Cyber Security and IoT

More documents

Recommendations

Info

The future for IoT device security As IoT solutions evolve, so do the threats against them. In the short-term companies, can ensure that they get the basics of IoT cyber security correct. In the long-term, to ensure companies maintain cyber security, foresighting is required to identify new and emerging threats and develop methods to mitigate against these. This is being supported by governments, academic institutions, trade bodies and commercial organisations. In addition to the published Code of Practice for Consumer IoT Security, several other industry and government organisations have published their own IoT security recommendations and guides. These guides serve to support the design, manufacturing and procurement processes of IoT components and systems. While the majority of guides focus on the security of software and communications, physical security for IoT hardware is also of importance and covered in more detail in articles such as IoTSF’s physical security article. Further sources for guides: • National Cyber Security Centre (NCSC) www.ncsc.gov.uk • Internet of Things Security Foundation (IoTSF) www.iotsecurityfoundation.org • EU Agency for Cybersecurity (formerly the European Union Agency for Network and Information Security - ENISA) www.enisa.europa.eu • GSM Association (GSMA) www.gsma.com • The National Institute of Standards and Technology (NIST) www.nist.gov • OWASP Foundation www.owasp.org IoT-focused labelling, standards and legislation It is not enough to merely encourage the adoption of best practice in the design of new products or services; industry should also adopt common labelling that clearly shows consumers that best practice has been followed. Not only would this provide comfort and peace of mind to buyers; it helps a manufacturer or service provider to stand out from the competition and enhances their reputation as a cyber security-focused company. In a recent research paper by Harris Interactive, 73% of people interviewed felt it is important or very important to introduce labels that highlight the security features on consumer IoT devices. Respondents also said that they would pay up to 10% more for the product. In May 2019, the UK Government launched a consultation on its regulatory proposals for consumer IoT security, stating its ambition for the first three points of its Code of Practice for Consumer IoT Security launched in October 2018 to become mandatory. These are: 1 All IoT device passwords shall be unique and shall not be resettable to any universal factory default value 2 The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues 3 Manufacturers will explicitly state the minimum length of time for which the product will receive security updates. The consultation explored various options for the mandatory labelling of IoT devices. It is expected that security labelling will initially be introduced on a voluntary basis. Proposed labels: Positive Essential security features included DEC 2021 Security updates until at least Dec 2021 Essential security features NOT included Negative Security updates NOT provided Source: https://www.gov.uk/government/consultations/consultationon-regulatory-proposals-on-consumer-iot-security/consultation-onthe-governments-regulatory-proposals-regarding-consumer-internetof-things-iot-security Building on the 2018 UK Code of Practice, the European Telecommunications Standards Institute (ETSI) released the world’s first standard (ETSI TS 103 645) for consumer IoT security in February 2019. Designed with worldwide needs in mind, its purpose is to create a baseline for IoT security, and will be used as the baseline for future IoT certification schemes. Other activities specifically focused on certification and labelling include the British Standards Institute (BSI) Kitemark TM for IoT devices, launched in 2018. Used for over 100 years, the Kitemark is a well-recognised logo, that indicates quality and safety in British products. Three different Kitemarks for IoT devices exist; residential, commercial and enhanced for residential or commercial products used in high risk or high value applications. Unlike the proposed UK regulation, the BSI IoT assessment is not self-certification based, it requires: • The IoT developer to hold compliance to the ISO 9001 quality standards. • Pass IoT product tests for functionality, interoperability and security. • Perform regular monitoring assessments of their labelled products. 11
EU and US cyber security legislation The new EU Cyber Security Act will come into force providing ENISA, the European Union Agency for Cybersecurity, an ongoing mandate to help the EU achieve a common, high-level of cyber security across all member states through better communication and collaboration. ENISA’s remit includes the creation of a common European cyber security certification framework for information and communications technology (ICT) products, processes and services, including IoT. This will work alongside other regulation and EU directives, including General Data Protection Regulation (GDPR) and Network and Information Security Directive (NIS Directive), which, respectively, focus on personal information security and overall security and resilience of networks and information systems in critical sectors. Other regulation activities in IoT-related cyber security elsewhere in the world include the approval of the Californian Security of Connected Devices bill in USA. The 2018 bill aims are: “This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.” In March 2019 the US Senate reintroduced the IoT Cybersecurity Improvement Act. The purpose of the act is similar to the activities in the UK in developing a baseline of cyber security requirements for IoT devices. To support this, the American National Institute of Standards and Technology (NIST) will issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices. This legislation is likely to affect Scottish companies looking to export IoT devices and provide IoT services into the EU and the US. Summary This document has introduced IoT cyber security and the importance of the ‘secure by design’ principle, to protect end users of IoT products and services. While the effect of a hack on a single vulnerable IoT device may not seem of concern, its interconnection to other systems could result in a greater impact, whether it be data theft or incapacitating the operation of a company. A collective effort in following best practice will help to ensure that IoT users will reap the benefits without being exposed to unnecessary cyber security-related risks. To support this effort, CENSIS has been commissioned by the Scottish Government and Scottish Enterprise to run an IoT cyber security programme over 2019/2020. The programme of activity will include a series of workshops, an accelerator programme and a themed hackathon to support innovation and economic development in IoT cyber security. 12
Page 1 and 2: Cyber Security and IoT Explaining w
Page 3 and 4: Integrating cyber security While Io
Page 5 and 6: Q How is IoT cyber security differe
Page 7 and 8: Current IoT risk areas • The Glob
Page 9 and 10: Malware Malware is software designe
Page 11: closed, hardware should not unneces
Page 15 and 16: Glossary Please note that details o

Cyber Security and IoT

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?