IoT Safety & Trust Design Architecture and Risk Toolkit
Standards and controls to help address device hazardization,
weaponization and privacy abuses
April 11, 2018 – Seattle, Washington – The AgeLight Advisory and Research Group, working with leaders in the public and private sectors, has released the IoT Safety & Trust Architecture® and Risk Toolkit (ISTA). The goal of the ISTA is to help the market deliver on the promise of the Internet of Things (IoT) by enhancing device security, safety and privacy practices.
As IoT goes through massive growth, it has tremendous potential to revolutionize the way we live and work. Yet there is a risk of connected devices flipping lives upside down if proper security, safety and privacy measures are not implemented. The ISTA was designed to address these risks by harmonizing global efforts and providing a risk-assessment and scoring model to help device manufacturers prioritize their development efforts. The principles are built on the belief that devices, independent of their price point, can and should be engineered to help prevent security and safety risks and misuse of users’ personal data.
"The ISTA provides a blueprint to embrace security and privacy by design," said Craig Spiezle, Managing Director of the AgeLight Advisory and Research Group. “Organizations that adopt the ISTA can maximize user safety and peace of mind, while making security and privacy a part of their brand promise.”
The ISTA takes a pragmatic view based on a weighted scoring model that incorporates six core issues impacting developers today. Based on an organization’s risk tolerance, engineering efforts can be ranked and prioritized. Scoring criteria include:
The impact to the user and/or organization
The impact to the ecosystem and society at large
Financial and performance impact
Hazardization, or risks related to physical and life safety
Development costs and impact to market timing
Regulatory and liability risk
“The ISTA is a common-sense risk-assessment tool for innovators who want to create the next generation of IoT devices,” said Morgan Reed, President of ACT | The App Association. “Tools like AgeLight’s are accessible for small manufacturers, yet sophisticated and carefully calibrated to global security norms and current best practices. The ISTA is a valuable arrow in the quiver for companies as they seek to exceed consumer expectations with top-notch security and privacy practices.”
Objectives of the ISTA
Provide a risk assessment and prioritization toolkit customized by an organization’s risk tolerance
Promote security and privacy by design when products ship and through their life
Accelerate the adoption of high-value and high-impact security and privacy practices delivering trustworthy devices to the marketplace
Drive industry self-regulation promoting innovation and serving as a foundation for safe-harbor
Serve as an incentive for companies to invest in security and privacy by design
"Developers and device manufacturers are overwhelmed with the challenges of delivering IoT-ready products that are safe, secure and private, both when they ship and throughout their lifecycle," said Darron Antill, CEO of Device Authority. "The ISTA provides an actionable blueprint for the industry to realize the promise of IoT."
“As IoT devices become integrated within an organization, the ability to manage and access the risks can be overwhelming. The ISTA is not only a road map for developers but can be used for companies when evaluating the risks of products they are using and planning to purchase,” said Alex Yampolskiy, CEO of SecurityScorecard.
Developed through a multi-stakeholder process, the ISTA reviewed more than 300 recommendations and incorporates many practices advocated by the U.S. Federal Trade Commission (FTC), the European Union’s General Data Protection Regulation (GDPR), the EU Agency for Network and Information Security (ENISA), the U.K. government, the U.S. Consumer Product Safety Commission (CPSC), the U.S. Department of Commerce, the National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST) and by other global efforts.
“As a global organization working to advance smart home and building automation, we continually hear about the complexity of the security, safety and privacy landscape,” said Ronald J. Zimmer, CABA president and CEO. “AgeLight’s work harmonizing best practices, standards and regulations is a significant step forward in assisting industry stakeholders. While there is no perfect security or privacy solution, the ISTA provides a common-sense approach toward creating more secure, sustainable and private smart devices for home, work and play.”
"Our world is becoming increasingly interconnected, and while that offers consumers numerous benefits, the shadow of risks looms large. Self-regulatory mechanisms that harmonize and focus the efforts of industry and government are essential for enhanced cybersecurity and privacy,” said Ryan Hagemann, director of technology policy at Niskanen Center. “Voluntary guidelines such as the ISTA help address the risks without relying on overly prescriptive and ineffective regulatory mandates. Efforts like these can incentivize companies to deal with threats today rather than running the risk of litigation or heavy-handed regulation tomorrow."
The ISTA incorporated many practices advocated by leading organizations including ACT | The App Association, Consumer Reports, Center for Democracy & Technology, Continental Automated Buildings Association, the Internet Society, Niskanen Center, Online Trust and Integrity Council and Underwriters Laboratories, as well as related efforts supported by Device Authority, Microsoft, SecurityScorecard and Symantec.