Cyber

Security

and IoT

Explaining why IoT (Internet of Things)

devices must be secure by design

censis.org.uk

---

Cyber security threats associated

with Internet of Things (IoT)

devices are evolving rapidly,

keeping pace with the increased

levels of IoT adoption across

a range of end markets and

application areas.

1

---

Integrating

cyber security

While IoT devices offer transformational benefits to organisations and individuals,

they require designers and manufacturers to be hyper-aware of the need to create

solutions with cyber security and privacy in mind.

It is essential to integrate security features during the design stages of IoT products

and services, making them ‘secure by design’ and without impacting their

functionality.

This document is part of a Scottish Government-funded programme to demonstrate

the transformative potential of IoT across some of Scotland’s key growth industries.

It is intended as an introduction to IoT cyber security best practice to mitigate risks

and provides links to additional sources of information.

Whether you are in the development, manufacture, supply or procurement of IoT

devices and services, this document provides what you need to know.

www.censis.org.uk

Contents

Internet of Things (IoT) in context 3

Cyber security overview 3

Cyber security vulnerabilities and risks 5

Common attack methods 7

IoT cyber security best practice and legislation 9

The future for IoT device security 11

Glossary 14

Text with an explanation in the Glossary on P14 is underlined the first time it is used.

If you are reading the printed version of this brochure, you can download a hyperlinked pdf at censis.org.uk/brochures

The information in this brochure is correct at time of writing. September 2019.

2

---

Cyber security overview

Q What is cyber security

Cyber security is essential in preventing harm to the

integrity of the electronic devices and services that

people and organisations use daily, as well as ensuring

the confidentiality of the data stored and transmitted.

Some of these devices and services form the

basis of our critical national infrastructure, such as

emergency services, communications, transport, defence

and utilities.

Cyber security involves the use of processes, technologies

and controls for the protection of devices, systems,

networks and data from cyber attacks and the ability to

recover from these attacks.

Cyber security good practice

Processes,

technologies

and

controls

Are

applied to

Devices,

systems,

networks

and data

Resulting

in

Protection from

cyber attacks

Ability to

recover from

attacks

Internet of Things (IoT) in context

Q What exactly does ‘Internet of Things’ mean?

A To simplify the vast amount of chat and hype around

IoT, think of it in its broadest sense as: ‘a system of

things using the internet or private network to

connect and communicate with each other’.

Q What ‘things’?

A We say ‘things’ but really mean ‘devices’ that are

connected via the internet to each other. Your phone

is probably such a device. Some watches are

internet-enabled. Often, you’ll hear ‘smart’ added to

the front of something to describe that it can

connect to the internet and chat to other devices,

e.g., smartphone, smartwatch, smart lighting. In an

IoT network, each device has a unique identifier

and can transfer and/or receive data over a network

connection.

Q But this is nothing new, haven’t devices been

connecting to the internet for years?

A Yes, they have. But technology has advanced so

much in recent times that we now have

the capability to connect many more

low cost, small, battery operated devices

to the internet. If we install a sensor on

such a device, the sensor can gather data,

then send the information over the

internet. This combined with the rise

of low-cost cloud computing is enabling

a vast amount of new opportunities.

For further information, read:

CENSIS ‘Getting started with IoT’

https://www.censis.org.uk/brochures

3

---

Q How is IoT cyber security different

to IT cyber security?

The main difference is that IoT devices are more connected

to the physical world. There is also a greater number

and wider range of types of IoT devices than IT devices.

The environments that IoT devices operate in are more

diverse than traditional IT systems and could include

being in remote areas, exposed to extreme weather or in a

situation in which they are vulnerable to tampering.

IoT devices are also procured, used or managed by a

wider range of people and are less likely to be maintained

and updated with the latest software when compared to

IT devices. While machine-to-machine communications

and attacks have been around for decades, IoT is a

relatively new term, and the most high-profile cyber

attacks have occurred in the last 10 years.

