Cyber Security and IoT
Explaining why IoT (Internet of Things) devices must be secure by design. Published by CENSIS, the Innovation Centre for sensing, imaging and IoT.
censis.org.uk
Cyber security threats associated with Internet of Things (IoT) devices are evolving rapidly, keeping pace with the increased levels of IoT adoption across a range of end markets and application areas.

Integrating cyber security
While IoT devices offer transformational benefits to organisations and individuals,
they require designers and manufacturers to be hyper-aware of the need to create
solutions with cyber security and privacy in mind.
It is essential to integrate security features during the design stages of IoT products
and services, making them ‘secure by design’ and without impacting their
functionality.
This document is part of a Scottish Government-funded programme to demonstrate
the transformative potential of IoT across some of Scotland’s key growth industries.
It is intended as an introduction to IoT cyber security best practice to mitigate risks
and provides links to additional sources of information.
Whether you are in the development, manufacture, supply or procurement of IoT
devices and services, this document provides what you need to know.
Contents
Internet of Things (IoT) in context
Cyber security overview
Cyber security vulnerabilities and risks
Common attack methods
IoT cyber security best practice and legislation
The future for IoT device security
Glossary
Text with an explanation in the Glossary is underlined the first time it is used.
If you are reading the printed version of this brochure, you can download a hyperlinked pdf at censis.org.uk/brochures
The information in this brochure is correct at time of writing. September 2019.
Internet of Things (IoT) in context

Q What exactly does ‘Internet of Things’ mean?
A To simplify the vast amount of chat and hype around IoT, think of it in its broadest sense as: ‘a system of things using the internet or private network to connect and communicate with each other’.

Q What ‘things’?
A We say ‘things’ but really mean ‘devices’ that are connected via the internet to each other. Your phone is probably such a device. Some watches are internet-enabled. Often, you’ll hear ‘smart’ added to the front of something to describe that it can connect to the internet and chat to other devices, e.g., smartphone, smartwatch, smart lighting. In an IoT network, each device has a unique identifier and can transfer and/or receive data over a network connection.

Q But this is nothing new, haven’t devices been connecting to the internet for years?
A Yes, they have. But technology has advanced so much in recent times that we now have the capability to connect many more low-cost, small, battery-operated devices to the internet. If we install a sensor on such a device, the sensor can gather data, then send the information over the internet. This, combined with the rise of low-cost cloud computing, is enabling a vast amount of new opportunities.

For further information, read: CENSIS ‘Getting started with IoT’ https://www.censis.org.uk/brochures

Cyber security overview

Q What is cyber security?
A Cyber security is essential in preventing harm to the integrity of the electronic devices and services that people and organisations use daily, as well as ensuring the confidentiality of the data stored and transmitted. Some of these devices and services form the basis of our critical national infrastructure, such as emergency services, communications, transport, defence and utilities.
Cyber security involves the use of processes, technologies and controls for the protection of devices, systems, networks and data from cyber attacks and the ability to recover from these attacks.

Cyber security good practice: processes, technologies and controls are applied to devices, systems, networks and data, resulting in protection from cyber attacks and the ability to recover from attacks.
Q How is IoT cyber security different to IT cyber security?
The main difference is that IoT devices are more connected to the physical world. There is also a greater number and wider range of types of IoT devices than IT devices. The environments that IoT devices operate in are more diverse than traditional IT systems and could include being in remote areas, exposed to extreme weather or in a situation in which they are vulnerable to tampering.
IoT devices are also procured, used or managed by a wider range of people and are less likely to be maintained and updated with the latest software when compared to IT devices. While machine-to-machine communications and attacks have been around for decades, IoT is a relatively new term, and the most high-profile cyber attacks have occurred in the last 10 years.

Q Why do intentional IoT cyber attacks take place?
Intentional attacks on IoT devices occur for several reasons, such as:
• Financial gain – a primary motivation for attacks is either stealing information to sell or holding it for extortion or ransom.
• Preventing or limiting ability to operate – possibly motivated by revenge, differing beliefs, terrorism, activism or an attempt to damage competitors financially or reputationally. These could be attacks to temporarily disrupt services or actions which could lead to permanent physical damage to devices or result in injury to users.
• Curiosity and challenge – while some attacks may be financially motivated, others are driven by an interest in technology, the challenge presented and the ability to brag and boast about hacking activities.

Q Who commits cyber attacks?
There is no one profile of individual or organisation that performs IoT attacks. They range from hackers working alone or in small groups through to organised criminal gangs and even nation states engaged in wider espionage activity and/or cyber warfare.

Q How big a problem is an IoT cyber attack?
We live in an increasingly hyper-connected world. The introduction of IoT devices significantly increases the surface of connected devices visible to be attacked and thus the exposure to risk. IoT is therefore a potential route into, or a means to disrupt, wider systems, applications and networks, if not adequately protected.
The forecasts for the number of IoT devices vary, but the research organisation Gartner predicts that there will be 25 billion IoT devices by 2021. A Bain & Company survey reported that in 2018, 45% of IoT buyers in companies cited security concerns as a factor limiting adoption. These figures offer an indication of the size of the challenge for both IoT developers and end users.
According to research by Dutch software firm Irdeto, the financial risk to the UK from cyber attacks targeting IoT devices could be approximately £1 billion annually, a figure based on the current average cost per UK business each year of £244,000.

Attacks tend not to be personal or specifically targeted; it’s more often the case that individuals or organisations have known IoT vulnerabilities, making them easy targets to attack.
Cyber security vulnerabilities and risks
Technology evolution has led to the emergence of low-power
IoT devices with high processing performance,
large internal data storage capacity and wireless
communications interconnectivity. The ability to integrate
small low-cost sensors into these devices has led to a
greater range of embedded and wearable products and
associated services. The inclusion of microphones and
cameras in IoT products has also raised concerns over
privacy, both in the workplace and in the home.
To increase the level of trust in the use of IoT devices and
services, reduce exposure to risk and drive greater adoption,
developers and manufacturers must be aware of the
potential vulnerabilities and ensure that these are reduced
or removed.
Vulnerabilities
IoT-based systems become vulnerable in several ways:
• Unsecure devices that are not password protected, or
that use simple, easy to break passwords that are not fit
for purpose
• Poor design, manufacturing and test processes
• Lack of IoT technical knowledge in companies
procuring solutions
• Unmaintained devices with firmware which has not
been kept up to date
• Poor device integration and configuration with other
electronic systems
• Undefined responsibility for IoT systems management
and maintenance
• Unused devices left connected to networks
• Unknown, forgotten, hidden - but exploitable - devices
These issues create particular challenges for smaller or highly distributed organisations who may not have a full-time member of staff responsible for cyber security. It might fall to an IT or operations member of staff as only part of their job.
Even in larger organisations with dedicated cyber security staff, the sheer number of devices an organisation handles can still create a challenge. This was highlighted in a BBC interview with the Chief Information Security Officer (CISO) for the largest health provider in New Jersey, USA. The CISO was responsible for 13 hospitals containing 30,000 computers, 300 apps, a data centre and company mobile phones. During an IoT audit he discovered 70,000 IoT devices accessing the company’s network - these were devices like security cameras or uninterruptable power supplies. Many were not registered with the IT department and did not meet security standards, making them vulnerable to attack.
The potential consequences in this case were very worrying - the theft of personal medical data or an attack on the systems that provide power to life-critical machines in the event of a main power failure.

Good practice after identifying vulnerability
It is good practice for organisations to develop and publish a coordinated vulnerability disclosure (CVD) process. A CVD process is the gathering of information from whoever has found and legally reported a device or service vulnerability, managing the distribution of the information to stakeholders and disclosing the existence and solutions to the stakeholders, often including the public. It is generally expected that the reporting party will not publicly share any knowledge of the vulnerability until the process has been followed and ideally a solution or mitigation is found.
Current IoT risk areas
• The Global Risks Report 2019 by the World Economic
Forum lists ‘Large-scale cyber-attacks’ and ‘Massive
incident of data fraud or theft’ as two of the top five
global risks in terms of likelihood during the next
10 years.
• The Economist Intelligence Unit’s (EIU) Top 10
Global Risks includes cyber-attacks and data integrity
concerns crippling large parts of the internet.
• Cambridge Global Risk Index 2019, a quantification
of the potential GDP impact, notes that cyber-attack
is the sixth highest financial risk ($39.7 Billion) after a
human pandemic and flooding.
• Security solutions company, Fortinet, reported in their
2018 4th Quarter Threat Landscape report that half
of the top 12 security exploits reported to their
company related to IoT devices.
• The digital information security company Gemalto
disclosed that only 48% of businesses can detect if
any of their IoT devices have suffered a security breach.
• ENISA Threat Landscape Report 2018 reports an
increasing number of attacks on Industrial Internet of
Things (IIoT) devices in utilities, oil and natural gas and
manufacturing sectors.
• F-Secure, a cyber security company with a
global presence, reported that the number of IoT
threats doubled in 2018, from 19 to 38 within a
12-month period.
Popular IoT targets: smart televisions, thermostats, digital video recorders/network video recorders, Voice over IP (VoIP) telephones, networked cameras, network routers and access points, mobile smartphones, network attached storage and printers.
Common attack methods
Attacks on IoT devices are typically achieved in one of seven different ways, or by using a combination of the seven: exploits, poor system configuration, Distributed Denial-of-Service (DDoS), cloud system and data centre attacks, man-in-the-middle attacks, malware and physical attacks.

Physical attacks
An IoT device can be compromised
if physical access can be gained to
external interfaces, such as USB ports
or test ports used in the manufacture,
maintenance or test of an IoT device.
Considered to be one of the earliest
cyber hacking tools designed to
cause physical damage to networked
equipment, Stuxnet was a malicious
computer worm aimed at industrial
control systems. It is believed to
have damaged Iranian uranium
enriching centrifuges in 2010 after
it was introduced to the
organisation’s network via a USB
stick. The organisation’s network was
not connected to the internet.
Exploits
Known vulnerabilities in an IoT
device’s hardware, embedded
software and operating system can
be exploited to gain access. These
vulnerabilities can range from poor
processing or formatting of data to
an insecure method for updating
the IoT device’s firmware and poor
memory management.
In 2017 the US Food and Drug
Administration (FDA) recalled 465,000
radio-controlled implantable cardiac
pacemakers due to identified cyber
security vulnerabilities; there were
concerns that hackers could control
the implanted devices. A firmware
update was issued to address the
vulnerabilities, allowing patients
whose devices were already fitted to
be updated and secured on the next
visit to their physician.
Poor system configuration
One of the simplest methods of
compromising an IoT device is by using
common, hardcoded, easily guessable
or weak passwords. Poor configurations
of an IoT device may also provide a
simple avenue to attack, for example
leaving a communications port open or
a backdoor login for test purposes.
In 2018 there were reports of an audacious cyber attack in which a US casino suffered a significant theft of data when its IT networked systems were breached via an IoT smart fish tank controller. The poor configuration of the casino’s network between the IoT and IT systems led to 10 gigabytes of company data being transferred to Finland before the hack was identified and stopped.
Malware
Malware is software designed to
infiltrate and damage, control or
disable electronics systems, including
IoT devices. This can come in many
forms including viruses, worms,
trojans, ransomware, rootkit, spyware,
adware and keyloggers. Malware can
be used to form collectives of ‘bots’
(Botnets) for performing automated
malicious attacks (see sub-section
below). According to cyber security
solutions company McAfee, in the
last year there has been a rise of
203% in IoT malware in the form of
‘cryptominers’ that hijack devices
for mining cryptocurrency which
is currently seen as a more lucrative
business than ransomware.
In December 2015, a regional
electricity distribution company in
Ukraine was attacked. The SCADA
system controlling, and monitoring
power distribution was targeted,
enabling the attacker to switch off
several substations. To obtain initial
access to the company systems,
malware was delivered by email. Two
additional power companies were
also attacked resulting in 225,000
customers losing power for several
hours.
Distributed Denial-of-Service (DDoS)
DDoS involves an attacker gaining
access into a large number of
distributed IoT devices. When access
has been obtained, the attacker gains
control of the devices (usually by
installing malware), turning each of
the devices into what is called a ‘Bot’
or Zombie. The attacker can then
instruct a group of ‘Bots’ to act as a
‘Botnet’ to send requests to target
internet addresses, such as cloud
service providers. The significant
amount of internet traffic generated
reduces the capacity or prevents
the target from servicing other valid
users. This can also stop each of
the IoT ‘Bot’ devices functioning as
originally intended.
An example of this is the 2016 Mirai Botnet. Several high-profile attacks happened that year, including an attack on Dyn, an internet infrastructure company. The attack prevented users from accessing social media accounts and other popular websites in the US and Europe. Mirai was one of the first pieces of software to enable large-scale DDoS attacks. Mirai scans internet addresses to find devices, e.g., digital video recorders and CCTV cameras, with unsafe, easy to guess, default usernames and passwords; then it logs in and configures the devices to send data to an online target. With enough of these devices or ‘bots’ sending data, the online target is overloaded with requests from ‘bots’ and is unable to accept requests from legitimate users. More than 100,000 devices were thought to have been targeted, taken over, and used in this attack.
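A device recruited into a botnet of this kind does not look like a camera any more: its outbound traffic jumps by orders of magnitude. Guideline 10 of the Code of Practice reproduced in this brochure asks for exactly this kind of telemetry to be monitored for security anomalies, and guideline 13 asks that data arriving over APIs be validated first. The Python below is an added example written for this edition, not code from the brochure or from CENSIS. The telemetry records, device names, field names (out_bytes, out_conns) and the 10× threshold are all constructed for illustration. It validates each incoming record against a strict schema before trusting it, rejects malformed lines with a reason, and then flags any device whose outbound bytes or connection count leaps far above its own running average.

```python
import json
from collections import defaultdict
from statistics import mean

# Constructed sample telemetry, one JSON record per line, as a cloud
# platform might receive from a small fleet of networked cameras.  Device
# names and values are invented for this example.  cam-01's last record
# shows the kind of jump in outbound traffic a device recruited into a
# DDoS botnet produces; the last two lines are malformed on purpose.
SAMPLE_TELEMETRY = """
{"device": "cam-01", "ts": 1000, "out_bytes": 12000, "out_conns": 3}
{"device": "cam-01", "ts": 1060, "out_bytes": 11800, "out_conns": 3}
{"device": "cam-01", "ts": 1120, "out_bytes": 12300, "out_conns": 4}
{"device": "cam-01", "ts": 1180, "out_bytes": 11900, "out_conns": 3}
{"device": "cam-01", "ts": 1240, "out_bytes": 950000, "out_conns": 410}
{"device": "cam-02", "ts": 1000, "out_bytes": 9000, "out_conns": 2}
{"device": "cam-02", "ts": 1060, "out_bytes": 9100, "out_conns": 2}
{"device": "cam-02", "ts": 1120, "out_bytes": 8900, "out_conns": 2}
{"device": "cam-02", "ts": 1180, "out_bytes": 9200, "out_conns": 2}
{"device": "cam-02", "ts": 1240, "out_bytes": 9050, "out_conns": 2}
not valid json at all
{"device": "cam-03", "ts": 1000, "out_bytes": -5, "out_conns": 2}
"""

# Hypothetical schema: the fields and types every record must carry.
REQUIRED_FIELDS = {"device": str, "ts": int, "out_bytes": int, "out_conns": int}


def validate_record(obj):
    """Return the record if it matches the schema, else raise ValueError.
    Validation happens before any value is trusted for analysis."""
    if not isinstance(obj, dict):
        raise ValueError("record is not a JSON object")
    unexpected = set(obj) - set(REQUIRED_FIELDS)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for name, expected_type in REQUIRED_FIELDS.items():
        if name not in obj:
            raise ValueError(f"missing field {name!r}")
        value = obj[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise ValueError(f"field {name!r} has the wrong type")
    if not 1 <= len(obj["device"]) <= 64:
        raise ValueError("device id must be 1-64 characters")
    for name in ("ts", "out_bytes", "out_conns"):
        if obj[name] < 0:
            raise ValueError(f"field {name!r} must be non-negative")
    return obj


def parse_telemetry(text):
    """Split newline-delimited JSON into (valid_records, rejected_lines).
    Rejected lines are kept with their line number and reason for logging."""
    records, rejected = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(validate_record(json.loads(line)))
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            rejected.append((line_no, str(exc)))
    return records, rejected


def detect_spikes(records, ratio=10.0, min_baseline=3):
    """Flag records whose outbound bytes or connection count exceed `ratio`
    times the device's own running average.  Each device is compared with
    its own history, so a busy NAS and a quiet thermostat are each judged
    against their normal behaviour.  Flagged records are kept out of the
    baseline so one burst does not mask the next."""
    history = defaultdict(lambda: {"out_bytes": [], "out_conns": []})
    alerts = []
    for rec in records:
        device_history = history[rec["device"]]
        spiking = []
        for field in ("out_bytes", "out_conns"):
            prior = device_history[field]
            if len(prior) >= min_baseline and rec[field] > max(mean(prior), 1) * ratio:
                spiking.append(field)
        if spiking:
            alerts.append({"device": rec["device"], "ts": rec["ts"], "fields": spiking})
        else:
            for field in ("out_bytes", "out_conns"):
                device_history[field].append(rec[field])
    return alerts


if __name__ == "__main__":
    valid, bad = parse_telemetry(SAMPLE_TELEMETRY)
    for line_no, reason in bad:
        print(f"rejected line {line_no}: {reason}")
    for alert in detect_spikes(valid):
        print(f"ALERT {alert['device']} at ts={alert['ts']}: spike in {', '.join(alert['fields'])}")
```

On the constructed input the two malformed lines are rejected and only cam-01's final record is flagged, on both fields. A per-device baseline is the important design choice: a fleet-wide threshold would either miss a quiet device that has been taken over or drown a legitimately busy one in false alarms.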
Man-in-the-middle attacks
This describes where someone intercepts communications between IoT devices and/or other Internet-connected systems. The attacker poses as the original sender of the data. This allows eavesdropping and the ability to send data to and receive data from the IoT devices undetected, enabling manipulation of the IoT devices and connected systems.
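The defence against this interception is to make the cloud able to tell a genuine device message from a modified, replayed or forged one. In practice that is normally done with TLS (guideline 5 of the Code of Practice, ‘Communicate securely’), which also encrypts the traffic. The Python below is an added example for this edition, not code from the brochure or from CENSIS; it strips the idea down to application-layer message authentication so the mechanism is visible. It assumes a per-device secret key shared with the cloud at provisioning, a hypothetical device ‘thermostat-7’ and a made-up setpoint payload. An HMAC alone protects integrity and authenticity, not confidentiality: an eavesdropper on the path still sees the payload, which is why encryption in transit is required as well.

```python
import hashlib
import hmac
import json
import secrets


def canonical_bytes(device_id, seq, payload):
    """Deterministic encoding of the authenticated fields.  Device and
    cloud must agree on this byte-for-byte or tags will never match."""
    body = {"device_id": device_id, "seq": seq, "payload": payload}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key, device_id, seq, payload):
    """Device side: attach an HMAC-SHA256 tag over id, counter and payload.
    The counter (seq) is what lets the receiver reject replays."""
    tag = hmac.new(key, canonical_bytes(device_id, seq, payload), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "seq": seq, "payload": payload, "mac": tag}


class CloudReceiver:
    """Cloud side: one secret per device and the last counter accepted."""

    def __init__(self, device_keys):
        self.device_keys = dict(device_keys)
        self.last_seq = {device: -1 for device in device_keys}

    def accept(self, msg):
        """Return (True, payload) for an authentic, fresh message, or
        (False, reason).  The tag is checked before the counter, so a
        forged message reveals nothing about the current counter."""
        device_id = msg.get("device_id")
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        tag = msg.get("mac")
        if not isinstance(tag, str):
            return False, "bad mac"
        expected = hmac.new(
            key, canonical_bytes(device_id, msg.get("seq"), msg.get("payload")), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, tag):
            return False, "bad mac"
        seq = msg.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq[device_id]:
            return False, "replay"
        self.last_seq[device_id] = seq
        return True, msg["payload"]


def run_exchange():
    """Walk through a genuine message, an in-transit modification, a
    replay and a forgery, returning the receiver's verdict on each."""
    key = secrets.token_bytes(32)  # constructed per-device secret
    cloud = CloudReceiver({"thermostat-7": key})
    verdicts = []

    genuine = sign_message(key, "thermostat-7", 1, {"setpoint_c": 21})
    verdicts.append(cloud.accept(genuine))

    # Someone on the path rewrites the setpoint but cannot recompute the tag.
    tampered = dict(genuine, payload={"setpoint_c": 35})
    verdicts.append(cloud.accept(tampered))

    # The original, valid message is delivered a second time.
    verdicts.append(cloud.accept(genuine))

    # A message built by someone who does not hold the device's key.
    forged = sign_message(b"not-the-device-key", "thermostat-7", 2, {"setpoint_c": 35})
    verdicts.append(cloud.accept(forged))
    return verdicts


if __name__ == "__main__":
    for label, verdict in zip(("genuine", "tampered", "replayed", "forged"), run_exchange()):
        print(f"{label:9s} -> {verdict}")
```

Only the first message is accepted; the modified, replayed and forged copies are all refused, and the receiver's verdict says why. The same three checks (authenticate, compare in constant time, then enforce freshness) are what a TLS session or a signed MQTT payload give you under the hood.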
Cloud system and data
centre attacks
Cloud system and data centre attacks
can be performed in several ways
by targeting parts of the system
architecture. This may include
attacking the web server function
used to provide IoT dashboards
(displaying data from the IoT devices
or providing centralised control of IoT
devices), or attacking the database
systems used to store gathered IoT
data. As many IoT devices rely on a
cloud system to function correctly,
as part of the overall IoT solution, this
may render the IoT incapacitated or
severely limit the ability for the IoT
devices to function.
IoT attack surface (diagram): IoT device, comms. network infrastructure and cloud providers, with man-in-the-middle attacks on the links between them; malware, exploits, poor system configuration and physical attack (arrows show direction of attack/target).
IoT cyber security best practice
and legislation
In order to drive greater adoption of IoT, the public
needs to feel comfortable that the products and services
they buy or use are not only fit for purpose in terms
of functionality, but that they also protect them from
potential cyber-related threats.
To this end, the UK government has created a best
practice guide for IoT cyber security for manufacturers of
products and service providers. The objective of the Code
of Practice for Consumer IoT Security is to reduce the
challenge for individuals and organisations in making their
own assessment of what is cyber secure.
In the 2018 IDG Security Priorities Study 74% of
business respondents stated that best practices determine
their priority for security spending.
“The UK Government takes the issue of consumer IoT security very seriously. We recognise the urgent need to move the expectation away from consumers securing their own devices and instead ensure that strong cyber security is built into these products by design.”
“A recent survey of 6,482 consumers has shown that when purchasing a new consumer IoT product, ‘security’ is the third most important information category (higher than privacy or design) and among those who didn’t rank ‘security’ as a top-four consideration, 72% said that they expected security to already be built into devices that were already on the market.”
Source: Consultation on the Government’s regulatory proposals regarding consumer Internet of Things (IoT) security, May 2019
Best Practice Guides
In October 2018, the UK Government Department
for Digital, Culture, Media & Sport (DCMS) published
the Code of Practice for Consumer IoT Security.
These guidelines are aimed at everyone involved in the
development, manufacture, service provision and retail of
consumer IoT devices and services to ensure that they are
‘secure by design’.
The code considers consumers to be all end-users of IoT
products and services. Products include children’s toys,
smart cameras and TVs, wearable health trackers, home
automation and safety products such as smoke detectors
and burglar alarms.
While focused on products and services typically used in
the home, the general principles are applicable to those
used in commercial and industrial environments.
The Code includes a prioritised list of 13 good practice
IoT security guidelines:
1 No default passwords
All IoT device passwords shall be unique and not
resettable to any universal factory default value
2 Implement a vulnerability disclosure policy
All companies that provide internet-connected
devices and services shall provide a public point of
contact as part of a vulnerability disclosure policy in
order that security researchers and others are able
to report issues. Disclosed vulnerabilities should be
acted on in a timely manner.
3 Keep software updated
Software components in internet-connected devices
should be securely updateable. Updates shall be
timely and should not impact on the functioning of
the device. An end-of-life policy shall be published
for end-point devices which explicitly states the
minimum length of time for which a device will
receive software updates and the reasons for the
length of the support period. The need for each
update should be made clear to consumers and an
update should be easy to implement. For constrained
devices that cannot physically be updated, the
product should be isolatable and replaceable.
4 Securely store credentials and security-sensitive data
Any credentials shall be stored securely within services
and on devices. Hard-coded credentials in device
software are not acceptable.
5 Communicate securely
Security-sensitive data, including any remote
management and control, should be encrypted in
transit, appropriate to the properties of the technology
and usage. All keys should be managed securely.
6 Minimise exposed attack surfaces
All devices and services should operate on the
‘principle of least privilege’; unused ports should be
closed, hardware should not unnecessarily expose
access, services should not be available if they are not
used and code should be minimised to the
functionality necessary for the service to operate.
Software should run with appropriate privileges, taking
account of both security and functionality.
7 Ensure software integrity
Software on IoT devices should be verified using
secure boot mechanisms. If an unauthorised change
is detected, the device should alert the consumer/
administrator to an issue and should not connect
to wider networks than those necessary to perform
the alerting function.
8 Ensure that personal data is protected
Where devices and/or services process personal
data, they shall do so in accordance with applicable
data protection law, such as the General Data
Protection Regulation (GDPR) and the Data Protection
Act 2018. Device manufacturers and IoT service
providers shall provide consumers with clear and
transparent information about how their data is being
used, by whom, and for what purposes, for each
device and service. This also applies to any third
parties that may be involved (including advertisers).
Where personal data is processed on the basis of
consumers’ consent, this shall be validly and lawfully
obtained, with those consumers being given the
opportunity to withdraw it at any time.
9 Make systems resilient to outages
Resilience should be built in to IoT devices and
services where required by their usage or by other
relying systems, taking into account the possibility of
outages of data networks and power. As far as
reasonably possible, IoT services should remain
operating and locally functional in the case of a loss
of network and should recover cleanly in the case of
restoration of a loss of power. Devices should be able
to return to a network in a sensible state and in an
orderly fashion, rather than in a massive scale
reconnect.
10 Monitor system telemetry data
If telemetry data is collected from IoT devices and
services, such as usage and measurement data, it
should be monitored for security anomalies.
11 Make it easy for consumers to delete personal data
Devices and services should be configured such that
personal data can easily be removed from them when
there is a transfer of ownership, when the consumer
wishes to delete it and/or when the consumer wishes
to dispose of the device. Consumers should be given
clear instructions on how to delete their personal data.
12 Make installation and maintenance of devices easy
Installation and maintenance of IoT devices should
employ minimal steps and should follow security best
practice on usability. Consumers should also be
provided with guidance on how to securely set up
their device.
13 Validate input data
Data input via user interfaces and transferred via
application programming interfaces (APIs) or
between networks in services and devices shall
be validated.
Reproduced from Code of Practice for Consumer IoT Security.
Please read the Code for more information on each of the above
guidelines. The Department for Digital, Culture, Media and Sport will
periodically review the Code and publish updates, at least every two years.
Please visit https://www.gov.uk/government/collections/secure-by-design
to be kept informed.
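Guidelines 1 and 4 above are the ones the attacks described earlier in this brochure (Mirai, poor system configuration) exploit most directly. The Python below is an added example written for this edition, not code from the Code of Practice, DCMS or CENSIS, showing what the two guidelines look like at the point a device is provisioned: every device receives its own randomly generated credential, the credential is checked against a blocklist of universal defaults and against the device serial so it cannot be guessed from the label, and only a salted PBKDF2 hash is retained on the device and in the cloud. The blocklist, the 12-character minimum, the iteration count and the serial numbers are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed blocklist of universal factory defaults that must never be
# accepted (guideline 1).  A real deployment would maintain a longer list.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "root", "default", "user", "guest", "support"}

PASSWORD_LENGTH = 16        # assumed policy values for this example
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000


def generate_device_password(length=PASSWORD_LENGTH):
    """A fresh, unpredictable credential per device, from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_password_policy(password, device_serial=""):
    """Return a list of policy violations; an empty list means acceptable.
    Catches the patterns the brochure names: universal defaults, trivially
    short or repetitive values, and values guessable from the serial."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("is a known factory default")
    if device_serial and device_serial.lower() in password.lower():
        problems.append("derived from device serial")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the plaintext
    (guideline 4).  The record carries its own parameters so the
    iteration count can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def provision_device(serial):
    """Issue one device its unique credential.  Returns the plaintext (to
    be handed to the owner once at set-up) and the hash, which is the
    only form kept on the device and in the cloud."""
    password = generate_device_password()
    problems = check_password_policy(password, serial)
    if problems:
        raise RuntimeError(f"generated password failed policy: {problems}")
    return password, hash_password(password)


def provision_batch(serials):
    """Provision a production batch and confirm no two devices share a
    credential, which is exactly the failure a universal default is."""
    issued, seen = {}, set()
    for serial in serials:
        password, stored = provision_device(serial)
        if password in seen:
            raise RuntimeError("duplicate credential in batch")
        seen.add(password)
        issued[serial] = stored
    return issued


if __name__ == "__main__":
    print("admin:", check_password_policy("admin", "SN-0001"))
    pw, record = provision_device("SN-0042")
    print("stored record:", record)
    print("verify correct:", verify_password(pw, record), "verify wrong:", verify_password(pw + "x", record))
```

Nothing in the stored record lets an attacker who copies it off a device log in to any other device, which is the property a shared default password destroys, and the per-record salt and iteration count mean the same policy can be tightened on later production runs without re-provisioning existing stock.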
The future for IoT device security
As IoT solutions evolve, so do the threats against them. In the short term, companies can ensure that they get the basics of IoT cyber security correct. In the long term, to ensure companies maintain cyber security, foresighting is required to identify new and emerging threats and develop methods to mitigate against these. This is being supported by governments, academic institutions, trade bodies and commercial organisations.
In addition to the published Code of Practice for
Consumer IoT Security, several other industry and
government organisations have published their own
IoT security recommendations and guides. These
guides serve to support the design, manufacturing and
procurement processes of IoT components and systems.
While the majority of guides focus on the security of
software and communications, physical security for IoT
hardware is also of importance and covered in more
detail in articles such as IoTSF’s physical security article.
Further sources for guides:
• National Cyber Security Centre (NCSC)
www.ncsc.gov.uk
• Internet of Things Security Foundation (IoTSF)
www.iotsecurityfoundation.org
• EU Agency for Cybersecurity (formerly the
European Union Agency for Network and Information
Security - ENISA) www.enisa.europa.eu
• GSM Association (GSMA) www.gsma.com
• The National Institute of Standards and
Technology (NIST) www.nist.gov
• OWASP Foundation www.owasp.org
IoT-focused labelling, standards and
legislation
It is not enough to merely encourage the adoption of best
practice in the design of new products or services; industry
should also adopt common labelling that clearly shows
consumers that best practice has been followed. Not only
would this provide comfort and peace of mind to buyers;
it helps a manufacturer or service provider to stand out
from the competition and enhances their reputation as a
cyber security-focused company.
In a recent research paper by Harris Interactive, 73% of
people interviewed felt it is important or very important
to introduce labels that highlight the security features on
consumer IoT devices. Respondents also said that they
would pay up to 10% more for the product.
In May 2019, the UK Government launched a consultation
on its regulatory proposals for consumer IoT security,
stating its ambition for the first three points of its Code of
Practice for Consumer IoT Security launched in October
2018 to become mandatory. These are:
1 All IoT device passwords shall be unique and shall not
be resettable to any universal factory default value
2 The manufacturer shall provide a public point of
contact as part of a vulnerability disclosure policy
in order that security researchers and others are able
to report issues
3 Manufacturers will explicitly state the minimum
length of time for which the product will receive
security updates.
The consultation explored various options for the mandatory
labelling of IoT devices. It is expected that security labelling
will initially be introduced on a voluntary basis.
Proposed labels:
Positive: ‘Essential security features included’; ‘Security updates until at least Dec 2021’ (the example label shows DEC 2021).
Negative: ‘Essential security features NOT included’; ‘Security updates NOT provided’.
Source: https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security/consultation-on-the-governments-regulatory-proposals-regarding-consumer-internet-of-things-iot-security
Building on the 2018 UK Code of Practice, the European
Telecommunications Standards Institute (ETSI) released the
world’s first standard (ETSI TS 103 645) for consumer IoT
security in February 2019. Designed with worldwide needs
in mind, its purpose is to create a baseline for IoT security,
and will be used as the baseline for future IoT certification
schemes.
Other activities specifically focused on certification and labelling include the British Standards Institute (BSI) Kitemark™ for IoT devices, launched in 2018. Used for over 100 years, the Kitemark is a well-recognised logo that indicates quality and safety in British products. Three different Kitemarks for IoT devices exist: residential, commercial and enhanced for residential or commercial products used in high risk or high value applications.
Unlike the proposed UK regulation, the BSI IoT assessment is not self-certification based; it requires the IoT developer to:
• Hold compliance to the ISO 9001 quality standards.
• Pass IoT product tests for functionality, interoperability and security.
• Perform regular monitoring assessments of their labelled products.
EU and US cyber security legislation
The new EU Cyber Security Act will come into force
providing ENISA, the European Union Agency for
Cybersecurity, an ongoing mandate to help the EU achieve
a common, high-level of cyber security across all member
states through better communication and collaboration.
ENISA’s remit includes the creation of a common European
cyber security certification framework for information and
communications technology (ICT) products, processes
and services, including IoT. This will work alongside
other regulation and EU directives, including General
Data Protection Regulation (GDPR) and Network and
Information Security Directive (NIS Directive), which,
respectively, focus on personal information security and
overall security and resilience of networks and information
systems in critical sectors.
Other regulation activities in IoT-related cyber security
elsewhere in the world include the approval of the
Californian Security of Connected Devices bill in USA.
The 2018 bill aims are:
“This bill, beginning on January 1, 2020, would require a
manufacturer of a connected device, as those terms are
defined, to equip the device with a reasonable security
feature or features that are appropriate to the nature and
function of the device, appropriate to the information it
may collect, contain, or transmit, and designed to protect
the device and any information contained therein from
unauthorized access, destruction, use, modification, or
disclosure, as specified.”
In March 2019 the US Senate reintroduced the IoT
Cybersecurity Improvement Act. The purpose of the act is
similar to the activities in the UK in developing a baseline
of cyber security requirements for IoT devices. To support
this, the American National Institute of Standards and
Technology (NIST) will issue recommendations addressing,
at a minimum, secure development, identity management,
patching, and configuration management for IoT devices.
This legislation is likely to affect Scottish companies
looking to export IoT devices and provide IoT services into
the EU and the US.
Summary
This document has introduced IoT cyber security and
the importance of the ‘secure by design’ principle, to
protect end users of IoT products and services. While the
effect of a hack on a single vulnerable IoT device may not
seem of concern, its interconnection to other systems
could result in a far greater impact, whether that is data
theft or the incapacitation of a company's operations.
A collective effort in following best practice will help to
ensure that IoT users will reap the benefits without being
exposed to unnecessary cyber security-related risks.
To support this effort, CENSIS has been commissioned by the
Scottish Government and Scottish Enterprise to run an IoT
cyber security programme over 2019/2020. The programme
of activity will include a series of workshops, an accelerator
programme and a themed hackathon to support innovation
and economic development in IoT cyber security.
Finding IoT expertise
If you have an idea for a product or service that could bring
value to your business and your customers, there are a
number of organisations who could support your plans.
If you contact CENSIS in the first instance, we can signpost
you to a suitable organisation for your needs, or we may be
able to provide advice, technical support and the resources
you need to create a full solution.
At CENSIS we see most IoT projects starting off as small-scale
pilots to test the functionality with off-the-shelf components
or modular electronics. This allows users to explore what
information is useful to gather and if the system will be
suitable for their requirements. A smaller pilot also allows all
the stakeholders to test, play, and understand the potential
impact of a larger scale rollout.
Your first prototype
There are many ‘out of the box’, turnkey solutions that you
can buy off the shelf to let you create a first prototype and
test your IoT solution.
CENSIS has created a flexible IoT development kit that can
help you get up and running with IoT quickly and without
the need for deep technical knowledge. This has a range of
popular sensors, communication and power options and is
flexible to allow the user to measure and send data easily.
It allows users to explore IoT concepts without having to
code or configure networks themselves.
Joining the IoT community in Scotland
There are many organisations setting out on their IoT journey
and finding value in sharing thoughts and challenges.
With our experience across a huge range of market sectors
and our knowledge of enabling technologies, CENSIS has
strong relationships with Scottish companies, public sector
organisations, university research groups and hardware and
software suppliers.
As part of our CENSIS community, you can join in with
our regular IoT meetups to discuss ideas with like-minded
people, take part in one of our hands-on technical
workshops or come along to one of our Future Tech events
to solve market sector problems in an open forum.
The highlight of our year is the annual CENSIS Technology
Summit and Conference, where we hear from challenge
providers, meet exhibitors who are showcasing new
technologies, and network and connect with the sensors,
imaging and IoT community.
Join our community at censis.org.uk
Glossary
Please note that details of sources mentioned in this document may be found in the online version available at: censis.org.uk/brochures
TERM: MEANING
Adware: Unwanted software designed to display advertisements
Application Programming Interfaces (APIs): The specification and software implementation enabling programs to communicate
Attack surface: The total of the vulnerabilities of a device or system
Backdoor: A method for bypassing security, providing access to an IoT device or system
Boot mechanism: The process by which a device starts up before use
Bots: Software that performs an automated task
Cloud system: Shared computer data centre providing services, such as data storage
Cryptominers: Software designed to generate money through complex mathematical calculation
DDoS: Distributed denial-of-service, an attack with the aim of incapacitating a system, preventing it from serving genuine users
Dashboard: Also known as a User Interface or UI, this allows a person to interact with the computer system, e.g., a computer screen, tablet, mobile phone
Firmware: Software controlling the low-level functionality of hardware
Hacking/Hacker: Breaking into electronic systems (often the term ‘cracker’ is used instead to indicate a hacker with malicious intent)
Industrial Internet of Things (IIoT): IoT used in manufacturing and industrial processes
Keyloggers: Software or hardware designed to monitor and collect key-presses by a user
Machine to machine communication (M2M): Machine to machine connected devices exchanging information with other connected devices, without human intervention
Malware: Software designed with an intended malicious purpose
Port: A physical or virtual interface on a device for connecting to an external device(s)
Ransomware: Malware designed to perform an action with the intent of extorting a ransom
Rootkit: Malware designed to provide covert external access to an electronic system
Routers: A device that directs computer/IoT network traffic
SCADA: Supervisory control and data acquisition system
Secure by design: Designing a product, service or process with security in mind from the development stage
Spyware: A malware program designed to covertly gather information without consent
Trojan: A malware program that looks legitimate but hides its malicious purpose
Viruses: A malware program designed to spread to other electronic systems by replicating and attaching itself to other computer programs
Voice over Internet Protocol (VOIP): Technology to enable voice and video calls over the internet
Worms: An independent malware program designed to spread to other electronic systems by replicating itself
CENSIS is the centre of excellence for sensor and imaging
systems (SIS) and Internet of Things (IoT) technologies.
We help organisations of all sizes explore innovation
and overcome technology barriers to achieve business
transformation.
As one of Scotland’s Innovation Centres, our focus is not
only creating sustainable economic value in the Scottish
economy, but also generating social benefit. Our industry-experienced
engineering and project management teams
work with companies or in collaborative teams with university
research experts.
We act as independent trusted advisers, allowing
organisations to implement quality, efficiency and
performance improvements and fast-track the development
of new products and services for global markets.
Contact details:
CENSIS
The Inovo Building
121 George Street
Glasgow
G1 1RD
Tel: 0141 330 3876
Email: info@censis.org.uk
19.8.v1.ICS