Cyber Security and IoT

Cyber 

Security 

and IoT 

Explaining why IoT (Internet of Things) 

devices must be secure by design 

censis.org.uk

Cyber security threats associated 

with Internet of Things (IoT) 

devices are evolving rapidly, 

keeping pace with the increased 

levels of IoT adoption across 

a range of end markets and 

application areas. 

1

Integrating 

cyber security 

While IoT devices offer transformational benefits to organisations and individuals, 

they require designers and manufacturers to be hyper-aware of the need to create 

solutions with cyber security and privacy in mind. 

It is essential to integrate security features during the design stages of IoT products 

and services, making them ‘secure by design’ and without impacting their 

functionality. 

This document is part of a Scottish Government-funded programme to demonstrate 

the transformative potential of IoT across some of Scotland’s key growth industries. 

It is intended as an introduction to IoT cyber security best practice to mitigate risks 

and provides links to additional sources of information. 

Whether you are in the development, manufacture, supply or procurement of IoT 

devices and services, this document provides what you need to know. 

www.censis.org.uk 

Contents 

Internet of Things (IoT) in context 3 

Cyber security overview 3 

Cyber security vulnerabilities and risks 5 

Common attack methods 7 

IoT cyber security best practice and legislation 9 

The future for IoT device security 11 

Glossary 14 

Text with an explanation in the Glossary on P14 is underlined the first time it is used. 

If you are reading the printed version of this brochure, you can download a hyperlinked pdf at censis.org.uk/brochures 

The information in this brochure is correct at time of writing. September 2019. 

2

Cyber security overview 

Q What is cyber security 

Cyber security is essential in preventing harm to the 

integrity of the electronic devices and services that 

people and organisations use daily, as well as ensuring 

the confidentiality of the data stored and transmitted. 

Some of these devices and services form the 

basis of our critical national infrastructure, such as 

emergency services, communications, transport, defence 

and utilities. 

Cyber security involves the use of processes, technologies 

and controls for the protection of devices, systems, 

networks and data from cyber attacks and the ability to 

recover from these attacks. 

Cyber security good practice 

Processes, 

technologies 

and 

controls 

Are 

applied to 

Devices, 

systems, 

networks 

and data 

Resulting 

in 

Protection from 

cyber attacks 

Ability to 

recover from 

attacks 

Internet of Things (IoT) in context 

Q What exactly does ‘Internet of Things’ mean? 

A To simplify the vast amount of chat and hype around 

IoT, think of it in its broadest sense as: ‘a system of 

things using the internet or private network to 

connect and communicate with each other’. 

Q What ‘things’? 

A We say ‘things’ but really mean ‘devices’ that are 

connected via the internet to each other. Your phone 

is probably such a device. Some watches are 

internet-enabled. Often, you’ll hear ‘smart’ added to 

the front of something to describe that it can 

connect to the internet and chat to other devices, 

e.g., smartphone, smartwatch, smart lighting. In an 

IoT network, each device has a unique identifier 

and can transfer and/or receive data over a network 

connection. 

Q But this is nothing new, haven’t devices been 

connecting to the internet for years? 

A Yes, they have. But technology has advanced so 

much in recent times that we now have 

the capability to connect many more 

low cost, small, battery operated devices 

to the internet. If we install a sensor on 

such a device, the sensor can gather data, 

then send the information over the 

internet. This combined with the rise 

of low-cost cloud computing is enabling 

a vast amount of new opportunities. 

For further information, read: 

CENSIS ‘Getting started with IoT’ 

https://www.censis.org.uk/brochures 

3

Q How is IoT cyber security different 

to IT cyber security? 

The main difference is that IoT devices are more connected 

to the physical world. There is also a greater number 

and wider range of types of IoT devices than IT devices. 

The environments that IoT devices operate in are more 

diverse than traditional IT systems and could include 

being in remote areas, exposed to extreme weather or in a 

situation in which they are vulnerable to tampering. 

IoT devices are also procured, used or managed by a 

wider range of people and are less likely to be maintained 

and updated with the latest software when compared to 

IT devices. While machine-to-machine communications 

and attacks have been around for decades, IoT is a 

relatively new term, and the most high-profile cyber 

attacks have occurred in the last 10 years. 