Q Why do intentional IoT cyber

attacks take place?

Intentional attacks on IoT devices occur for several

reasons, such as:

• Financial gain – a primary motivation for attacks is

either stealing information to sell or holding it for

extortion or ransom.

• Preventing or limiting ability to operate - possibly

motivated by revenge, differing beliefs, terrorism,

activism or an attempt to damage competitors

financially or reputationally. These could be attacks to

temporarily disrupt services or actions which could

lead to permanent physical damage to devices or

result in injury to users.

• Curiosity and challenge - while some attacks may be

financially motivated, others are driven by an interest

in technology, the challenge presented and the ability

to brag and boast about hacking activities.

Q Who commits cyber attacks?

There is no one profile of individual or organisation that

performs IoT attacks. They range from hackers working

alone or in small groups through to organised criminal

gangs and even nation states engaged in wider espionage

activity and/or cyber warfare.

Q How big a problem is an IoT

cyber attack?

We live in an increasingly hyper-connected world.

The introduction of IoT devices significantly increases

the surface of connected devices visible to be attacked

and thus the exposure to risk. IoT is therefore a potential

route into or to disrupt wider systems, applications and

networks, if not adequately protected.

The forecasts for the number of IoT devices varies but the

research organisation Gartner predicts that there will be

25 billion IoT devices by 2021. Bain & Company survey

reported that in 2018, 45% of IoT buyers in companies

cited security concerns as a factor limiting adoption.

These figures offer an indication of the size of the

challenge for both IoT developers and end users.

According to research by Dutch software firm Irdeto,

the financial risk to the UK from cyber attacks targeting

IoT devices could be approximately £1 billion annually,

a figure based on the current average cost per UK

business each year of £244,000.

Attacks tend

not to be

personal or specifically

targeted, it’s more often

the case that individuals

or organisations have

known IoT vulnerabilities,

making them easy targets

to attack

4

---

Cyber security vulnerabilities and risks

Technology evolution has led to the emergence of lowpower

IoT devices with high processing performance,

large internal data storage capacity and wireless

communications interconnectivity. The ability to integrate

small low-cost sensors into these devices has led to a

greater range of embedded and wearable products and

associated services. The inclusion of microphones and

cameras in IoT products has also raised concerns over

privacy, both in the workplace and in the home.

To increase the level of trust in the use of IoT devices and

services, reduce exposure to risk and drive greater adoption,

developers and manufacturers must be aware of the

potential vulnerabilities and ensure that these are reduced

or removed.

Vulnerabilities

IoT-based systems become vulnerable in several ways:

• Unsecure devices that are not password protected, or

that use simple, easy to break passwords that are not fit

for purpose

• Poor design, manufacturing and test processes

• Lack of IoT technical knowledge in companies

procuring solutions

• Unmaintained devices with firmware which has not

been kept up to date

• Poor device integration and configuration with other

electronic systems

• Undefined responsibility for IoT systems management

and maintenance

• Unused devices left connected to networks

• Unknown, forgotten, hidden - but exploitable - devices

network - these were devices like security cameras or

uninterruptable power supplies. Many were not registered

with the IT department and did not meet security

standards, making them vulnerable to attack.

The potential consequences in this case were very

worrying - the theft of personal medical data or an

attack on the systems that provide power to life-critical

machines in the event of a main power failure.

Good practice after identifying

vulnerability

It is good practice for organisations to develop and

publish a coordinated vulnerability disclosure (CVD)

process. A CVD process is the gathering of information

from whoever has found and legally reported a device

or service vulnerability, managing the distribution of the

information to stakeholders and disclosing the existence

and solutions to the stakeholders, often including the

public. It is generally expected that the reporting party will

not publicly share any knowledge of the vulnerability until

the process has been followed and ideally a solution or

mitigation is found.

These issues create particular challenges for smaller

or highly distributed organisations who may not have a

full-time member of staff responsible for cyber security.

It might fall to an IT or operations member of staff as only

part of their job.

