Cyber Security and IoT

Explaining why IoT (Internet of Things) devices must be secure by design. Published by CENSIS, the Innovation Centre for sensing, imaging and IoT. censis.org.uk

Explaining why IoT (Internet of Things) devices must be secure by design. Published by CENSIS, the Innovation Centre for sensing, imaging and IoT.


Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

<strong>Cyber</strong><br />

<strong>Security</strong><br />

<strong>and</strong> <strong>IoT</strong><br />

Explaining why <strong>IoT</strong> (Internet of Things)<br />

devices must be secure by design<br />


<strong>Cyber</strong> security threats associated<br />

with Internet of Things (<strong>IoT</strong>)<br />

devices are evolving rapidly,<br />

keeping pace with the increased<br />

levels of <strong>IoT</strong> adoption across<br />

a range of end markets <strong>and</strong><br />

application areas.<br />


Integrating<br />

cyber security<br />

While <strong>IoT</strong> devices offer transformational benefits to organisations <strong>and</strong> individuals,<br />

they require designers <strong>and</strong> manufacturers to be hyper-aware of the need to create<br />

solutions with cyber security <strong>and</strong> privacy in mind.<br />

It is essential to integrate security features during the design stages of <strong>IoT</strong> products<br />

<strong>and</strong> services, making them ‘secure by design’ <strong>and</strong> without impacting their<br />

functionality.<br />

This document is part of a Scottish Government-funded programme to demonstrate<br />

the transformative potential of <strong>IoT</strong> across some of Scotl<strong>and</strong>’s key growth industries.<br />

It is intended as an introduction to <strong>IoT</strong> cyber security best practice to mitigate risks<br />

<strong>and</strong> provides links to additional sources of information.<br />

Whether you are in the development, manufacture, supply or procurement of <strong>IoT</strong><br />

devices <strong>and</strong> services, this document provides what you need to know.<br />

www.censis.org.uk<br />

Contents<br />

Internet of Things (<strong>IoT</strong>) in context 3<br />

<strong>Cyber</strong> security overview 3<br />

<strong>Cyber</strong> security vulnerabilities <strong>and</strong> risks 5<br />

Common attack methods 7<br />

<strong>IoT</strong> cyber security best practice <strong>and</strong> legislation 9<br />

The future for <strong>IoT</strong> device security 11<br />

Glossary 14<br />

Text with an explanation in the Glossary on P14 is underlined the first time it is used.<br />

If you are reading the printed version of this brochure, you can download a hyperlinked pdf at censis.org.uk/brochures<br />

The information in this brochure is correct at time of writing. September 2019.<br />


<strong>Cyber</strong> security overview<br />

Q What is cyber security<br />

<strong>Cyber</strong> security is essential in preventing harm to the<br />

integrity of the electronic devices <strong>and</strong> services that<br />

people <strong>and</strong> organisations use daily, as well as ensuring<br />

the confidentiality of the data stored <strong>and</strong> transmitted.<br />

Some of these devices <strong>and</strong> services form the<br />

basis of our critical national infrastructure, such as<br />

emergency services, communications, transport, defence<br />

<strong>and</strong> utilities.<br />

<strong>Cyber</strong> security involves the use of processes, technologies<br />

<strong>and</strong> controls for the protection of devices, systems,<br />

networks <strong>and</strong> data from cyber attacks <strong>and</strong> the ability to<br />

recover from these attacks.<br />

<strong>Cyber</strong> security good practice<br />

Processes,<br />

technologies<br />

<strong>and</strong><br />

controls<br />

Are<br />

applied to<br />

Devices,<br />

systems,<br />

networks<br />

<strong>and</strong> data<br />

Resulting<br />

in<br />

Protection from<br />

cyber attacks<br />

Ability to<br />

recover from<br />

attacks<br />

Internet of Things (<strong>IoT</strong>) in context<br />

Q What exactly does ‘Internet of Things’ mean?<br />

A To simplify the vast amount of chat <strong>and</strong> hype around<br />

<strong>IoT</strong>, think of it in its broadest sense as: ‘a system of<br />

things using the internet or private network to<br />

connect <strong>and</strong> communicate with each other’.<br />

Q What ‘things’?<br />

A We say ‘things’ but really mean ‘devices’ that are<br />

connected via the internet to each other. Your phone<br />

is probably such a device. Some watches are<br />

internet-enabled. Often, you’ll hear ‘smart’ added to<br />

the front of something to describe that it can<br />

connect to the internet <strong>and</strong> chat to other devices,<br />

e.g., smartphone, smartwatch, smart lighting. In an<br />

<strong>IoT</strong> network, each device has a unique identifier<br />

<strong>and</strong> can transfer <strong>and</strong>/or receive data over a network<br />

connection.<br />

Q But this is nothing new, haven’t devices been<br />

connecting to the internet for years?<br />

A Yes, they have. But technology has advanced so<br />

much in recent times that we now have<br />

the capability to connect many more<br />

low cost, small, battery operated devices<br />

to the internet. If we install a sensor on<br />

such a device, the sensor can gather data,<br />

then send the information over the<br />

internet. This combined with the rise<br />

of low-cost cloud computing is enabling<br />

a vast amount of new opportunities.<br />

For further information, read:<br />

CENSIS ‘Getting started with <strong>IoT</strong>’<br />

https://www.censis.org.uk/brochures<br />


Q How is <strong>IoT</strong> cyber security different<br />

to IT cyber security?<br />

The main difference is that <strong>IoT</strong> devices are more connected<br />

to the physical world. There is also a greater number<br />

<strong>and</strong> wider range of types of <strong>IoT</strong> devices than IT devices.<br />