Q Why do intentional IoT cyber 

attacks take place? 

Intentional attacks on IoT devices occur for several 

reasons, such as: 

• Financial gain – a primary motivation for attacks is 

either stealing information to sell or holding it for 

extortion or ransom. 

• Preventing or limiting ability to operate - possibly 

motivated by revenge, differing beliefs, terrorism, 

activism or an attempt to damage competitors 

financially or reputationally. These could be attacks to 

temporarily disrupt services or actions which could 

lead to permanent physical damage to devices or 

result in injury to users. 

• Curiosity and challenge - while some attacks may be 

financially motivated, others are driven by an interest 

in technology, the challenge presented and the ability 

to brag and boast about hacking activities. 

Q Who commits cyber attacks? 

There is no one profile of individual or organisation that 

performs IoT attacks. They range from hackers working 

alone or in small groups through to organised criminal 

gangs and even nation states engaged in wider espionage 

activity and/or cyber warfare. 

Q How big a problem is an IoT 

cyber attack? 

We live in an increasingly hyper-connected world. 

The introduction of IoT devices significantly increases 

the surface of connected devices visible to be attacked 

and thus the exposure to risk. IoT is therefore a potential 

route into or to disrupt wider systems, applications and 

networks, if not adequately protected. 

The forecasts for the number of IoT devices varies but the 

research organisation Gartner predicts that there will be 

25 billion IoT devices by 2021. Bain & Company survey 

reported that in 2018, 45% of IoT buyers in companies 

cited security concerns as a factor limiting adoption. 

These figures offer an indication of the size of the 

challenge for both IoT developers and end users. 

According to research by Dutch software firm Irdeto, 

the financial risk to the UK from cyber attacks targeting 

IoT devices could be approximately £1 billion annually, 

a figure based on the current average cost per UK 

business each year of £244,000. 

Attacks tend 

not to be 

personal or specifically 

targeted, it’s more often 

the case that individuals 

or organisations have 

known IoT vulnerabilities, 

making them easy targets 

to attack 

4

Cyber security vulnerabilities and risks 

Technology evolution has led to the emergence of lowpower 

IoT devices with high processing performance, 

large internal data storage capacity and wireless 

communications interconnectivity. The ability to integrate 

small low-cost sensors into these devices has led to a 

greater range of embedded and wearable products and 

associated services. The inclusion of microphones and 

cameras in IoT products has also raised concerns over 

privacy, both in the workplace and in the home. 

To increase the level of trust in the use of IoT devices and 

services, reduce exposure to risk and drive greater adoption, 

developers and manufacturers must be aware of the 

potential vulnerabilities and ensure that these are reduced 

or removed. 

Vulnerabilities 

IoT-based systems become vulnerable in several ways: 

• Unsecure devices that are not password protected, or 

that use simple, easy to break passwords that are not fit 

for purpose 

• Poor design, manufacturing and test processes 

• Lack of IoT technical knowledge in companies 

procuring solutions 

• Unmaintained devices with firmware which has not 

been kept up to date 

• Poor device integration and configuration with other 

electronic systems 

• Undefined responsibility for IoT systems management 

and maintenance 

• Unused devices left connected to networks 

• Unknown, forgotten, hidden - but exploitable - devices 

network - these were devices like security cameras or 

uninterruptable power supplies. Many were not registered 

with the IT department and did not meet security 

standards, making them vulnerable to attack. 

The potential consequences in this case were very 

worrying - the theft of personal medical data or an 

attack on the systems that provide power to life-critical 

machines in the event of a main power failure. 

Good practice after identifying 

vulnerability 

It is good practice for organisations to develop and 

publish a coordinated vulnerability disclosure (CVD) 

process. A CVD process is the gathering of information 

from whoever has found and legally reported a device 

or service vulnerability, managing the distribution of the 

information to stakeholders and disclosing the existence 

and solutions to the stakeholders, often including the 

public. It is generally expected that the reporting party will 

not publicly share any knowledge of the vulnerability until 

the process has been followed and ideally a solution or 

mitigation is found. 

These issues create particular challenges for smaller 

or highly distributed organisations who may not have a 

full-time member of staff responsible for cyber security. 

It might fall to an IT or operations member of staff as only 

part of their job. 