Even in larger organisations with dedicated cyber security

staff, the sheer number of devices an organisation

handles can still create a challenge. This was highlighted

in a BBC interview with the Chief Information Security

Officer (CISO) for the largest health provider in New

Jersey, USA. The CISO was responsible for 13 hospitals

containing 30,000 computers, 300 apps, a data centre

and company mobile phones. During an IoT audit he

discovered 70,000 IoT devices accessing the company’s

5

---

Current IoT risk areas

• The Global Risks Report 2019 by the World Economic

Forum lists ‘Large-scale cyber-attacks’ and ‘Massive

incident of data fraud or theft’ as two of the top five

global risks in terms of likelihood during the next

10 years.

• The Economist Intelligence Unit’s (EIU) Top 10

Global Risks includes cyber-attacks and data integrity

concerns crippling large parts of the internet.

• Cambridge Global Risk Index 2019, a quantification

of the potential GDP impact, notes that cyber-attack

is the sixth highest financial risk ($39.7 Billion) after a

human pandemic and flooding.

• Security solutions company, Fortinet, reported in their

2018 4th Quarter Threat Landscape report that half

of the top 12 security exploits reported to their

company related to IoT devices.

• The digital information security company Gemalto

disclosed that only 48% of businesses can detect if

any of their IoT devices have suffered a security breach.

• ENISA Threat Landscape Report 2018 reports an

increasing number of attacks on Industrial Internet of

Things (IIoT) devices in utilities, oil and natural gas and

manufacturing sectors.

• F-Secure, a cyber security company with a

global presence, reported that the number of IoT

threats doubled in 2018, from 19 to 38 within a

12-month period.

Smart

televisions

Thermostats

Digital video

recorders/

network video

recorders

Voice over

IP (VOIP)

telephones

Networked

cameras

Popular

IoT

targets

Network

routers and

access points

Mobile

smartphones

Network

attached

storage

Printers

6

---

Common attack methods

Attacks on IoT devices are typically achieved in one of seven different ways, or by using a combination of the seven.

Exploits

Poor system

configuration

Distributed Denialof-Service

(DDoS)

IoT attack

methods

Cloud system and

data centre attacks

Man in middle attacks

Malware

Physical

Physical attacks

An IoT device can be compromised

if physical access can be gained to

external interfaces, such as USB ports

or test ports used in the manufacture,

maintenance or test of an IoT device.

Considered to be one of the earliest

cyber hacking tools designed to

cause physical damage to networked

equipment, Stuxnet was a malicious

computer worm aimed at industrial

control systems. It is believed to

have damaged Iranian uranium

enriching centrifuges in 2010 after

it was introduced to the

organisation’s network via a USB

stick. The organisation’s network was

not connected to the internet.

Exploits

Known vulnerabilities in an IoT

device’s hardware, embedded

software and operating system can

be exploited to gain access. These

vulnerabilities can range from poor

processing or formatting of data to

an insecure method for updating

the IoT device’s firmware and poor

memory management.

In 2017 the US Food and Drug

Administration (FDA) recalled 465,000

radio-controlled implantable cardiac

pacemakers due to identified cyber

security vulnerabilities; there were

concerns that hackers could control

the implanted devices. A firmware

update was issued to address the

vulnerabilities, allowing patients

whose devices were already fitted to

be updated and secured on the next

visit to their physician.

Poor system configuration

One of the simplest methods of

compromising an IoT device is by using

common, hardcoded, easily guessable

or weak passwords. Poor configurations

of an IoT device may also provide a

simple avenue to attack, for example

leaving a communications port open or

a backdoor login for test purposes.

In 2018 there were reports of an

audacious cyber attack saw a US casino

suffer a significant theft of data when its

IT networked systems were breached

via an IoT smart fish tank controller.

The poor configuration of the casino’s

network between the IoT and IT

systems led to 10 gigabytes of company

data being transferred to Finland before

the hack was identified and stopped.

