Adapting test strategies to IoT: Page 3 of 5

December 03, 2014 // By Mike Bartley and Declan O'Riordan
The internet of things (IoT) brings with it the ability to build more flexible and responsive control systems in which devices from many different vendors are brought together to deliver more functionality than is possible with traditional, standalone embedded systems.
many of the devices will often be practically inaccessible, the “patch and pray” strategy used for many desktop software packages is unlikely to be an effective strategy for many forms of IoT device. They will need to be shown to be secure against a wide range of attacks. Patching can only be used for extreme situations where certain types of hack were unforeseeable at the time of design.

Because of the factors outlined above, there is a strong requirement for the firmware inside IoT devices to demonstrate trustworthiness. This has led, in the UK, to the release of a standard designed to improve the ability of software to avoid failures and resist attacks. The Trustworthy Software Initiative has backed the British Standards Institute’s PAS 754:2014 standard, which identifies five aspects of software trustworthiness: safety, reliability, availability, resilience and security.

The BSI document describes a widely applicable approach to achieving software trustworthiness rather than mandating any specific practices or procedures. The standard calls for an appropriate set of governance and management measures to be set up before producing or using any software which has a trustworthiness requirement.

Under the regime, design teams need to perform risk assessments that consider the set of assets to be protected, the nature of the adversities that may be faced and the way in which the software may be susceptible to such adversities. To manage that risk, appropriate personnel, physical, procedural and technical controls need to be deployed. Finally, PAS 754 demands that a regime be set up under which creators and users of software ensure that governance, risk and control decisions have been implemented.

Where devices are likely to be incorporated into systems that have a safety aspect, certification to one of the relevant standards will be needed. This may be a generic standard such as IEC 61508 or a domain-specific standard derived from it such as ISO 26262 that has been embraced by many of