Even in larger organisations with dedicated cyber security 

staff, the sheer number of devices an organisation 

handles can still create a challenge. This was highlighted 

in a BBC interview with the Chief Information Security 

Officer (CISO) for the largest health provider in New 

Jersey, USA. The CISO was responsible for 13 hospitals 

containing 30,000 computers, 300 apps, a data centre 

and company mobile phones. During an IoT audit he 

discovered 70,000 IoT devices accessing the company’s 

5

Current IoT risk areas 

• The Global Risks Report 2019 by the World Economic 

Forum lists ‘Large-scale cyber-attacks’ and ‘Massive 

incident of data fraud or theft’ as two of the top five 

global risks in terms of likelihood during the next 

10 years. 

• The Economist Intelligence Unit’s (EIU) Top 10 

Global Risks includes cyber-attacks and data integrity 

concerns crippling large parts of the internet. 

• Cambridge Global Risk Index 2019, a quantification 

of the potential GDP impact, notes that cyber-attack 

is the sixth highest financial risk ($39.7 Billion) after a 

human pandemic and flooding. 

• Security solutions company, Fortinet, reported in their 

2018 4th Quarter Threat Landscape report that half 

of the top 12 security exploits reported to their 

company related to IoT devices. 

• The digital information security company Gemalto 

disclosed that only 48% of businesses can detect if 

any of their IoT devices have suffered a security breach. 

• ENISA Threat Landscape Report 2018 reports an 

increasing number of attacks on Industrial Internet of 

Things (IIoT) devices in utilities, oil and natural gas and 

manufacturing sectors. 

• F-Secure, a cyber security company with a 

global presence, reported that the number of IoT 

threats doubled in 2018, from 19 to 38 within a 

12-month period. 

Smart 

televisions 

Thermostats 

Digital video 

recorders/ 

network video 

recorders 

Voice over 

IP (VOIP) 

telephones 

Networked 

cameras 

Popular 

IoT 

targets 

Network 

routers and 

access points 

Mobile 

smartphones 

Network 

attached 

storage 

Printers 

6

Common attack methods 

Attacks on IoT devices are typically achieved in one of seven different ways, or by using a combination of the seven. 

Exploits 

Poor system 

configuration 

Distributed Denialof-Service 

(DDoS) 

IoT attack 

methods 

Cloud system and 

data centre attacks 

Man in middle attacks 

Malware 

Physical 

Physical attacks 

An IoT device can be compromised 

if physical access can be gained to 

external interfaces, such as USB ports 

or test ports used in the manufacture, 

maintenance or test of an IoT device. 

Considered to be one of the earliest 

cyber hacking tools designed to 

cause physical damage to networked 

equipment, Stuxnet was a malicious 

computer worm aimed at industrial 

control systems. It is believed to 

have damaged Iranian uranium 

enriching centrifuges in 2010 after 

it was introduced to the 

organisation’s network via a USB 

stick. The organisation’s network was 

not connected to the internet. 

Exploits 

Known vulnerabilities in an IoT 

device’s hardware, embedded 

software and operating system can 

be exploited to gain access. These 

vulnerabilities can range from poor 

processing or formatting of data to 

an insecure method for updating 

the IoT device’s firmware and poor 

memory management. 

In 2017 the US Food and Drug 

Administration (FDA) recalled 465,000 

radio-controlled implantable cardiac 

pacemakers due to identified cyber 

security vulnerabilities; there were 

concerns that hackers could control 

the implanted devices. A firmware 

update was issued to address the 

vulnerabilities, allowing patients 

whose devices were already fitted to 

be updated and secured on the next 

visit to their physician. 

Poor system configuration 

One of the simplest methods of 

compromising an IoT device is by using 

common, hardcoded, easily guessable 

or weak passwords. Poor configurations 

of an IoT device may also provide a 

simple avenue to attack, for example 

leaving a communications port open or 

a backdoor login for test purposes. 

In 2018 there were reports of an 

audacious cyber attack saw a US casino 

suffer a significant theft of data when its 

IT networked systems were breached 

via an IoT smart fish tank controller. 

The poor configuration of the casino’s 

network between the IoT and IT 

systems led to 10 gigabytes of company 

data being transferred to Finland before 

the hack was identified and stopped. 