7

---

Malware

Malware is software designed to

infiltrate and damage, control or

disable electronics systems, including

IoT devices. This can come in many

forms including viruses, worms,

trojans, ransomware, rootkit, spyware,

adware and keyloggers. Malware can

be used to form collectives of ‘bots’

(Botnets) for performing automated

malicious attacks (see sub-section

below). According to cyber security

solutions company McAfee, in the

last year there has been a rise of

203% in IoT malware in the form of

‘cryptominers’ that hijack devices

for mining cryptocurrency which

is currently seen as a more lucrative

business than ransomware.

In December 2015, a regional

electricity distribution company in

Ukraine was attacked. The SCADA

system controlling, and monitoring

power distribution was targeted,

enabling the attacker to switch off

several substations. To obtain initial

access to the company systems,

malware was delivered by email. Two

additional power companies were

also attacked resulting in 225,000

customers losing power for several

hours.

DDoS

Distributed Denial-of-

Service (DDoS)

DDoS involves an attacker gaining

access into a large number of

distributed IoT devices. When access

has been obtained, the attacker gains

control of the devices (usually by

installing malware), turning each of

the devices into what is called a ‘Bot’

or Zombie. The attacker can then

instruct a group of ‘Bots’ to act as a

‘Botnet’ to send requests to target

internet addresses, such as cloud

service providers. The significant

amount of internet traffic generated

reduces the capacity or prevents

the target from servicing other valid

users. This can also stop each of

the IoT ‘Bot’ devices functioning as

originally intended.

An example of this is the 2016 Mirai

Botnet. Several high-profile attacks

happened that year, including an attack

on Dyn, an internet infrastructure

company. The attack prevented users

from accessing social media accounts

and other popular websites in the US

and Europe. Mirai was one of the first

pieces of software to enable largescale

DDoS attacks. Mirai scans internet

addresses to find devices, e.g., digital

video recorders and CCTV cameras,

with unsafe, easy to guess, default

usernames and passwords; then it logsin

and configures the devices to send

data to an online target. With enough of

these devices or ‘bots’ sending data, the

online target is overloaded with requests

from ‘bots’ and is unable to accept

requests from legitimate users. More

than 100,000 devices were thought

to have been targeted, taken over, and

used in this attack.

Man-in-middle attacks

This describes where someone

intercepts communications between

IoT devices and/or other Internetconnected

systems. The attacker

poses as the original sender of the

data. This allows eavesdropping and

the ability to send data to and receive

data from the IoT devices undetected,

enabling manipulation of the IoT

devices and connected systems.

Cloud system and data

centre attacks

Cloud system and data centre attacks

can be performed in several ways

by targeting parts of the system

architecture. This may include

attacking the web server function

used to provide IoT dashboards

(displaying data from the IoT devices

or providing centralised control of IoT

devices), or attacking the database

systems used to store gathered IoT

data. As many IoT devices rely on a

cloud system to function correctly,

as part of the overall IoT solution, this

may render the IoT incapacitated or

severely limit the ability for the IoT

devices to function.

IoT attack

surface

IoT

device

Man-in-the-middle

Comms.

network

infrastructure

Man-in-the-middle

Cloud providers

Malware, exploits, poor system configuration and physical attack (Arrows show direction of attack/target)

8

---

IoT cyber security best practice

and legislation

In order to drive greater adoption of IoT, the public

needs to feel comfortable that the products and services

they buy or use are not only fit for purpose in terms

of functionality, but that they also protect them from

potential cyber-related threats.

To this end, the UK government has created a best

practice guide for IoT cyber security for manufacturers of

products and service providers. The objective of the Code

of Practice for Consumer IoT Security is to reduce the

challenge for individuals and organisations in making their

own assessment of what is cyber secure.

In the 2018 IDG Security Priorities Study 74% of

business respondents stated that best practices determine

their priority for security spending.