The environments that <strong>IoT</strong> devices operate in are more<br />

diverse than traditional IT systems <strong>and</strong> could include<br />

being in remote areas, exposed to extreme weather or in a<br />

situation in which they are vulnerable to tampering.<br />

<strong>IoT</strong> devices are also procured, used or managed by a<br />

wider range of people <strong>and</strong> are less likely to be maintained<br />

<strong>and</strong> updated with the latest software when compared to<br />

IT devices. While machine-to-machine communications<br />

<strong>and</strong> attacks have been around for decades, <strong>IoT</strong> is a<br />

relatively new term, <strong>and</strong> the most high-profile cyber<br />

attacks have occurred in the last 10 years.<br />

Q Why do intentional <strong>IoT</strong> cyber<br />

attacks take place?<br />

Intentional attacks on <strong>IoT</strong> devices occur for several<br />

reasons, such as:<br />

• Financial gain – a primary motivation for attacks is<br />

either stealing information to sell or holding it for<br />

extortion or ransom.<br />

• Preventing or limiting ability to operate - possibly<br />

motivated by revenge, differing beliefs, terrorism,<br />

activism or an attempt to damage competitors<br />

financially or reputationally. These could be attacks to<br />

temporarily disrupt services or actions which could<br />

lead to permanent physical damage to devices or<br />

result in injury to users.<br />

• Curiosity <strong>and</strong> challenge - while some attacks may be<br />

financially motivated, others are driven by an interest<br />

in technology, the challenge presented <strong>and</strong> the ability<br />

to brag <strong>and</strong> boast about hacking activities.<br />

Q Who commits cyber attacks?<br />

There is no one profile of individual or organisation that<br />

performs <strong>IoT</strong> attacks. They range from hackers working<br />

alone or in small groups through to organised criminal<br />

gangs <strong>and</strong> even nation states engaged in wider espionage<br />

activity <strong>and</strong>/or cyber warfare.<br />

Q How big a problem is an <strong>IoT</strong><br />

cyber attack?<br />

We live in an increasingly hyper-connected world.<br />

The introduction of <strong>IoT</strong> devices significantly increases<br />

the surface of connected devices visible to be attacked<br />

<strong>and</strong> thus the exposure to risk. <strong>IoT</strong> is therefore a potential<br />

route into or to disrupt wider systems, applications <strong>and</strong><br />

networks, if not adequately protected.<br />

The forecasts for the number of <strong>IoT</strong> devices varies but the<br />

research organisation Gartner predicts that there will be<br />

25 billion <strong>IoT</strong> devices by 2021. Bain & Company survey<br />

reported that in 2018, 45% of <strong>IoT</strong> buyers in companies<br />

cited security concerns as a factor limiting adoption.<br />

These figures offer an indication of the size of the<br />

challenge for both <strong>IoT</strong> developers <strong>and</strong> end users.<br />

According to research by Dutch software firm Irdeto,<br />

the financial risk to the UK from cyber attacks targeting<br />

<strong>IoT</strong> devices could be approximately £1 billion annually,<br />

a figure based on the current average cost per UK<br />

business each year of £244,000.<br />

Attacks tend<br />

not to be<br />

personal or specifically<br />

targeted, it’s more often<br />

the case that individuals<br />

or organisations have<br />

known <strong>IoT</strong> vulnerabilities,<br />

making them easy targets<br />

to attack<br />


<strong>Cyber</strong> security vulnerabilities <strong>and</strong> risks<br />

Technology evolution has led to the emergence of lowpower<br />

<strong>IoT</strong> devices with high processing performance,<br />

large internal data storage capacity <strong>and</strong> wireless<br />

communications interconnectivity. The ability to integrate<br />

small low-cost sensors into these devices has led to a<br />

greater range of embedded <strong>and</strong> wearable products <strong>and</strong><br />

associated services. The inclusion of microphones <strong>and</strong><br />

cameras in <strong>IoT</strong> products has also raised concerns over<br />

privacy, both in the workplace <strong>and</strong> in the home.<br />

To increase the level of trust in the use of <strong>IoT</strong> devices <strong>and</strong><br />

services, reduce exposure to risk <strong>and</strong> drive greater adoption,<br />

developers <strong>and</strong> manufacturers must be aware of the<br />

potential vulnerabilities <strong>and</strong> ensure that these are reduced<br />

or removed.<br />

Vulnerabilities<br />

<strong>IoT</strong>-based systems become vulnerable in several ways:<br />

• Unsecure devices that are not password protected, or<br />

that use simple, easy to break passwords that are not fit<br />

for purpose<br />

• Poor design, manufacturing <strong>and</strong> test processes<br />

• Lack of <strong>IoT</strong> technical knowledge in companies<br />

procuring solutions<br />

• Unmaintained devices with firmware which has not<br />

been kept up to date<br />

• Poor device integration <strong>and</strong> configuration with other<br />

electronic systems<br />

• Undefined responsibility for <strong>IoT</strong> systems management<br />

<strong>and</strong> maintenance<br />

• Unused devices left connected to networks<br />

• Unknown, forgotten, hidden - but exploitable - devices<br />

network - these were devices like security cameras or<br />

uninterruptable power supplies. Many were not registered<br />

with the IT department <strong>and</strong> did not meet security<br />

st<strong>and</strong>ards, making them vulnerable to attack.<br />

The potential consequences in this case were very<br />

worrying - the theft of personal medical data or an<br />

attack on the systems that provide power to life-critical<br />

machines in the event of a main power failure.<br />

Good practice after identifying<br />

vulnerability<br />

It is good practice for organisations to develop <strong>and</strong><br />

publish a coordinated vulnerability disclosure (CVD)<br />

process. A CVD process is the gathering of information<br />

from whoever has found <strong>and</strong> legally reported a device<br />

or service vulnerability, managing the distribution of the<br />

information to stakeholders <strong>and</strong> disclosing the existence<br />

<strong>and</strong> solutions to the stakeholders, often including the<br />

public. It is generally expected that the reporting party will<br />

not publicly share any knowledge of the vulnerability until<br />

the process has been followed <strong>and</strong> ideally a solution or<br />

mitigation is found.<br />

These issues create particular challenges for smaller<br />

or highly distributed organisations who may not have a<br />

full-time member of staff responsible for cyber security.<br />

It might fall to an IT or operations member of staff as only<br />

part of their job.<br />

Even in larger organisations with dedicated cyber security<br />

staff, the sheer number of devices an organisation<br />

h<strong>and</strong>les can still create a challenge. This was highlighted<br />

