Best Practices for IoT Security: What Does That Even Mean?
Christopher Bellman, Paul C. van Oorschot

TL;DR
This paper investigates the ambiguous concept of 'best practices' in IoT security, analyzing over a thousand guidelines to clarify their meaning, application, and lifecycle relevance, aiming to foster consensus and improved security adherence.
Contribution
It provides a comprehensive analysis of what constitutes IoT security best practices, categorizes them, and highlights their predominant focus on early device lifecycle stages.
Findings
70% of practices relate to early device lifecycle stages
Many guidelines conflate outcomes with specific practices
Significant confusion exists around the actionable nature of best practices
Abstract
Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We explore not the failure to follow best practices, but rather a surprising lack of understanding, and void in the literature, on what (generically) "best practice" means, independent of meaningfully identifying specific individual practices. Confusion is evident from guidelines that conflate desired outcomes with security practices to achieve those outcomes. How do best practices, good practices, and standard practices differ? Or guidelines, recommendations, and requirements? Can something be a best practice if it is not actionable? We consider categories of best practices, and how they apply over the lifecycle of IoT devices. For…
Taxonomy
Topics: Advanced Malware Detection Techniques · Information and Cyber Security · Cloud Data Security Solutions