The UK Government takes

the issue of consumer IoT

security very seriously. We recognise the

urgent need to move the expectation

away from consumers securing their

own devices and instead ensure that

strong cyber security is built into these

products by design.”

“A recent survey of 6,482 consumers

has shown that when purchasing a

new consumer IoT product, ‘security’

is the third most important information

category (higher than privacy or design)

and among those who didn’t rank

‘security’ as a top-four consideration,

72% said that they expected security to

already be built into devices that were

already on the market”

Source: Consultation on the Government’s regulatory proposals

regarding consumer Internet of Things (IoT) security, May 2019

Best Practice Guides

In October 2018, the UK Government Department

for Digital, Culture, Media & Sport (DCMS) published

the Code of Practice for Consumer IoT Security.

These guidelines are aimed at everyone involved in the

development, manufacture, service provision and retail of

consumer IoT devices and services to ensure that they are

‘secure by design’.

The code considers consumers to be all end-users of IoT

products and services. Products include children’s toys,

smart cameras and TVs, wearable health trackers, home

automation and safety products such as smoke detectors

and burglar alarms.

While focused on products and services typically used in

the home, the general principles are applicable to those

used in commercial and industrial environments.

The Code includes a prioritised list of 13 good practice

IoT security guidelines:

1 No default passwords

All IoT device passwords shall be unique and not

resettable to any universal factory default value

2 Implement a vulnerability disclosure policy

All companies that provide internet-connected

devices and services shall provide a public point of

contact as part of a vulnerability disclosure policy in

order that security researchers and others are able

to report issues. Disclosed vulnerabilities should be

acted on in a timely manner.

3 Keep software updated

Software components in internet-connected devices

should be securely updateable. Updates shall be

timely and should not impact on the functioning of

the device. An end-of-life policy shall be published

for end-point devices which explicitly states the

minimum length of time for which a device will

receive software updates and the reasons for the

length of the support period. The need for each

update should be made clear to consumers and an

update should be easy to implement. For constrained

devices that cannot physically be updated, the

product should be isolatable and replaceable.

4 Securely store credentials and security-sensitive data

Any credentials shall be stored securely within services

and on devices. Hard-coded credentials in device

software are not acceptable.

5 Communicate securely

Security-sensitive data, including any remote

management and control, should be encrypted in

transit, appropriate to the properties of the technology

and usage. All keys should be managed securely.

6 Minimise exposed attack surfaces

All devices and services should operate on the

‘principle of least privilege’; unused ports should be

9

---

closed, hardware should not unnecessarily expose

access, services should not be available if they are not

used and code should be minimised to the

functionality necessary for the service to operate.

Software should run with appropriate privileges, taking

account of both security and functionality.

7 Ensure software integrity

Software on IoT devices should be verified using

secure boot mechanisms. If an unauthorised change

is detected, the device should alert the consumer/

administrator to an issue and should not connect

to wider networks than those necessary to perform

the alerting function.

8 Ensure that personal data is protected

Where devices and/or services process personal

data, they shall do so in accordance with applicable

data protection law, such as the General Data

Protection Regulation (GDPR) and the Data Protection

Act 2018. Device manufacturers and IoT service

providers shall provide consumers with clear and

transparent information about how their data is being

used, by whom, and for what purposes, for each

device and service. This also applies to any third

parties that may be involved (including advertisers).

Where personal data is processed on the basis of

consumers’ consent, this shall be validly and lawfully

obtained, with those consumers being given the

opportunity to withdraw it at any time.

9 Make systems resilient to outages

Resilience should be built in to IoT devices and

services where required by their usage or by other

relying systems, taking into account the possibility of

outages of data networks and power. As far as

reasonably possible, IoT services should remain

operating and locally functional in the case of a loss

of network and should recover cleanly in the case of

restoration of a loss of power. Devices should be able

to return to a network in a sensible state and in an

orderly fashion, rather than in a massive scale

reconnect.

10 Monitor system telemetry data

If telemetry data is collected from IoT devices and

services, such as usage and measurement data, it

should be monitored for security anomalies.