in a BBC interview with the Chief Information <strong>Security</strong><br />

Officer (CISO) for the largest health provider in New<br />

Jersey, USA. The CISO was responsible for 13 hospitals<br />

containing 30,000 computers, 300 apps, a data centre<br />

<strong>and</strong> company mobile phones. During an <strong>IoT</strong> audit he<br />

discovered 70,000 <strong>IoT</strong> devices accessing the company’s<br />


Current <strong>IoT</strong> risk areas<br />

• The Global Risks Report 2019 by the World Economic<br />

Forum lists ‘Large-scale cyber-attacks’ <strong>and</strong> ‘Massive<br />

incident of data fraud or theft’ as two of the top five<br />

global risks in terms of likelihood during the next<br />

10 years.<br />

• The Economist Intelligence Unit’s (EIU) Top 10<br />

Global Risks includes cyber-attacks <strong>and</strong> data integrity<br />

concerns crippling large parts of the internet.<br />

• Cambridge Global Risk Index 2019, a quantification<br />

of the potential GDP impact, notes that cyber-attack<br />

is the sixth highest financial risk ($39.7 Billion) after a<br />

human p<strong>and</strong>emic <strong>and</strong> flooding.<br />

• <strong>Security</strong> solutions company, Fortinet, reported in their<br />

2018 4th Quarter Threat L<strong>and</strong>scape report that half<br />

of the top 12 security exploits reported to their<br />

company related to <strong>IoT</strong> devices.<br />

• The digital information security company Gemalto<br />

disclosed that only 48% of businesses can detect if<br />

any of their <strong>IoT</strong> devices have suffered a security breach.<br />

• ENISA Threat L<strong>and</strong>scape Report 2018 reports an<br />

increasing number of attacks on Industrial Internet of<br />

Things (I<strong>IoT</strong>) devices in utilities, oil <strong>and</strong> natural gas <strong>and</strong><br />

manufacturing sectors.<br />

• F-Secure, a cyber security company with a<br />

global presence, reported that the number of <strong>IoT</strong><br />

threats doubled in 2018, from 19 to 38 within a<br />

12-month period.<br />

Smart<br />

televisions<br />

Thermostats<br />

Digital video<br />

recorders/<br />

network video<br />

recorders<br />

Voice over<br />

IP (VOIP)<br />

telephones<br />

Networked<br />

cameras<br />

Popular<br />

<strong>IoT</strong><br />

targets<br />

Network<br />

routers <strong>and</strong><br />

access points<br />

Mobile<br />

smartphones<br />

Network<br />

attached<br />

storage<br />

Printers<br />


Common attack methods<br />

Attacks on <strong>IoT</strong> devices are typically achieved in one of seven different ways, or by using a combination of the seven.<br />

