New ISO/IEC standard addresses IoT cybersecurity

A new international standard has been unveiled to address cybersecurity threats to IoT tech like smart home devices.


ISO/IEC 27402 offers manufacturers a baseline set of requirements specifically tailored to enhance the security and privacy of IoT devices. IoT devices are seen as particularly vulnerable to hackers because of their interoperability.

“The sheer prevalence of IoT devices across networks and systems makes them attractive targets for cyber-attacks,” IEC, which co-authored the new standard with the ISO, said in a statement. “The interconnected nature of these devices introduces vulnerabilities that, if exploited, could have far-reaching consequences.”

According to IEC, the most common types of cyber-attacks on IoT devices include distributed denial of service (DDoS) attacks; man-in-the-middle attacks, which involve intercepting or altering the communication between IoT devices and their servers or controllers; brute force attacks, which involve hacking a device by trying different username and password combinations; and eavesdropping attacks, which involve spying on the data transmitted by IoT devices in order to gain personal or sensitive data.

ISO/IEC 27402 provides guidance on the essential features and measures necessary for countering these attacks.

At the heart of the new standard, IEC said, is a comprehensive risk assessment framework, since understanding the risks is key to developing an effective risk treatment plan.

“The idea is that by identifying the required features and countermeasures, users can actively mitigate potential threats, ensuring that IoT devices meet the highest standards of security and privacy,” IEC said.

The standard outlines requirements applicable to IoT devices entering the market, with the requirements serving as a baseline on which various vertical markets can build additional specifications tailored to their unique applications and associated risks.

Industries, including consumer electronics, “can leverage this standard as a foundation for developing sector-specific requirements,” IEC said.

ISO/IEC 27402 was developed by the joint IEC and ISO technical committee SC 27, the subcommittee responsible for developing international management and technical standards for information security and privacy protection and related topics.