7

Malware 

Malware is software designed to 

infiltrate and damage, control or 

disable electronics systems, including 

IoT devices. This can come in many 

forms including viruses, worms, 

trojans, ransomware, rootkit, spyware, 

adware and keyloggers. Malware can 

be used to form collectives of ‘bots’ 

(Botnets) for performing automated 

malicious attacks (see sub-section 

below). According to cyber security 

solutions company McAfee, in the 

last year there has been a rise of 

203% in IoT malware in the form of 

‘cryptominers’ that hijack devices 

for mining cryptocurrency which 

is currently seen as a more lucrative 

business than ransomware. 

In December 2015, a regional 

electricity distribution company in 

Ukraine was attacked. The SCADA 

system controlling, and monitoring 

power distribution was targeted, 

enabling the attacker to switch off 

several substations. To obtain initial 

access to the company systems, 

malware was delivered by email. Two 

additional power companies were 

also attacked resulting in 225,000 

customers losing power for several 

hours. 

DDoS 

Distributed Denial-of- 

Service (DDoS) 

DDoS involves an attacker gaining 

access into a large number of 

distributed IoT devices. When access 

has been obtained, the attacker gains 

control of the devices (usually by 

installing malware), turning each of 

the devices into what is called a ‘Bot’ 

or Zombie. The attacker can then 

instruct a group of ‘Bots’ to act as a 

‘Botnet’ to send requests to target 

internet addresses, such as cloud 

service providers. The significant 

amount of internet traffic generated 

reduces the capacity or prevents 

the target from servicing other valid 

users. This can also stop each of 

the IoT ‘Bot’ devices functioning as 

originally intended. 

An example of this is the 2016 Mirai 

Botnet. Several high-profile attacks 

happened that year, including an attack 

on Dyn, an internet infrastructure 

company. The attack prevented users 

from accessing social media accounts 

and other popular websites in the US 

and Europe. Mirai was one of the first 

pieces of software to enable largescale 

DDoS attacks. Mirai scans internet 

addresses to find devices, e.g., digital 

video recorders and CCTV cameras, 

with unsafe, easy to guess, default 

usernames and passwords; then it logsin 

and configures the devices to send 

data to an online target. With enough of 

these devices or ‘bots’ sending data, the 

online target is overloaded with requests 

from ‘bots’ and is unable to accept 

requests from legitimate users. More 

than 100,000 devices were thought 

to have been targeted, taken over, and 

used in this attack. 

Man-in-middle attacks 

This describes where someone 

intercepts communications between 

IoT devices and/or other Internetconnected 

systems. The attacker 

poses as the original sender of the 

data. This allows eavesdropping and 

the ability to send data to and receive 

data from the IoT devices undetected, 

enabling manipulation of the IoT 

devices and connected systems. 

Cloud system and data 

centre attacks 

Cloud system and data centre attacks 

can be performed in several ways 

by targeting parts of the system 

architecture. This may include 

attacking the web server function 

used to provide IoT dashboards 

(displaying data from the IoT devices 

or providing centralised control of IoT 

devices), or attacking the database 

systems used to store gathered IoT 

data. As many IoT devices rely on a 

cloud system to function correctly, 

as part of the overall IoT solution, this 

may render the IoT incapacitated or 

severely limit the ability for the IoT 

devices to function. 

IoT attack 

surface 

IoT 

device 

Man-in-the-middle 

Comms. 

network 

infrastructure 

Man-in-the-middle 

Cloud providers 

Malware, exploits, poor system configuration and physical attack (Arrows show direction of attack/target) 

8

IoT cyber security best practice 

and legislation 

In order to drive greater adoption of IoT, the public 

needs to feel comfortable that the products and services 

they buy or use are not only fit for purpose in terms 

of functionality, but that they also protect them from 

potential cyber-related threats. 

To this end, the UK government has created a best 

practice guide for IoT cyber security for manufacturers of 

products and service providers. The objective of the Code 

of Practice for Consumer IoT Security is to reduce the 

challenge for individuals and organisations in making their 

own assessment of what is cyber secure. 

In the 2018 IDG Security Priorities Study 74% of 

business respondents stated that best practices determine 

their priority for security spending. 

