IoT Security Compliance at the Rack Level

Jessica Ciesla
October 1, 2021

The world is driven by software is not a shocking claim, but the ubiquity of its presence is worth a reminder. A recent hunt for a new refrigerator served as a notification, in case I had forgotten, about the pervasive nature of the IoT and the ability to connect to just about anything, even an appliance, from anywhere you have an internet connection. The same holds true for our large modern data center networks, obviously, from building automation and controls packages right down to the software operating intelligent rack PDUs. 

The relative openness of our software-driven world means that, in some ways, we are even more vulnerable than ever. And while your leftovers are relatively safe, IoT botnet attacks such as the ‘Star Wars’ Twitter botnet of 2017, ransomware attacks on our fuel and food supplies, and recent similar attacks on US businesses serve as a reminder that if you have software and internet-connected devices, you have vulnerabilities. 

For this reason, Legrand takes the security of its Raritan line of rack PDUs very seriously. Our PX3 PDUs have recently undergone a thorough software security audit by the firm Pivot Point Security. This penetration testing involves OSSTM, PTES, and OWASP testing methodology, as well as guidance from relatively recent legislation out of California known as CA SB 327. 

Here is the process that the Raritan PX3 software underwent: 

• Full testing of the device’s exposed services from a network perspective 

• An OWASP Top 10 assessment of any exposed applications 

• A full assessment of the communication channel’s security 

• An assessment of the physical security of the device 

• A hardware security assessment of the device’s internals 

• Binary and reverse engineering analysis of the device’s firmware 

California is the only state in the union to have passed legislation for consumer-related IoT devices. CA SB 327 defines IoT devices to include any device or “other physical object” that is capable of connecting to the internet (even “indirectly,” such as by pairing with another device) and assigned an IP or Bluetooth address. 

Under the law, devices must be equipped with “reasonable security features” designed to protect the device, and information contained in the device, from “unauthorized access, destruction, use, modification, or disclosure.” Reasonable security features are defined as those “appropriate” to the “nature and function of the device” and the “information it may collect, contain, or transmit.” Importantly, manufacturers should view the law as an effort to protect user safety and consumer privacy—and even safeguard against threats to public safety. 

While the specifics of the legislation are somewhat vague, Raritan understands the requirements of mission-critical data security. By supporting the fight against any vulnerabilities through independent testing, Raritan’s rack PDUs are secured in a manner consistent with industry best practices. Contact us to learn more about the security testing of Raritan PX3 software.