Exploits<br />

Poor system<br />

configuration<br />

Distributed Denialof-Service<br />

(DDoS)<br />

<strong>IoT</strong> attack<br />

methods<br />

Cloud system <strong>and</strong><br />

data centre attacks<br />

Man in middle attacks<br />

Malware<br />

Physical<br />

Physical attacks<br />

An <strong>IoT</strong> device can be compromised<br />

if physical access can be gained to<br />

external interfaces, such as USB ports<br />

or test ports used in the manufacture,<br />

maintenance or test of an <strong>IoT</strong> device.<br />

Considered to be one of the earliest<br />

cyber hacking tools designed to<br />

cause physical damage to networked<br />

equipment, Stuxnet was a malicious<br />

computer worm aimed at industrial<br />

control systems. It is believed to<br />

have damaged Iranian uranium<br />

enriching centrifuges in 2010 after<br />

it was introduced to the<br />

organisation’s network via a USB<br />

stick. The organisation’s network was<br />

not connected to the internet.<br />

Exploits<br />

Known vulnerabilities in an <strong>IoT</strong><br />

device’s hardware, embedded<br />

software <strong>and</strong> operating system can<br />

be exploited to gain access. These<br />

vulnerabilities can range from poor<br />

processing or formatting of data to<br />

an insecure method for updating<br />

the <strong>IoT</strong> device’s firmware <strong>and</strong> poor<br />

memory management.<br />

In 2017 the US Food <strong>and</strong> Drug<br />

Administration (FDA) recalled 465,000<br />

radio-controlled implantable cardiac<br />

pacemakers due to identified cyber<br />

security vulnerabilities; there were<br />

concerns that hackers could control<br />

the implanted devices. A firmware<br />

update was issued to address the<br />

vulnerabilities, allowing patients<br />

whose devices were already fitted to<br />

be updated <strong>and</strong> secured on the next<br />

visit to their physician.<br />

Poor system configuration<br />

One of the simplest methods of<br />

compromising an <strong>IoT</strong> device is by using<br />

common, hardcoded, easily guessable<br />

or weak passwords. Poor configurations<br />

of an <strong>IoT</strong> device may also provide a<br />

simple avenue to attack, for example<br />

leaving a communications port open or<br />

a backdoor login for test purposes.<br />

In 2018 there were reports of an<br />

audacious cyber attack saw a US casino<br />

suffer a significant theft of data when its<br />

IT networked systems were breached<br />

via an <strong>IoT</strong> smart fish tank controller.<br />

The poor configuration of the casino’s<br />

network between the <strong>IoT</strong> <strong>and</strong> IT<br />

systems led to 10 gigabytes of company<br />

data being transferred to Finl<strong>and</strong> before<br />

the hack was identified <strong>and</strong> stopped.<br />


Malware<br />

Malware is software designed to<br />

infiltrate <strong>and</strong> damage, control or<br />

disable electronics systems, including<br />

<strong>IoT</strong> devices. This can come in many<br />

forms including viruses, worms,<br />

trojans, ransomware, rootkit, spyware,<br />

adware <strong>and</strong> keyloggers. Malware can<br />

be used to form collectives of ‘bots’<br />

(Botnets) for performing automated<br />

malicious attacks (see sub-section<br />

below). According to cyber security<br />

solutions company McAfee, in the<br />

last year there has been a rise of<br />

203% in <strong>IoT</strong> malware in the form of<br />

‘cryptominers’ that hijack devices<br />

for mining cryptocurrency which<br />

is currently seen as a more lucrative<br />

business than ransomware.<br />

In December 2015, a regional<br />

electricity distribution company in<br />

Ukraine was attacked. The SCADA<br />

system controlling, <strong>and</strong> monitoring<br />

power distribution was targeted,<br />

enabling the attacker to switch off<br />

several substations. To obtain initial<br />

access to the company systems,<br />

malware was delivered by email. Two<br />

additional power companies were<br />

also attacked resulting in 225,000<br />

customers losing power for several<br />

hours.<br />

DDoS<br />

Distributed Denial-of-<br />

Service (DDoS)<br />

DDoS involves an attacker gaining<br />

access into a large number of<br />

distributed <strong>IoT</strong> devices. When access<br />

has been obtained, the attacker gains<br />

control of the devices (usually by<br />

installing malware), turning each of<br />

the devices into what is called a ‘Bot’<br />

or Zombie. The attacker can then<br />

instruct a group of ‘Bots’ to act as a<br />

‘Botnet’ to send requests to target<br />

internet addresses, such as cloud<br />

service providers. The significant<br />

amount of internet traffic generated<br />

reduces the capacity or prevents<br />

the target from servicing other valid<br />

users. This can also stop each of<br />

the <strong>IoT</strong> ‘Bot’ devices functioning as<br />

originally intended.<br />

An example of this is the 2016 Mirai<br />

Botnet. Several high-profile attacks<br />

happened that year, including an attack<br />

on Dyn, an internet infrastructure<br />

company. The attack prevented users<br />

from accessing social media accounts<br />

<strong>and</strong> other popular websites in the US<br />

<strong>and</strong> Europe. Mirai was one of the first<br />

pieces of software to enable largescale<br />

DDoS attacks. Mirai scans internet<br />

addresses to find devices, e.g., digital<br />

video recorders <strong>and</strong> CCTV cameras,<br />

with unsafe, easy to guess, default<br />

usernames <strong>and</strong> passwords; then it logsin<br />

<strong>and</strong> configures the devices to send<br />

data to an online target. With enough of<br />

these devices or ‘bots’ sending data, the<br />

online target is overloaded with requests<br />

from ‘bots’ <strong>and</strong> is unable to accept<br />

requests from legitimate users. More<br />

than 100,000 devices were thought<br />

to have been targeted, taken over, <strong>and</strong><br />

used in this attack.<br />

Man-in-middle attacks<br />

This describes where someone<br />

intercepts communications between<br />

<strong>IoT</strong> devices <strong>and</strong>/or other Internetconnected<br />

systems. The attacker<br />

poses as the original sender of the<br />

data. This allows eavesdropping <strong>and</strong><br />

the ability to send data to <strong>and</strong> receive<br />

data from the <strong>IoT</strong> devices undetected,<br />

enabling manipulation of the <strong>IoT</strong><br />

devices <strong>and</strong> connected systems.<br />

Cloud system <strong>and</strong> data<br />

centre attacks<br />

Cloud system <strong>and</strong> data centre attacks<br />

can be performed in several ways<br />

by targeting parts of the system<br />

architecture. This may include<br />

attacking the web server function<br />

used to provide <strong>IoT</strong> dashboards<br />

(displaying data from the <strong>IoT</strong> devices<br />

or providing centralised control of <strong>IoT</strong><br />

devices), or attacking the database<br />

systems used to store gathered <strong>IoT</strong><br />

data. As many <strong>IoT</strong> devices rely on a<br />

cloud system to function correctly,<br />

as part of the overall <strong>IoT</strong> solution, this<br />

may render the <strong>IoT</strong> incapacitated or<br />

severely limit the ability for the <strong>IoT</strong><br />

devices to function.<br />

<strong>IoT</strong> attack<br />

surface<br />

<strong>IoT</strong><br />

device<br />

Man-in-the-middle<br />

Comms.<br />

network<br />

infrastructure<br />

Man-in-the-middle<br />

Cloud providers<br />

Malware, exploits, poor system configuration <strong>and</strong> physical attack (Arrows show direction of attack/target)<br />