The UK Government takes 

the issue of consumer IoT 

security very seriously. We recognise the 

urgent need to move the expectation 

away from consumers securing their 

own devices and instead ensure that 

strong cyber security is built into these 

products by design.” 

“A recent survey of 6,482 consumers 

has shown that when purchasing a 

new consumer IoT product, ‘security’ 

is the third most important information 

category (higher than privacy or design) 

and among those who didn’t rank 

‘security’ as a top-four consideration, 

72% said that they expected security to 

already be built into devices that were 

already on the market” 

Source: Consultation on the Government’s regulatory proposals 

regarding consumer Internet of Things (IoT) security, May 2019 

Best Practice Guides 

In October 2018, the UK Government Department 

for Digital, Culture, Media & Sport (DCMS) published 

the Code of Practice for Consumer IoT Security. 

These guidelines are aimed at everyone involved in the 

development, manufacture, service provision and retail of 

consumer IoT devices and services to ensure that they are 

‘secure by design’. 

The code considers consumers to be all end-users of IoT 

products and services. Products include children’s toys, 

smart cameras and TVs, wearable health trackers, home 

automation and safety products such as smoke detectors 

and burglar alarms. 

While focused on products and services typically used in 

the home, the general principles are applicable to those 

used in commercial and industrial environments. 

The Code includes a prioritised list of 13 good practice 

IoT security guidelines: 

1 No default passwords 

All IoT device passwords shall be unique and not 

resettable to any universal factory default value 

2 Implement a vulnerability disclosure policy 

All companies that provide internet-connected 

devices and services shall provide a public point of 

contact as part of a vulnerability disclosure policy in 

order that security researchers and others are able 

to report issues. Disclosed vulnerabilities should be 

acted on in a timely manner. 

3 Keep software updated 

Software components in internet-connected devices 

should be securely updateable. Updates shall be 

timely and should not impact on the functioning of 

the device. An end-of-life policy shall be published 

for end-point devices which explicitly states the 

minimum length of time for which a device will 

receive software updates and the reasons for the 

length of the support period. The need for each 

update should be made clear to consumers and an 

update should be easy to implement. For constrained 

devices that cannot physically be updated, the 

product should be isolatable and replaceable. 

4 Securely store credentials and security-sensitive data 

Any credentials shall be stored securely within services 

and on devices. Hard-coded credentials in device 

software are not acceptable. 

5 Communicate securely 

Security-sensitive data, including any remote 

management and control, should be encrypted in 

transit, appropriate to the properties of the technology 

and usage. All keys should be managed securely. 

6 Minimise exposed attack surfaces 

All devices and services should operate on the 

‘principle of least privilege’; unused ports should be 

9

closed, hardware should not unnecessarily expose 

access, services should not be available if they are not 

used and code should be minimised to the 

functionality necessary for the service to operate. 

Software should run with appropriate privileges, taking 

account of both security and functionality. 

7 Ensure software integrity 

Software on IoT devices should be verified using 

secure boot mechanisms. If an unauthorised change 

is detected, the device should alert the consumer/ 

administrator to an issue and should not connect 

to wider networks than those necessary to perform 

the alerting function. 

8 Ensure that personal data is protected 

Where devices and/or services process personal 

data, they shall do so in accordance with applicable 

data protection law, such as the General Data 

Protection Regulation (GDPR) and the Data Protection 

Act 2018. Device manufacturers and IoT service 

providers shall provide consumers with clear and 

transparent information about how their data is being 

used, by whom, and for what purposes, for each 

device and service. This also applies to any third 

parties that may be involved (including advertisers). 

Where personal data is processed on the basis of 

consumers’ consent, this shall be validly and lawfully 

obtained, with those consumers being given the 

opportunity to withdraw it at any time. 

9 Make systems resilient to outages 

Resilience should be built in to IoT devices and 

services where required by their usage or by other 

relying systems, taking into account the possibility of 

outages of data networks and power. As far as 

reasonably possible, IoT services should remain 

operating and locally functional in the case of a loss 

of network and should recover cleanly in the case of 

restoration of a loss of power. Devices should be able 

to return to a network in a sensible state and in an 

orderly fashion, rather than in a massive scale 

reconnect. 