11 Make it easy for consumers to delete personal data

Devices and services should be configured such that

personal data can easily be removed from them when

there is a transfer of ownership, when the consumer

wishes to delete it and/or when the consumer wishes

to dispose of the device. Consumers should be given

clear instructions on how to delete their personal data.

12 Make installation and maintenance of devices easy

Installation and maintenance of IoT devices should

employ minimal steps and should follow security best

practice on usability. Consumers should also be

provided with guidance on how to securely set up

their device.

13. Validate input data

Data input via user interfaces and transferred via

application programming interfaces (APIs) or

between networks in services and devices shall

be validated.

Reproduced from Code of Practice for Consumer IoT Security.

Please read the Code for more information on each of the above

guidelines. The Department for Digital, Culture, Media and Sport will

periodically review the Code and publish updates, at least every two years.

Please visit https://www.gov.uk/government/collections/secure-by-design

to be kept informed.

10

---

The future for IoT device security

As IoT solutions evolve, so do the threats against them.

In the short-term companies, can ensure that they get

the basics of IoT cyber security correct. In the long-term,

to ensure companies maintain cyber security, foresighting

is required to identify new and emerging threats and

develop methods to mitigate against these. This is being

supported by governments, academic institutions, trade

bodies and commercial organisations.

In addition to the published Code of Practice for

Consumer IoT Security, several other industry and

government organisations have published their own

IoT security recommendations and guides. These

guides serve to support the design, manufacturing and

procurement processes of IoT components and systems.

While the majority of guides focus on the security of

software and communications, physical security for IoT

hardware is also of importance and covered in more

detail in articles such as IoTSF’s physical security article.

Further sources for guides:

• National Cyber Security Centre (NCSC)

www.ncsc.gov.uk

• Internet of Things Security Foundation (IoTSF)

www.iotsecurityfoundation.org

• EU Agency for Cybersecurity (formerly the

European Union Agency for Network and Information

Security - ENISA) www.enisa.europa.eu

• GSM Association (GSMA) www.gsma.com

• The National Institute of Standards and

Technology (NIST) www.nist.gov

• OWASP Foundation www.owasp.org

IoT-focused labelling, standards and

legislation

It is not enough to merely encourage the adoption of best

practice in the design of new products or services; industry

should also adopt common labelling that clearly shows

consumers that best practice has been followed. Not only

would this provide comfort and peace of mind to buyers;

it helps a manufacturer or service provider to stand out

from the competition and enhances their reputation as a

cyber security-focused company.

In a recent research paper by Harris Interactive, 73% of

people interviewed felt it is important or very important

to introduce labels that highlight the security features on

consumer IoT devices. Respondents also said that they

would pay up to 10% more for the product.

In May 2019, the UK Government launched a consultation

on its regulatory proposals for consumer IoT security,

stating its ambition for the first three points of its Code of

Practice for Consumer IoT Security launched in October

2018 to become mandatory. These are:

1 All IoT device passwords shall be unique and shall not

be resettable to any universal factory default value

2 The manufacturer shall provide a public point of

contact as part of a vulnerability disclosure policy

in order that security researchers and others are able

to report issues

3 Manufacturers will explicitly state the minimum

length of time for which the product will receive

security updates.

The consultation explored various options for the mandatory

labelling of IoT devices. It is expected that security labelling

will initially be introduced on a voluntary basis.

Proposed labels:

Positive

Essential security

features included

DEC

2021

Security updates

until at least Dec 2021

Essential security

features NOT included

Negative

Security updates

NOT provided

Source: https://www.gov.uk/government/consultations/consultationon-regulatory-proposals-on-consumer-iot-security/consultation-onthe-governments-regulatory-proposals-regarding-consumer-internetof-things-iot-security

Building on the 2018 UK Code of Practice, the European

Telecommunications Standards Institute (ETSI) released the

world’s first standard (ETSI TS 103 645) for consumer IoT

security in February 2019. Designed with worldwide needs

in mind, its purpose is to create a baseline for IoT security,

and will be used as the baseline for future IoT certification

schemes.