<strong>IoT</strong> cyber security best practice<br />

<strong>and</strong> legislation<br />

In order to drive greater adoption of <strong>IoT</strong>, the public<br />

needs to feel comfortable that the products <strong>and</strong> services<br />

they buy or use are not only fit for purpose in terms<br />

of functionality, but that they also protect them from<br />

potential cyber-related threats.<br />

To this end, the UK government has created a best<br />

practice guide for <strong>IoT</strong> cyber security for manufacturers of<br />

products <strong>and</strong> service providers. The objective of the Code<br />

of Practice for Consumer <strong>IoT</strong> <strong>Security</strong> is to reduce the<br />

challenge for individuals <strong>and</strong> organisations in making their<br />

own assessment of what is cyber secure.<br />

In the 2018 IDG <strong>Security</strong> Priorities Study 74% of<br />

business respondents stated that best practices determine<br />

their priority for security spending.<br />

The UK Government takes<br />

the issue of consumer <strong>IoT</strong><br />

security very seriously. We recognise the<br />

urgent need to move the expectation<br />

away from consumers securing their<br />

own devices <strong>and</strong> instead ensure that<br />

strong cyber security is built into these<br />

products by design.”<br />

“A recent survey of 6,482 consumers<br />

has shown that when purchasing a<br />

new consumer <strong>IoT</strong> product, ‘security’<br />

is the third most important information<br />

category (higher than privacy or design)<br />

<strong>and</strong> among those who didn’t rank<br />

‘security’ as a top-four consideration,<br />

72% said that they expected security to<br />

already be built into devices that were<br />

already on the market”<br />

Source: Consultation on the Government’s regulatory proposals<br />

regarding consumer Internet of Things (<strong>IoT</strong>) security, May 2019<br />

Best Practice Guides<br />

In October 2018, the UK Government Department<br />

for Digital, Culture, Media & Sport (DCMS) published<br />

the Code of Practice for Consumer <strong>IoT</strong> <strong>Security</strong>.<br />

These guidelines are aimed at everyone involved in the<br />

development, manufacture, service provision <strong>and</strong> retail of<br />

consumer <strong>IoT</strong> devices <strong>and</strong> services to ensure that they are<br />

‘secure by design’.<br />

The code considers consumers to be all end-users of <strong>IoT</strong><br />

products <strong>and</strong> services. Products include children’s toys,<br />

smart cameras <strong>and</strong> TVs, wearable health trackers, home<br />

automation <strong>and</strong> safety products such as smoke detectors<br />

<strong>and</strong> burglar alarms.<br />

While focused on products <strong>and</strong> services typically used in<br />

the home, the general principles are applicable to those<br />

used in commercial <strong>and</strong> industrial environments.<br />

The Code includes a prioritised list of 13 good practice<br />

<strong>IoT</strong> security guidelines:<br />

1 No default passwords<br />

All <strong>IoT</strong> device passwords shall be unique <strong>and</strong> not<br />

resettable to any universal factory default value<br />

2 Implement a vulnerability disclosure policy<br />

All companies that provide internet-connected<br />

devices <strong>and</strong> services shall provide a public point of<br />

contact as part of a vulnerability disclosure policy in<br />

order that security researchers <strong>and</strong> others are able<br />

to report issues. Disclosed vulnerabilities should be<br />

acted on in a timely manner.<br />

3 Keep software updated<br />

Software components in internet-connected devices<br />

should be securely updateable. Updates shall be<br />

timely <strong>and</strong> should not impact on the functioning of<br />

the device. An end-of-life policy shall be published<br />

for end-point devices which explicitly states the<br />

minimum length of time for which a device will<br />

receive software updates <strong>and</strong> the reasons for the<br />

length of the support period. The need for each<br />

update should be made clear to consumers <strong>and</strong> an<br />

update should be easy to implement. For constrained<br />

devices that cannot physically be updated, the<br />

product should be isolatable <strong>and</strong> replaceable.<br />

4 Securely store credentials <strong>and</strong> security-sensitive data<br />

Any credentials shall be stored securely within services<br />

<strong>and</strong> on devices. Hard-coded credentials in device<br />

software are not acceptable.<br />

5 Communicate securely<br />

<strong>Security</strong>-sensitive data, including any remote<br />

management <strong>and</strong> control, should be encrypted in<br />

transit, appropriate to the properties of the technology<br />

<strong>and</strong> usage. All keys should be managed securely.<br />

6 Minimise exposed attack surfaces<br />

All devices <strong>and</strong> services should operate on the<br />

‘principle of least privilege’; unused ports should be<br />


closed, hardware should not unnecessarily expose<br />

access, services should not be available if they are not<br />

used <strong>and</strong> code should be minimised to the<br />

functionality necessary for the service to operate.<br />

Software should run with appropriate privileges, taking<br />

account of both security <strong>and</strong> functionality.<br />

7 Ensure software integrity<br />

Software on <strong>IoT</strong> devices should be verified using<br />

secure boot mechanisms. If an unauthorised change<br />

is detected, the device should alert the consumer/<br />

administrator to an issue <strong>and</strong> should not connect<br />

to wider networks than those necessary to perform<br />

the alerting function.<br />

8 Ensure that personal data is protected<br />

Where devices <strong>and</strong>/or services process personal<br />

data, they shall do so in accordance with applicable<br />

data protection law, such as the General Data<br />

Protection Regulation (GDPR) <strong>and</strong> the Data Protection<br />

Act 2018. Device manufacturers <strong>and</strong> <strong>IoT</strong> service<br />

providers shall provide consumers with clear <strong>and</strong><br />

transparent information about how their data is being<br />

used, by whom, <strong>and</strong> for what purposes, for each<br />

device <strong>and</strong> service. This also applies to any third<br />

parties that may be involved (including advertisers).<br />

Where personal data is processed on the basis of<br />

consumers’ consent, this shall be validly <strong>and</strong> lawfully<br />

obtained, with those consumers being given the<br />

opportunity to withdraw it at any time.<br />

9 Make systems resilient to outages<br />

Resilience should be built in to <strong>IoT</strong> devices <strong>and</strong><br />

services where required by their usage or by other<br />

relying systems, taking into account the possibility of<br />

outages of data networks <strong>and</strong> power. As far as<br />

reasonably possible, <strong>IoT</strong> services should remain<br />

operating <strong>and</strong> locally functional in the case of a loss<br />

of network <strong>and</strong> should recover cleanly in the case of<br />

restoration of a loss of power. Devices should be able<br />

to return to a network in a sensible state <strong>and</strong> in an<br />

orderly fashion, rather than in a massive scale<br />

reconnect.<br />

10 Monitor system telemetry data<br />

If telemetry data is collected from <strong>IoT</strong> devices <strong>and</strong><br />

