain value or an electric toothbrush is used with too much pressure. Intelligent IoT sensors can also act on their own, for example by having a roller shutter automatically darken a window without any human intervention.

The terms smart city and smart environment also come up in the context of IoT. They encompass the creation and use of an IoT to optimise one's own environment, or an entire city or region.

Industrial Internet of Things (IIoT)

The Industrial Internet of Things is to be distinguished from the private IoT. Here, individual machines or entire plants are networked with each other. The aim is to increase efficiency through:

  • Communication/information exchange between machines, vehicles, containers and automated machines (M2M)
  • High degree of automation
  • Process optimisation
  • Early problem detection (self-diagnostics)
  • Failure avoidance
  • Resource-saving manufacturing

The basic building block for this new level of technology was radio-frequency identification (RFID for short). It enabled a reader device to identify and locate a transmitter contactlessly. (Source: Internet of Things: Definition, Application, Risks)

The IIoT is often equated with the term Industry 4.0, but this is not correct. Industry 4.0 is a digitalisation project that will only be fully realised in the future. The prerequisites for this fourth industrial revolution include the Internet of Things, cloud computing and artificial intelligence (AI).

Protect Privileged Accounts (PAM) to protect IoT technologies

Privileged user accounts, passwords and secrets are everywhere: according to estimates, their number is usually three to four times as high as the number of employees. Especially with modern technologies that rely on everything being connected and accessible from everywhere, the attack surface is growing rapidly as systems, applications, machine-to-machine accounts, cloud and hybrid environments, DevOps, robotic process automation and IoT devices provide more and more administrative access. Attackers know this and therefore target precisely these privileged accounts. Over 95 percent of complex attacks are based on the exploitation of privileged credentials, as these provide access to particularly sensitive data, applications and infrastructure. In the wrong hands, such privileges can significantly disrupt a company's business operations.

VISULOX is a PAM solution developed in Germany for the protection of privileged accounts.

VISULOX Privileged Access Management is the central access component between users and their tasks. It can be used to document who has access to which application and when, and who authorised that access and when. The application itself is also presented through VISULOX Privileged Access Management, and this is documented as well. This gives you control and an overview of all activities in the system, without any changes to the client or server and without interrupting operation.

  • Control: centralise all accesses of privileged users to internal IT and OT systems
  • Harmonise: harmonise heterogeneous access requirements according to organisational guidelines
  • Rely: rely anytime, anywhere on audit-proof records of every activity within IT and OT

VISULOX has been developed by amitego in Germany since 2003 and is used worldwide by small and medium-sized companies as well as DAX30 companies, across all sectors.