Other activities specifically focused on certification and

labelling include the British Standards Institute (BSI)

Kitemark TM for IoT devices, launched in 2018. Used for

over 100 years, the Kitemark is a well-recognised logo,

that indicates quality and safety in British products. Three

different Kitemarks for IoT devices exist; residential,

commercial and enhanced for residential or commercial

products used in high risk or high value applications.

Unlike the proposed UK regulation, the BSI IoT

assessment is not self-certification based, it requires:

• The IoT developer to hold compliance to the

ISO 9001 quality standards.

• Pass IoT product tests for functionality, interoperability

and security.

• Perform regular monitoring assessments of their

labelled products.

11

---

EU and US cyber security legislation

The new EU Cyber Security Act will come into force

providing ENISA, the European Union Agency for

Cybersecurity, an ongoing mandate to help the EU achieve

a common, high-level of cyber security across all member

states through better communication and collaboration.

ENISA’s remit includes the creation of a common European

cyber security certification framework for information and

communications technology (ICT) products, processes

and services, including IoT. This will work alongside

other regulation and EU directives, including General

Data Protection Regulation (GDPR) and Network and

Information Security Directive (NIS Directive), which,

respectively, focus on personal information security and

overall security and resilience of networks and information

systems in critical sectors.

Other regulation activities in IoT-related cyber security

elsewhere in the world include the approval of the

Californian Security of Connected Devices bill in USA.

The 2018 bill aims are:

“This bill, beginning on January 1, 2020, would require a

manufacturer of a connected device, as those terms are

defined, to equip the device with a reasonable security

feature or features that are appropriate to the nature and

function of the device, appropriate to the information it

may collect, contain, or transmit, and designed to protect

the device and any information contained therein from

unauthorized access, destruction, use, modification, or

disclosure, as specified.”

In March 2019 the US Senate reintroduced the IoT

Cybersecurity Improvement Act. The purpose of the act is

similar to the activities in the UK in developing a baseline

of cyber security requirements for IoT devices. To support

this, the American National Institute of Standards and

Technology (NIST) will issue recommendations addressing,

at a minimum, secure development, identity management,

patching, and configuration management for IoT devices.

This legislation is likely to affect Scottish companies

looking to export IoT devices and provide IoT services into

the EU and the US.

Summary

This document has introduced IoT cyber security and

the importance of the ‘secure by design’ principle, to

protect end users of IoT products and services. While the

effect of a hack on a single vulnerable IoT device may not

seem of concern, its interconnection to other systems

could result in a greater impact, whether it be data

theft or incapacitating the operation of a company.

A collective effort in following best practice will help to

ensure that IoT users will reap the benefits without being

exposed to unnecessary cyber security-related risks.

To support this effort, CENSIS has been commissioned by the

Scottish Government and Scottish Enterprise to run an IoT

cyber security programme over 2019/2020. The programme

of activity will include a series of workshops, an accelerator

programme and a themed hackathon to support innovation

and economic development in IoT cyber security.

12

---

Finding IoT expertise

If you have an idea for a product or service that could bring

value to your business and your customers, there are a

number of organisations who could support your plans.

If you contact CENSIS in the first instance, we can signpost

you to a suitable organisation for your needs, or we may be

able to provide advice, technical support and the resources

you need to create a full solution.

At CENSIS we see most IoT projects starting off as small-scale

pilots to test the functionality with off-the-shelf components

or modular electronics. This allows users to explore what

information is useful to gather and if the system will be

suitable for their requirements. A smaller pilot also allows all

the stakeholders to test, play, and understand the potential

impact of a larger scale rollout.

censis.org.uk

Your first prototype

Joining the IoT community

in Scotland

There are many organisations setting out on their IoT journey

and finding value in sharing thoughts and challenges.