services, such as usage <strong>and</strong> measurement data, it<br />

should be monitored for security anomalies.<br />

11 Make it easy for consumers to delete personal data<br />

Devices <strong>and</strong> services should be configured such that<br />

personal data can easily be removed from them when<br />

there is a transfer of ownership, when the consumer<br />

wishes to delete it <strong>and</strong>/or when the consumer wishes<br />

to dispose of the device. Consumers should be given<br />

clear instructions on how to delete their personal data.<br />

12 Make installation <strong>and</strong> maintenance of devices easy<br />

Installation <strong>and</strong> maintenance of <strong>IoT</strong> devices should<br />

employ minimal steps <strong>and</strong> should follow security best<br />

practice on usability. Consumers should also be<br />

provided with guidance on how to securely set up<br />

their device.<br />

13. Validate input data<br />

Data input via user interfaces <strong>and</strong> transferred via<br />

application programming interfaces (APIs) or<br />

between networks in services <strong>and</strong> devices shall<br />

be validated.<br />

Reproduced from Code of Practice for Consumer <strong>IoT</strong> <strong>Security</strong>.<br />

Please read the Code for more information on each of the above<br />

guidelines. The Department for Digital, Culture, Media <strong>and</strong> Sport will<br />

periodically review the Code <strong>and</strong> publish updates, at least every two years.<br />

Please visit https://www.gov.uk/government/collections/secure-by-design<br />

to be kept informed.<br />


The future for <strong>IoT</strong> device security<br />

As <strong>IoT</strong> solutions evolve, so do the threats against them.<br />

In the short-term companies, can ensure that they get<br />

the basics of <strong>IoT</strong> cyber security correct. In the long-term,<br />

to ensure companies maintain cyber security, foresighting<br />

is required to identify new <strong>and</strong> emerging threats <strong>and</strong><br />

develop methods to mitigate against these. This is being<br />

supported by governments, academic institutions, trade<br />

bodies <strong>and</strong> commercial organisations.<br />

In addition to the published Code of Practice for<br />

Consumer <strong>IoT</strong> <strong>Security</strong>, several other industry <strong>and</strong><br />

government organisations have published their own<br />

<strong>IoT</strong> security recommendations <strong>and</strong> guides. These<br />

guides serve to support the design, manufacturing <strong>and</strong><br />

procurement processes of <strong>IoT</strong> components <strong>and</strong> systems.<br />

While the majority of guides focus on the security of<br />

software <strong>and</strong> communications, physical security for <strong>IoT</strong><br />

hardware is also of importance <strong>and</strong> covered in more<br />

detail in articles such as <strong>IoT</strong>SF’s physical security article.<br />

Further sources for guides:<br />

• National <strong>Cyber</strong> <strong>Security</strong> Centre (NCSC)<br />

www.ncsc.gov.uk<br />

• Internet of Things <strong>Security</strong> Foundation (<strong>IoT</strong>SF)<br />

www.iotsecurityfoundation.org<br />

• EU Agency for <strong>Cyber</strong>security (formerly the<br />

European Union Agency for Network <strong>and</strong> Information<br />

<strong>Security</strong> - ENISA) www.enisa.europa.eu<br />

• GSM Association (GSMA) www.gsma.com<br />

• The National Institute of St<strong>and</strong>ards <strong>and</strong><br />

Technology (NIST) www.nist.gov<br />

• OWASP Foundation www.owasp.org<br />

<strong>IoT</strong>-focused labelling, st<strong>and</strong>ards <strong>and</strong><br />

legislation<br />

It is not enough to merely encourage the adoption of best<br />

practice in the design of new products or services; industry<br />

should also adopt common labelling that clearly shows<br />

consumers that best practice has been followed. Not only<br />

would this provide comfort <strong>and</strong> peace of mind to buyers;<br />

it helps a manufacturer or service provider to st<strong>and</strong> out<br />

from the competition <strong>and</strong> enhances their reputation as a<br />

cyber security-focused company.<br />

In a recent research paper by Harris Interactive, 73% of<br />

people interviewed felt it is important or very important<br />

to introduce labels that highlight the security features on<br />

consumer <strong>IoT</strong> devices. Respondents also said that they<br />

would pay up to 10% more for the product.<br />

In May 2019, the UK Government launched a consultation<br />

on its regulatory proposals for consumer <strong>IoT</strong> security,<br />

stating its ambition for the first three points of its Code of<br />

Practice for Consumer <strong>IoT</strong> <strong>Security</strong> launched in October<br />

2018 to become m<strong>and</strong>atory. These are:<br />

1 All <strong>IoT</strong> device passwords shall be unique <strong>and</strong> shall not<br />

be resettable to any universal factory default value<br />

2 The manufacturer shall provide a public point of<br />

contact as part of a vulnerability disclosure policy<br />

in order that security researchers <strong>and</strong> others are able<br />

to report issues<br />

3 Manufacturers will explicitly state the minimum<br />

length of time for which the product will receive<br />

security updates.<br />

The consultation explored various options for the m<strong>and</strong>atory<br />

labelling of <strong>IoT</strong> devices. It is expected that security labelling<br />

will initially be introduced on a voluntary basis.<br />

Proposed labels:<br />

Positive<br />

Essential security<br />

features included<br />

DEC<br />

2021<br />

<strong>Security</strong> updates<br />

until at least Dec 2021<br />

Essential security<br />

features NOT included<br />

Negative<br />

<strong>Security</strong> updates<br />

NOT provided<br />

Source: https://www.gov.uk/government/consultations/consultationon-regulatory-proposals-on-consumer-iot-security/consultation-onthe-governments-regulatory-proposals-regarding-consumer-internetof-things-iot-security<br />

