ICSA recently announced an Internet of Things testing and certification program. It has six components (highlights in brackets):
- cryptography (FIPS 140-2 crypto algos by default, secure PRNGs)
- communications (PKI auth, all traffic must be authorized)
- authentication (secure auth, protect auth data, no privilege escalation)
- physical security (tamper detection, defense, disable)
- platform security (secure boot, secure remote upgrade, DoS defense)
- alert/logging (log upgrades, attacks, tampering, admin access)
Their IoT security requirements framework is found here.
This is a great list. I think another dimension to think about is the usability of the security: many products come with security options buried so deep in documentation or UI that a regular user may not configure the device securely and may leave it more open than intended. This has historically been true of a variety of webcams, SCADA systems, Wi-Fi routers and other devices.