10 Monitor system telemetry data 

If telemetry data is collected from IoT devices and 

services, such as usage and measurement data, it 

should be monitored for security anomalies. 

11 Make it easy for consumers to delete personal data 

Devices and services should be configured such that 

personal data can easily be removed from them when 

there is a transfer of ownership, when the consumer 

wishes to delete it and/or when the consumer wishes 

to dispose of the device. Consumers should be given 

clear instructions on how to delete their personal data. 

12 Make installation and maintenance of devices easy 

Installation and maintenance of IoT devices should 

employ minimal steps and should follow security best 

practice on usability. Consumers should also be 

provided with guidance on how to securely set up 

their device. 

13. Validate input data 

Data input via user interfaces and transferred via 

application programming interfaces (APIs) or 

between networks in services and devices shall 

be validated. 

Reproduced from Code of Practice for Consumer IoT Security. 

Please read the Code for more information on each of the above 

guidelines. The Department for Digital, Culture, Media and Sport will 

periodically review the Code and publish updates, at least every two years. 

Please visit https://www.gov.uk/government/collections/secure-by-design 

to be kept informed. 

10

The future for IoT device security 

As IoT solutions evolve, so do the threats against them. 

In the short-term companies, can ensure that they get 

the basics of IoT cyber security correct. In the long-term, 

to ensure companies maintain cyber security, foresighting 

is required to identify new and emerging threats and 

develop methods to mitigate against these. This is being 

supported by governments, academic institutions, trade 

bodies and commercial organisations. 

In addition to the published Code of Practice for 

Consumer IoT Security, several other industry and 

government organisations have published their own 

IoT security recommendations and guides. These 

guides serve to support the design, manufacturing and 

procurement processes of IoT components and systems. 

While the majority of guides focus on the security of 

software and communications, physical security for IoT 

hardware is also of importance and covered in more 

detail in articles such as IoTSF’s physical security article. 

Further sources for guides: 

• National Cyber Security Centre (NCSC) 

www.ncsc.gov.uk 

• Internet of Things Security Foundation (IoTSF) 

www.iotsecurityfoundation.org 

• EU Agency for Cybersecurity (formerly the 

European Union Agency for Network and Information 

Security - ENISA) www.enisa.europa.eu 

• GSM Association (GSMA) www.gsma.com 

• The National Institute of Standards and 

Technology (NIST) www.nist.gov 

• OWASP Foundation www.owasp.org 

IoT-focused labelling, standards and 

legislation 

It is not enough to merely encourage the adoption of best 

practice in the design of new products or services; industry 

should also adopt common labelling that clearly shows 

consumers that best practice has been followed. Not only 

would this provide comfort and peace of mind to buyers; 

it helps a manufacturer or service provider to stand out 

from the competition and enhances their reputation as a 

cyber security-focused company. 

In a recent research paper by Harris Interactive, 73% of 

people interviewed felt it is important or very important 

to introduce labels that highlight the security features on 

consumer IoT devices. Respondents also said that they 

would pay up to 10% more for the product. 

In May 2019, the UK Government launched a consultation 

on its regulatory proposals for consumer IoT security, 

stating its ambition for the first three points of its Code of 

Practice for Consumer IoT Security launched in October 

2018 to become mandatory. These are: 

1 All IoT device passwords shall be unique and shall not 

be resettable to any universal factory default value 

2 The manufacturer shall provide a public point of 

contact as part of a vulnerability disclosure policy 

in order that security researchers and others are able 

to report issues 

3 Manufacturers will explicitly state the minimum 

length of time for which the product will receive 

security updates. 

The consultation explored various options for the mandatory 

labelling of IoT devices. It is expected that security labelling 

will initially be introduced on a voluntary basis. 

Proposed labels: 

Positive 

Essential security 

features included 

DEC 

2021 

Security updates 

until at least Dec 2021 

Essential security 

features NOT included 

Negative 

Security updates 

NOT provided 

Source: https://www.gov.uk/government/consultations/consultationon-regulatory-proposals-on-consumer-iot-security/consultation-onthe-governments-regulatory-proposals-regarding-consumer-internetof-things-iot-security 

Building on the 2018 UK Code of Practice, the European 

Telecommunications Standards Institute (ETSI) released the 

world’s first standard (ETSI TS 103 645) for consumer IoT 

security in February 2019. Designed with worldwide needs 

in mind, its purpose is to create a baseline for IoT security, 

and will be used as the baseline for future IoT certification 

schemes. 