Building on the 2018 UK Code of Practice, the European<br />

Telecommunications St<strong>and</strong>ards Institute (ETSI) released the<br />

world’s first st<strong>and</strong>ard (ETSI TS 103 645) for consumer <strong>IoT</strong><br />

security in February 2019. Designed with worldwide needs<br />

in mind, its purpose is to create a baseline for <strong>IoT</strong> security,<br />

<strong>and</strong> will be used as the baseline for future <strong>IoT</strong> certification<br />

schemes.<br />

Other activities specifically focused on certification <strong>and</strong><br />

labelling include the British St<strong>and</strong>ards Institute (BSI)<br />

Kitemark TM for <strong>IoT</strong> devices, launched in 2018. Used for<br />

over 100 years, the Kitemark is a well-recognised logo,<br />

that indicates quality <strong>and</strong> safety in British products. Three<br />

different Kitemarks for <strong>IoT</strong> devices exist; residential,<br />

commercial <strong>and</strong> enhanced for residential or commercial<br />

products used in high risk or high value applications.<br />

Unlike the proposed UK regulation, the BSI <strong>IoT</strong><br />

assessment is not self-certification based, it requires:<br />

• The <strong>IoT</strong> developer to hold compliance to the<br />

ISO 9001 quality st<strong>and</strong>ards.<br />

• Pass <strong>IoT</strong> product tests for functionality, interoperability<br />

<strong>and</strong> security.<br />

• Perform regular monitoring assessments of their<br />

labelled products.<br />


EU <strong>and</strong> US cyber security legislation<br />

The new EU <strong>Cyber</strong> <strong>Security</strong> Act will come into force<br />

providing ENISA, the European Union Agency for<br />

<strong>Cyber</strong>security, an ongoing m<strong>and</strong>ate to help the EU achieve<br />

a common, high-level of cyber security across all member<br />

states through better communication <strong>and</strong> collaboration.<br />

ENISA’s remit includes the creation of a common European<br />

cyber security certification framework for information <strong>and</strong><br />

communications technology (ICT) products, processes<br />

<strong>and</strong> services, including <strong>IoT</strong>. This will work alongside<br />

other regulation <strong>and</strong> EU directives, including General<br />

Data Protection Regulation (GDPR) <strong>and</strong> Network <strong>and</strong><br />

Information <strong>Security</strong> Directive (NIS Directive), which,<br />

respectively, focus on personal information security <strong>and</strong><br />

overall security <strong>and</strong> resilience of networks <strong>and</strong> information<br />

systems in critical sectors.<br />

Other regulation activities in <strong>IoT</strong>-related cyber security<br />

elsewhere in the world include the approval of the<br />

Californian <strong>Security</strong> of Connected Devices bill in USA.<br />

The 2018 bill aims are:<br />

“This bill, beginning on January 1, 2020, would require a<br />

manufacturer of a connected device, as those terms are<br />

defined, to equip the device with a reasonable security<br />

feature or features that are appropriate to the nature <strong>and</strong><br />

function of the device, appropriate to the information it<br />

may collect, contain, or transmit, <strong>and</strong> designed to protect<br />

the device <strong>and</strong> any information contained therein from<br />

unauthorized access, destruction, use, modification, or<br />

disclosure, as specified.”<br />

In March 2019 the US Senate reintroduced the <strong>IoT</strong><br />

<strong>Cyber</strong>security Improvement Act. The purpose of the act is<br />

similar to the activities in the UK in developing a baseline<br />

of cyber security requirements for <strong>IoT</strong> devices. To support<br />

this, the American National Institute of St<strong>and</strong>ards <strong>and</strong><br />

Technology (NIST) will issue recommendations addressing,<br />

at a minimum, secure development, identity management,<br />

patching, <strong>and</strong> configuration management for <strong>IoT</strong> devices.<br />

This legislation is likely to affect Scottish companies<br />

looking to export <strong>IoT</strong> devices <strong>and</strong> provide <strong>IoT</strong> services into<br />

the EU <strong>and</strong> the US.<br />

Summary<br />

This document has introduced <strong>IoT</strong> cyber security <strong>and</strong><br />

the importance of the ‘secure by design’ principle, to<br />

protect end users of <strong>IoT</strong> products <strong>and</strong> services. While the<br />

effect of a hack on a single vulnerable <strong>IoT</strong> device may not<br />

seem of concern, its interconnection to other systems<br />

could result in a greater impact, whether it be data<br />

theft or incapacitating the operation of a company.<br />

A collective effort in following best practice will help to<br />

ensure that <strong>IoT</strong> users will reap the benefits without being<br />

exposed to unnecessary cyber security-related risks.<br />

To support this effort, CENSIS has been commissioned by the<br />

Scottish Government <strong>and</strong> Scottish Enterprise to run an <strong>IoT</strong><br />

cyber security programme over 2019/2020. The programme<br />

of activity will include a series of workshops, an accelerator<br />

programme <strong>and</strong> a themed hackathon to support innovation<br />

<strong>and</strong> economic development in <strong>IoT</strong> cyber security.<br />


Finding <strong>IoT</strong> expertise<br />

If you have an idea for a product or service that could bring<br />

value to your business <strong>and</strong> your customers, there are a<br />

number of organisations who could support your plans.<br />

If you contact CENSIS in the first instance, we can signpost<br />

you to a suitable organisation for your needs, or we may be<br />

able to provide advice, technical support <strong>and</strong> the resources<br />

you need to create a full solution.<br />

At CENSIS we see most <strong>IoT</strong> projects starting off as small-scale<br />

pilots to test the functionality with off-the-shelf components<br />

or modular electronics. This allows users to explore what<br />

information is useful to gather <strong>and</strong> if the system will be<br />

suitable for their requirements. A smaller pilot also allows all<br />

the stakeholders to test, play, <strong>and</strong> underst<strong>and</strong> the potential<br />

impact of a larger scale rollout.<br />

censis.org.uk<br />

Your first prototype<br />

Joining the <strong>IoT</strong> community<br />

in Scotl<strong>and</strong><br />

There are many organisations setting out on their <strong>IoT</strong> journey<br />