With our experience across a huge range of market sectors

and our knowledge of enabling technologies, CENSIS has

strong relationships with Scottish companies, public sector

organisations, university research groups and hardware and

software suppliers.

As part of our CENSIS community, you can join in with

our regular IoT meetups to discuss ideas with like-minded

people, take part in one of our hands-on technical

workshops or come along to one of our Future Tech events

to solve market sector problems in an open forum.

The highlight of our year is the annual CENSIS Technology

Summit and Conference, where we hear from challenge

providers, meet exhibitors who are showcasing new

technologies, and network and connect with the sensors,

imaging and IoT community.

There are many ‘out of the box’, turnkey solutions that you

can buy off the shelf to let you create a first prototype and

test your IoT solution.

CENSIS has created a flexible IoT development kit that can

help you get up and running with IoT quickly and without

the need for deep technical knowledge. This has a range of

popular sensors, communication and power options and is

flexible to allow the user to measure and send data easily.

It allows users to explore IoT concepts without having to

code or configure networks themselves.

Join our

community at

censis.org.uk

13

---

Glossary

Please note that details of sources mentioned in this document may be found in the online version available at: censis.org.uk/brochures

TERM MEANING

Adware

Application Programming Interfaces (APIs)

Attack surface

Backdoor

Boot mechanism

Bots

Cloud system

Cryptominers

DDoS

Dashboard

Firmware

Hacking/Hacker

Industrial Internet of Things (IIoT)

Keyloggers

Machine to machine communication (M2)

Malware

Port

Ransomware

Rootkit

Routers

SCADA

Secure by design

Spyware

Trojan

Viruses

Voice over Internet Protocol (VOIP)

Worms

Unwanted software designed to display advertisements

The specification and software implementation enabling programs to communicate

The total of the vulnerabilities of a device or system

A method for bypassing security providing access to an IoT device or system

The process by which a device starts-up before use

Software that performs an automated task

Shared computer data centre providing services, such as data storage

Software designed to generate money through complex mathematical calculation

Distributed denial-of-service, an attack with the aim of incapacitating a system preventing it servicing genuine users

Also known as a User Interface or UI, this allows a person to interact with the computer system,

e.g., a computer screen, tablet, mobile phone.

Software controlling the low-level functionality of hardware

Breaking into electronic systems (often the term ‘cracker’ is used instead to indicate a hacker with malicious intent)

IoT used in manufacturing and industrial processes

Software or hardware designed to monitor and collect key-presses by a user

Machine to machine connected devices exchanging information with other connected devices, without

human intervention.

Software designed with an intended malicious purpose

A physical or virtual interface on a device for connecting to an external device(s)

Malware designed to perform an action with intent of extorting a ransom

Malware designed to provide covert external access to an electronic system

A device that directs computer/IoT network traffic

Supervisory control and data acquisition system

Designing a product, service or process with security in mind from development stage

A malware program designed to covertly gather information without consent

A malware program that looks legitimate but hides its malicious purpose

A malware program designed to spread to other electronic systems by replicating and attaching itself to

other computer programs

Technology to able voice and video calls over the internet

An independent malware program designed to spread to other electronic systems by replicating itself

14

---

CENSIS is the centre of excellence for sensor and imaging

systems (SIS) and Internet of Things (IoT) technologies.

We help organisations of all sizes explore innovation

and overcome technology barriers to achieve business

transformation.

As one of Scotland’s Innovation Centres, our focus is not

only creating sustainable economic value in the Scottish

economy, but also generating social benefit. Our industryexperienced

engineering and project management teams

work with companies or in collaborative teams with university

research experts.

We act as independent trusted advisers, allowing

organisations to implement quality, efficiency and

performance improvements and fast-track the development

of new products and services for global markets.

Contact details:

CENSIS

The Inovo Building

121 George Street

Glasgow

G1 1RD

Tel: 0141 330 3876

Email: info @censis.org.uk

19.8.v1.ICS