Joe Lomako, Business Development Manager (IoT) at TÜV SÜD, a global product testing and certification organisation, details the threat IoT devices have to the security of an organisation, and how to build up a defence.
As devices, systems and processes become increasingly digitalised and interconnected, the Internet of Things (IoT) opens a wealth of opportunities for consumer products, connected wearables, home automation and connected health etc. However, they also present a cyberattack opportunity for criminals.
The introduction of the NIS Directive (security of network and information systems) in Europe is intended to improve this situation, but uptake is slow, as is the introduction of the standards required to assist in improving cyber security. However, standards do exist or are being developed by international organisations aimed at providing baseline protection, which would help to deliver basic security provisions as a first line in cyber defence. Examples include, not having default passwords or ensuring that a device’s software can be updated ‘over the air’.
Globally accepted standards provide a basis for mutual understanding and create an effective medium for communication. If all stakeholders are working to the same standard, this promotes interactivity and interoperability. Standards in IoT apply to many different areas and disciplines, however, but two important areas are protocols and security.
The protocol standards are developed so that technologies from different manufacturers can interoperate and communicate. For example, two Bluetooth headsets from different manufacturers can both communicate with ease to the same mobile handset because they have followed the same standards. Standardisation in cybersecurity sets a baseline for applying the same set of rules to determine a basic protection provision and a means of assessing threat resilience.
The European Union’s Cybersecurity Act – Regulation 2019/881 is already in place and has two main objectives. Firstly, strengthening the mandate of the EU Agency for Cybersecurity (ENISA), which contributes to cyber policy; enhances the trustworthiness of products, services, operational cooperation; and promotes knowledge. Secondly, it aims to establish an EU-wide cybersecurity framework.
As for impending legislation, it has recently been announced that Articles 3.3(d)(e) & (f) of the Radio Equipment Directive have been adopted, paving the way for further cybersecurity standardisation. While this is currently being reviewed, the most likely approach will be to require that radio equipment incorporates safeguards that ensure the personal data and privacy of the user and subscriber are protected, and that radio equipment supports certain features ensuring protection from fraud. It would also mean that radio equipment would need to support features that ensure that software can only be loaded into the radio equipment once the compliance of the combination of the radio equipment and software has been demonstrated.
Two important documents that are presently in use, which specifically relate to IoT devices, are Guidelines document NIST.IR 8259 (US) and the Standard EN 303 645 (EU). The EN 303 645 covers only consumer products, whereas the scope of NIST.IR 8259 is not confined to consumer products and its general principles can therefore be applied to help demonstrate a baseline of cybersecurity protection for any IoT product.
Although legislation has yet to be introduced in Europe, assessment can still be performed using the EN 303 645 standard. An accompanying document, TS 103 701, provides a test methodology to be used. However, in the near future this may change as more standards are developed.
Also, now that the UK has left the EU, it is preparing new legislation derived from the EN 303 645 standard, and this is strengthened by the recent introduction of the Product Security and Telecommunications Infrastructure Bill (PSTI), and it will be initially limited to three security requirements:
- A ban on universal default passwords in consumer smart products
- The implementation of means to manage reports of vulnerabilities
- Transparency as to how long a product will receive security updates.
There are other existing standards which are aimed at improving security from network infrastructure to devices. For example, it is possible that industrial IoT devices and systems could be certified under the IEC 62443 series of standards, as part of a larger installation. This standard series addresses security for industrial automation and control systems (IACS).
Although it may seem that the standards do not cover everything, they do at least offer a first line of defence from cyberattack. However, manufacturers should also consider their own cybersecurity programmes as there are other options outside the present standards landscape. This includes more stringent, bespoke testing or “penetration testing” and the necessity to think “secure by design” from the onset and take a proactive approach to cybersecurity by recognising that attacks are “when not if”.
Threat resilience should also be an iterative task. Not all threats may have been discovered during the first assessment. It is therefore very important to ensure up to date compliance with all standards and constantly review your ‘cyber resistance’ status. Ongoing investment in cybersecurity is therefore crucial to keep up with technological development, as cybercriminals rapidly develop new forms of attack. Tackling the problems of cybersecurity risks can therefore only be realised by comprehensive planning, periodic evaluation, updates and monitoring. This must be done continuously, from design through to obsolescence.