We are moving toward a fully digitalized and connected world. The way we work, the way we communicate, the way we interact with our ecosystem... is changing.
This is also why companies that were typically analog and ‘offline’ (in terms of connectivity) are now becoming Internet companies. The IoT era will bring many advantages, but also the risks and security issues that are inherent to having everything connected.
The threat is real. Several examples in the past years have demonstrated how vulnerable a system can be when security issues become ‘the elephant in the room’: always there, but with nobody willing to tackle them:
Most of these problems are not new (e.g. DDoS attacks have always existed), but they are magnified by the sheer number of IoT devices deployed in the field. By incorporating all kinds of IoT devices, the attack surface of any system becomes larger, and weak links become more likely to be exposed and identified. Imagine what could be done if the 30.7 billion devices predicted by 2020 became part of a massive and malicious botnet.
The lack of regulation and standardization regarding IoT security has helped to bring about this situation. Another factor is the lack of proper security awareness among IoT developers: many lessons learned in other IT areas (the importance of secure communications or strong authentication mechanisms) seem to be forgotten when we reach the IoT ecosystem.
However, this may change in the short term. Most governments, especially in Europe and the USA, are worried about this absence of security. In Europe, IoT devices handling personal data should protect its integrity and confidentiality, both at rest and in transit, according to the European General Data Protection Regulation (GDPR). The lack of a proper update mechanism could be a real headache if your company falls under the scope of the Network and Information Systems (NIS) directive (think of IoT devices for Industry 4.0). It is true that the above-mentioned regulations were not designed specifically to tackle IoT, but they have major implications for IoT solutions.
In the USA, the state of California has passed the SB-327 Information privacy bill into law. It is the first regulation for IoT security in the States, and I would say for any western country. It will stop bad practices, such as the use of insecure default passwords in IoT devices sold in the state of California, from January 1st, 2020. This is the first real milestone towards regulating IoT security.
Furthermore, cybersecurity is becoming a main concern for several safety-critical industries such as automotive, aerospace and healthcare. As those industries connect their operational systems, security risks are turning into safety risks and can no longer be ignored. Some regulatory initiatives for those sectors are being discussed right now, such as the SPY Car Act or the Medical Device Cybersecurity Act in the USA, or a commission for drone cybersecurity requirements in Spain.
Developing a security certification scheme for IoT solutions can be a way to assess compliance with the requirements of future (and present) regulations. However, there is still no adequate security certification scheme for IoT. There are two main reasons. The first is that current schemes such as Common Criteria (CC) do not fit well with the time-to-market demands of most IoT products: CC provides good high-assurance security certification, but it is not a lightweight option. The second is the huge range of products that fall under the name of IoT (connected cars, drones, smart meters), each of which will require a specific certification process. The upcoming European Certification Framework may be able to solve both issues.
In the meantime, several guidelines and recommendations have been published to help IoT developers understand and improve the security of their solutions:
Applus+ IT laboratories can help you check compliance with any of these guidelines or give you technical support to improve the security of your IoT solution. Our experts can support you from the very conception of the product (threat model, risk assessment) through product development (training, source code review), product testing (vulnerability analysis and pentests) and certification (official certification schemes, such as CC, or private security assessment).
More info about Applus+ Laboratories cybersecurity evaluations for IoT.