
Cybersecurity guideline for testing of Internet of Things security products

By Security Staff

September 2, 2022

AMTSO, the cybersecurity industry’s testing standard community, has published its first Guidelines for Testing of IoT Security Products.


As Internet of Things (IoT) security product testing is still in its infancy, according to AMTSO, the guidelines aim to provide guidance for independent benchmarking and certification of IoT security solutions.


Drawing on input from testers and vendors, the guidelines cover principles for testing IoT security products and provide recommendations for testers on test environment, sample selection, testing of specific security functionality, and performance benchmarking.


The Guidelines for Testing of IoT Security Products include:

  1. General principles: All tests and benchmarks should focus on validating the end result and performance of protection delivered instead of how the product functions on the backend. Thus, the guidelines suggest that no difference in rating should be made between products that use, for example, machine learning or manufacturer usage descriptions as long as the outcome is the same.
  2. Sample selection: The guidelines provide guidance for challenges with choosing the right samples for IoT security solution benchmarking. For a relevant test, testers need to select samples that are still active and target the operating systems smart devices are running on. The guidelines also suggest that the samples could be categorized between industrial and non-industrial, with further separation into operating systems, CPU architectures, and severity scores.
  3. Determination of “detection”: IoT security solutions work very differently than traditional cybersecurity products when it comes to detections and actions taken; for example, some solutions will simply detect and prevent a threat without notifying the user. The guidelines suggest using threats with admin consoles that the tester can control or using devices where the attack will be visible if conducted. Another alternative could be observing the device ‘under attack’ via network sniffing.
  4. Test environment: In an ideal case, all tests and benchmarks would be executed in a controllable environment using real devices. However, the setup can be complex, and if the tester decides against using real devices in the testing environment, it is advised that they validate their approach by running their desired scenario with the security functionality of the security device disabled and checking the attack execution and success. The guidelines also advise using alternatives to real devices, like a Raspberry Pi, to mimic a real IoT device, and creating bespoke IoT malware samples, like Mirai, for testing of malware never seen before.
  5. Testing of specific security functionality: The guidelines include advice on different attack stages, including reconnaissance, initial access, and execution. They outline the possibility of testing each stage individually vs. going through the whole attack at once. Choices on this should be documented in the testing methodology. The guidelines also suggest that platform-agnostic testing be considered, as many threats today target multiple architectures and can be used against IoT and non-IoT devices alike.
  6. Performance benchmarking: The guidelines also provide considerations on performance benchmarking, e.g., suggesting that testers differentiate between use cases such as consumers vs. businesses, and consider the criticality of latency or reduced throughput per protocol, which depends on the protocol's purpose.


“Guidelines for security and privacy, in general, are what drive industry regulations like PCI, HIPAA, and SOX, recognizing the need to protect access to sensitive data and systems in traditional IT environments,” says Tony Goulding, Cybersecurity Evangelist at Delinea. “Similarly, it’s important to protect access to IoT devices that are used in sensitive environments. With no equivalent set of regulations, the AMTSO guidelines represent a step in the right direction to help IoT vendors test their products’ ability to detect and prevent attacks.”


Many IoT devices are managed by the line of business, which does not normally have staff, training, or budget to achieve true IoT security. This line of business may not have the budget to replace obsolete yet functional devices, says Bud Broomhead, CEO at Viakoo. “When a device goes end of life from the manufacturer, there are no new security patches, yet threat actors are constantly adding new exploits against them.”


To fix this issue, security leaders should ensure that budget is available to replace IoT devices that have gone EOL, Broomhead recommends. Doing so “is an important process point and should foster regular communication and coordination between the CISO, IT, and IoT line of business owners so that when a crisis hits lines of communication are already established and functioning,” he says.


Having metrics to guide program improvements will help security leaders focus on what needs improvement, Broomhead suggests. “For example, every organization should track how long it takes to apply an IoT firmware patch, how many IoT devices fail to have certificates updated on time, and if password policies are being enforced on all devices,” he says.


Guidelines for Testing of IoT Security Products, other guidelines, and standard documents are available for download at: https://www.amtso.org/documents/.