Other activities specifically focused on certification and 

labelling include the British Standards Institute (BSI) 

Kitemark TM for IoT devices, launched in 2018. Used for 

over 100 years, the Kitemark is a well-recognised logo, 

that indicates quality and safety in British products. Three 

different Kitemarks for IoT devices exist; residential, 

commercial and enhanced for residential or commercial 

products used in high risk or high value applications. 

Unlike the proposed UK regulation, the BSI IoT 

assessment is not self-certification based, it requires: 

• The IoT developer to hold compliance to the 

ISO 9001 quality standards. 

• Pass IoT product tests for functionality, interoperability 

and security. 

• Perform regular monitoring assessments of their 

labelled products. 

11

EU and US cyber security legislation 

The new EU Cyber Security Act will come into force 

providing ENISA, the European Union Agency for 

Cybersecurity, an ongoing mandate to help the EU achieve 

a common, high-level of cyber security across all member 

states through better communication and collaboration. 

ENISA’s remit includes the creation of a common European 

cyber security certification framework for information and 

communications technology (ICT) products, processes 

and services, including IoT. This will work alongside 

other regulation and EU directives, including General 

Data Protection Regulation (GDPR) and Network and 

Information Security Directive (NIS Directive), which, 

respectively, focus on personal information security and 

overall security and resilience of networks and information 

systems in critical sectors. 

Other regulation activities in IoT-related cyber security 

elsewhere in the world include the approval of the 

Californian Security of Connected Devices bill in USA. 

The 2018 bill aims are: 

“This bill, beginning on January 1, 2020, would require a 

manufacturer of a connected device, as those terms are 

defined, to equip the device with a reasonable security 

feature or features that are appropriate to the nature and 

function of the device, appropriate to the information it 

may collect, contain, or transmit, and designed to protect 

the device and any information contained therein from 

unauthorized access, destruction, use, modification, or 

disclosure, as specified.” 

In March 2019 the US Senate reintroduced the IoT 

Cybersecurity Improvement Act. The purpose of the act is 

similar to the activities in the UK in developing a baseline 

of cyber security requirements for IoT devices. To support 

this, the American National Institute of Standards and 

Technology (NIST) will issue recommendations addressing, 

at a minimum, secure development, identity management, 

patching, and configuration management for IoT devices. 

This legislation is likely to affect Scottish companies 

looking to export IoT devices and provide IoT services into 

the EU and the US. 

Summary 

This document has introduced IoT cyber security and 

the importance of the ‘secure by design’ principle, to 

protect end users of IoT products and services. While the 

effect of a hack on a single vulnerable IoT device may not 

seem of concern, its interconnection to other systems 

could result in a greater impact, whether it be data 

theft or incapacitating the operation of a company. 

A collective effort in following best practice will help to 

ensure that IoT users will reap the benefits without being 

exposed to unnecessary cyber security-related risks. 

To support this effort, CENSIS has been commissioned by the 

Scottish Government and Scottish Enterprise to run an IoT 

cyber security programme over 2019/2020. The programme 

of activity will include a series of workshops, an accelerator 

programme and a themed hackathon to support innovation 

and economic development in IoT cyber security. 

12

Finding IoT expertise 

If you have an idea for a product or service that could bring 

value to your business and your customers, there are a 

number of organisations who could support your plans. 

If you contact CENSIS in the first instance, we can signpost 

you to a suitable organisation for your needs, or we may be 

able to provide advice, technical support and the resources 

you need to create a full solution. 

At CENSIS we see most IoT projects starting off as small-scale 

pilots to test the functionality with off-the-shelf components 

or modular electronics. This allows users to explore what 

information is useful to gather and if the system will be 

suitable for their requirements. A smaller pilot also allows all 

the stakeholders to test, play, and understand the potential 

impact of a larger scale rollout. 

censis.org.uk 

Your first prototype 

Joining the IoT community 

in Scotland 

There are many organisations setting out on their IoT journey 

and finding value in sharing thoughts and challenges. 

