While politicians in the United States have been discussing measures to tackle the oft-ignored but nevertheless growing issue of Internet of Things (IoT) security, similar measures are being discussed across the pond. In November 2017, the European Union Agency for Network and Information Security, formerly named the European Network and Information Security Agency (ENISA), released an extensive report, titled Baseline Security Recommendations for IoT in the Context of Critical Information Infrastructures, in a bid to identify basic cybersecurity recommendations for IoT.
In addition to providing insight into the security requirements of IoT, the report also details good practice recommendations on preventing and mitigating cyber-attacks against IoT systems. There are even detailed examples of different IoT attack scenarios, such as IoT administration compromises, value manipulations in IoT devices, and botnet command injections.
What the Paper Says
For the executive summary, Baseline Security Recommendations lists seven high-level recommendations to improve IoT security:
- Promote harmonization of IoT security initiatives and regulations
- Raise awareness for the need for IoT cybersecurity
- Define secure software/hardware lifecycle guidelines for IoT
- Achieve consensus for interoperability across the IoT ecosystems
- Foster economic and administrative incentives for IoT security
- Establish secure IoT product/service lifecycle management
- Clarify liability among IoT stakeholders
The goal of the piece is to elaborate baseline cybersecurity recommendations for IoT with a focus on Critical Information Infrastructures, which encompass facilities, networks, services, and physical equipment. These infrastructures are deemed “critical” because their destruction or disruption would have major consequences for the health, safety, and economic welfare of citizens, for the functioning of state institutions and public administrations, and for IoT service providers.
Steps the EU Has Taken
The publication of Baseline Security Recommendations comes after several initiatives from the European Commission. In March 2015, the Commission launched the Alliance for Internet of Things Innovation (AIOTI) with the intention of creating an innovative and industry-driven European IoT ecosystem. The AIOTI’s status as the largest European IoT association to date underscores the Commission’s ambition to work closely with all IoT stakeholders on the establishment of a competitive market and new business models for the benefit of European citizens and businesses.
The Commission adopted the Digital Single Market (DSM) Strategy two months later, in May 2015, which underlined the need to avoid fragmentation and to foster interoperability for IoT to reach its potential. The vision is based on three pillars: a thriving IoT ecosystem, a human-centric IoT approach, and a single market for IoT. The paper noted that achieving a single market would be challenging, considering the vast number and diversity of connected devices and the difficulty of identifying them unequivocally and universally.
The most recent action taken by the European Union (EU) was in September 2017, when the new “Proposal for a Regulation of the European Parliament and of the Council on ENISA, the ‘EU Cybersecurity Agency’,” along with documentation on cybersecurity certification, was published. On the same date, the Commission published a document detailing the overall cybersecurity strategy of the EU.
The goal of that documentation is to build greater resilience in the EU to cyber-attacks, improving detection mechanisms and strengthening international cooperation. It provided a series of measures, such as the encouragement of “security by design” throughout the whole lifecycle of IoT devices. Certification schemes under this framework would indicate that products are built using state-of-the-art secure development methods, that they have undergone adequate security testing, and that the vendors are committed to updating their software in the event of newly discovered vulnerabilities.
Conclusion
Potential roadblocks include significant gaps in security implementation and knowledge in relation to IoT security, given the emergent nature of the technology. Nevertheless, with the publication of papers like Baseline Security Recommendations, along with the American legislation mentioned at the beginning of this article (and briefly referenced in ENISA’s paper), awareness of the need to secure IoT devices and systems is bound to grow. It is up to the vendors to follow suit and make good on the growing demand for a more secure Internet of Things.