<strong>and</strong> finding value in sharing thoughts <strong>and</strong> challenges.<br />

With our experience across a huge range of market sectors<br />

<strong>and</strong> our knowledge of enabling technologies, CENSIS has<br />

strong relationships with Scottish companies, public sector<br />

organisations, university research groups <strong>and</strong> hardware <strong>and</strong><br />

software suppliers.<br />

As part of our CENSIS community, you can join in with<br />

our regular <strong>IoT</strong> meetups to discuss ideas with like-minded<br />

people, take part in one of our h<strong>and</strong>s-on technical<br />

workshops or come along to one of our Future Tech events<br />

to solve market sector problems in an open forum.<br />

The highlight of our year is the annual CENSIS Technology<br />

Summit <strong>and</strong> Conference, where we hear from challenge<br />

providers, meet exhibitors who are showcasing new<br />

technologies, <strong>and</strong> network <strong>and</strong> connect with the sensors,<br />

imaging <strong>and</strong> <strong>IoT</strong> community.<br />

There are many ‘out of the box’, turnkey solutions that you<br />

can buy off the shelf to let you create a first prototype <strong>and</strong><br />

test your <strong>IoT</strong> solution.<br />

CENSIS has created a flexible <strong>IoT</strong> development kit that can<br />

help you get up <strong>and</strong> running with <strong>IoT</strong> quickly <strong>and</strong> without<br />

the need for deep technical knowledge. This has a range of<br />

popular sensors, communication <strong>and</strong> power options <strong>and</strong> is<br />

flexible to allow the user to measure <strong>and</strong> send data easily.<br />

It allows users to explore <strong>IoT</strong> concepts without having to<br />

code or configure networks themselves.<br />

Join our<br />

community at<br />

censis.org.uk<br />


Glossary<br />

Please note that details of sources mentioned in this document may be found in the online version available at: censis.org.uk/brochures<br />


Adware<br />

Application Programming Interfaces (APIs)<br />

Attack surface<br />

Backdoor<br />

Boot mechanism<br />

Bots<br />

Cloud system<br />

Cryptominers<br />

DDoS<br />

Dashboard<br />

Firmware<br />

Hacking/Hacker<br />

Industrial Internet of Things (I<strong>IoT</strong>)<br />

Keyloggers<br />

Machine to machine communication (M2)<br />

Malware<br />

Port<br />

Ransomware<br />

Rootkit<br />

Routers<br />

SCADA<br />

Secure by design<br />

Spyware<br />

Trojan<br />

Viruses<br />

Voice over Internet Protocol (VOIP)<br />

Worms<br />

Unwanted software designed to display advertisements<br />

The specification <strong>and</strong> software implementation enabling programs to communicate<br />

The total of the vulnerabilities of a device or system<br />

A method for bypassing security providing access to an <strong>IoT</strong> device or system<br />

The process by which a device starts-up before use<br />

Software that performs an automated task<br />

Shared computer data centre providing services, such as data storage<br />

Software designed to generate money through complex mathematical calculation<br />

Distributed denial-of-service, an attack with the aim of incapacitating a system preventing it servicing genuine users<br />

Also known as a User Interface or UI, this allows a person to interact with the computer system,<br />

e.g., a computer screen, tablet, mobile phone.<br />

Software controlling the low-level functionality of hardware<br />

Breaking into electronic systems (often the term ‘cracker’ is used instead to indicate a hacker with malicious intent)<br />

<strong>IoT</strong> used in manufacturing <strong>and</strong> industrial processes<br />

Software or hardware designed to monitor <strong>and</strong> collect key-presses by a user<br />

Machine to machine connected devices exchanging information with other connected devices, without<br />

human intervention.<br />

Software designed with an intended malicious purpose<br />

A physical or virtual interface on a device for connecting to an external device(s)<br />

Malware designed to perform an action with intent of extorting a ransom<br />

Malware designed to provide covert external access to an electronic system<br />

A device that directs computer/<strong>IoT</strong> network traffic<br />

Supervisory control <strong>and</strong> data acquisition system<br />

Designing a product, service or process with security in mind from development stage<br />

A malware program designed to covertly gather information without consent<br />

A malware program that looks legitimate but hides its malicious purpose<br />

A malware program designed to spread to other electronic systems by replicating <strong>and</strong> attaching itself to<br />

other computer programs<br />

Technology to able voice <strong>and</strong> video calls over the internet<br />

An independent malware program designed to spread to other electronic systems by replicating itself<br />


CENSIS is the centre of excellence for sensor <strong>and</strong> imaging<br />

systems (SIS) <strong>and</strong> Internet of Things (<strong>IoT</strong>) technologies.<br />

We help organisations of all sizes explore innovation<br />

<strong>and</strong> overcome technology barriers to achieve business<br />

transformation.<br />

As one of Scotl<strong>and</strong>’s Innovation Centres, our focus is not<br />

only creating sustainable economic value in the Scottish<br />

economy, but also generating social benefit. Our industryexperienced<br />

engineering <strong>and</strong> project management teams<br />

work with companies or in collaborative teams with university<br />

research experts.<br />

We act as independent trusted advisers, allowing<br />

organisations to implement quality, efficiency <strong>and</strong><br />

performance improvements <strong>and</strong> fast-track the development<br />

of new products <strong>and</strong> services for global markets.<br />

Contact details:<br />

CENSIS<br />

The Inovo Building<br />

121 George Street<br />

Glasgow<br />

G1 1RD<br />

Tel: 0141 330 3876<br />

Email: info @censis.org.uk<br />


Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!