With our experience across a huge range of market sectors 

and our knowledge of enabling technologies, CENSIS has 

strong relationships with Scottish companies, public sector 

organisations, university research groups and hardware and 

software suppliers. 

As part of our CENSIS community, you can join in with 

our regular IoT meetups to discuss ideas with like-minded 

people, take part in one of our hands-on technical 

workshops or come along to one of our Future Tech events 

to solve market sector problems in an open forum. 

The highlight of our year is the annual CENSIS Technology 

Summit and Conference, where we hear from challenge 

providers, meet exhibitors who are showcasing new 

technologies, and network and connect with the sensors, 

imaging and IoT community. 

There are many ‘out of the box’, turnkey solutions that you 

can buy off the shelf to let you create a first prototype and 

test your IoT solution. 

CENSIS has created a flexible IoT development kit that can 

help you get up and running with IoT quickly and without 

the need for deep technical knowledge. This has a range of 

popular sensors, communication and power options and is 

flexible to allow the user to measure and send data easily. 

It allows users to explore IoT concepts without having to 

code or configure networks themselves. 

Join our 

community at 

censis.org.uk 

13

Glossary 

Please note that details of sources mentioned in this document may be found in the online version available at: censis.org.uk/brochures 

TERM MEANING 

Adware 

Application Programming Interfaces (APIs) 

Attack surface 

Backdoor 

Boot mechanism 

Bots 

Cloud system 

Cryptominers 

DDoS 

Dashboard 

Firmware 

Hacking/Hacker 

Industrial Internet of Things (IIoT) 

Keyloggers 

Machine to machine communication (M2) 

Malware 

Port 

Ransomware 

Rootkit 

Routers 

SCADA 

Secure by design 

Spyware 

Trojan 

Viruses 

Voice over Internet Protocol (VOIP) 

Worms 

Unwanted software designed to display advertisements 

The specification and software implementation enabling programs to communicate 

The total of the vulnerabilities of a device or system 

A method for bypassing security providing access to an IoT device or system 

The process by which a device starts-up before use 

Software that performs an automated task 

Shared computer data centre providing services, such as data storage 

Software designed to generate money through complex mathematical calculation 

Distributed denial-of-service, an attack with the aim of incapacitating a system preventing it servicing genuine users 

Also known as a User Interface or UI, this allows a person to interact with the computer system, 

e.g., a computer screen, tablet, mobile phone. 

Software controlling the low-level functionality of hardware 

Breaking into electronic systems (often the term ‘cracker’ is used instead to indicate a hacker with malicious intent) 

IoT used in manufacturing and industrial processes 

Software or hardware designed to monitor and collect key-presses by a user 

Machine to machine connected devices exchanging information with other connected devices, without 

human intervention. 

Software designed with an intended malicious purpose 

A physical or virtual interface on a device for connecting to an external device(s) 

Malware designed to perform an action with intent of extorting a ransom 

Malware designed to provide covert external access to an electronic system 

A device that directs computer/IoT network traffic 

Supervisory control and data acquisition system 

Designing a product, service or process with security in mind from development stage 

A malware program designed to covertly gather information without consent 

A malware program that looks legitimate but hides its malicious purpose 

A malware program designed to spread to other electronic systems by replicating and attaching itself to 

other computer programs 

Technology to able voice and video calls over the internet 

An independent malware program designed to spread to other electronic systems by replicating itself 

14

CENSIS is the centre of excellence for sensor and imaging 

systems (SIS) and Internet of Things (IoT) technologies. 

We help organisations of all sizes explore innovation 

and overcome technology barriers to achieve business 

transformation. 

As one of Scotland’s Innovation Centres, our focus is not 

only creating sustainable economic value in the Scottish 

economy, but also generating social benefit. Our industryexperienced 

engineering and project management teams 

work with companies or in collaborative teams with university 

research experts. 

We act as independent trusted advisers, allowing 

organisations to implement quality, efficiency and 

performance improvements and fast-track the development 

of new products and services for global markets. 

Contact details: 

CENSIS 

The Inovo Building 

121 George Street 

Glasgow 

G1 1RD 

Tel: 0141 330 3876 

Email: info @censis.org.uk 

19.8.v1.ICS

Cyber Security and IoT

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?