Executive Summary

ENISA and Europol organised the third IoT Security Conference (or #IoTSC19) in Athens the 24 and 25 of October 2019. The objective of the conference was to discuss on the current state of IoT security and its challenges as well as standardisation and certification. The conference also focused on related topics such as Cloud, Artificial Intelligence and 5G.

The first day presented the current state of IoT security. Most speakers were from the public sector or not-for-profit organisations. There was a general consensus that IoT systems are still insecure in the light of several recent cyber attacks. This signifies the need to simplify existing guidance to facilitate their adoption and implementation. For that purpose, international standards are being developed: for manufacturers (to implement security) and for security assurance testing (in preparation of the EU Cybersecurity Act)

The second day was divided into two parts. The morning focused on Artificial Intelligence (AI). It is admitted that AI can support existing security practice. However, it introduces its own challenges in particular around security. The afternoon presented several efforts aimed to simplify the adoption of IoT security. Several solutions are being developed in order to provide sufficient support to IoT developers and manufacturers.

The IoT Security Conference has raised several interesting points for IoT security:

  • IoT security is difficult and very hard to implement. Existing solutions are not actionable.
  • It is important to provide simple and applicable solutions for developers and manufacturers. Some organisations are already doing it.
  • New standards are being developed to help manufacturers and testers.
  • There is an on-going international coordination between public and private actors to make this happen.
  • The EU Cybersecurity Act is a strong enabler for the adoption of these standards.

Cetome is directly contributing to several of these initiatives, as we focus our efforts to facilitate the preparation and implementation of future standards.

Introduction

The third edition of the ENISA/Europol IoT Security Conference (or #IoTSC19) has just concluded. The conference took place in Athens over the span of 2 days to discuss on IoT security and emerging related topics such as Artificial Intelligence and 5G.

Over these two days, several presenters gave their opinion on the current status of IoT security, its challenges as well as future evolutions. These presenters were diverse with representatives from the public-sector, not-for-profit initiatives and private companies (vendors, industries, consultancies).

This paper is a debrief on the conference in chronological order. It gives insight on the key points from each presentation, with a short high-level summary (“TLDR” or Too Long; Didn’t Read”). All opinions are personal to the author.

Disclaimer: The author has created the IoT security and Smart Infrastructure domains when working at ENISA. He is still contributing to ENISA’s work as a member of the IOTSec expert group. This article remains impartial towards the agency and is unaffiliated to any presenters or organisers of the ENISA/Europol IoT Security Conference 2019.

Day 1, Morning
Welcome Session

The first morning focused on the European Commission entities and their work on IoT security: ENISA, Europol and DG Connect.

ENISA
ENISA efforts in critical infrastructure

ENISA, the European Union Agency for Cyber Security, presented its efforts around IoT security and smart infrastructure. The speaker explained the relationship between IoT and other technologies such as AI, 5G and Cloud. Their combination is creating innovative use-cases which are driving new business models and changing our society. ENISA named several examples of IoT systems providing data entry to AI systems: autonomous cars, Industry 4.0, connected healthcare systems.

ENISA noticed that ~70% of IoT security issues are common to all sectors, which is why the agency published a baseline security paper to tackle IoT security. ENISA is collaborating with other international organisations (such as NIST) to secure IoT. One important concept is “security by default”, as users and consumers expect IoT systems to work out-of-the-box.

ENISA has mentioned several challenges to achieve a more secure IoT ecosystem: the lack of IoT security specialists, new architectures (e.g. edge computing) that change the existing paradigm and increase the threat landscape. Still, there is an evolution which will only continue with current and future regulation (e.g. the NIS Directive targeting Cloud Service Providers).

TLDR: ENISA offered a good reminder on the current status and challenges of IoT security. A lot of on-going efforts on this front, internally and through external collaborations.

Europol
Internet of Threats

Criminals have used insecure IoT devices to launch DDoS attacks in the past (e.g. the Mirai botnet). They now target insecure IoT systems with ransomware. Europol presented the changing role of law enforcement in a connected world with a focus on AI.

Law enforcement looks at IoT as opportunities to protect and solve crime: they use drones, they collect data from IoT devices to help their investigation, etc. They also use AI systems to help translate slang words, or perform image and video recognition on criminal material. Europol has a very realistic point of view on AI: these systems can help but it is important to offer something that can be replicated, to serve as a proof in court!

Among key challenges, law enforcement needs to develop the tools and skills to use AI. This is really important for them, as criminals are already using AI in their operations (e.g. deep fakes for extortion). For that purpose, Europol is reaching out to the younger generation with an interest in technology and cyber security.

TLDR: Europol has a challenging job by being both a user and a defender of these systems.

European Commission – DG Connect
EU Actions in cybersecurity

The European Commission provided an overview on their different efforts in cyber security. For example, the EU Cybersecurity Act introduces a standard certification scheme, the NIS Directive focuses on the security of essential services, the GDPR protects our personal data, etc.

The European Commission promoted a risk-based approach for all the elements of IoT systems. The Cybersecurity Act follows this principle by proposing three assurance levels. In 5G, they recommend actions at national and Union level (cf. their latest report: "EU coordinated risk assessment of the cybersecurity of 5G networks").

The European Commission has invested more than 63.5 M€ in four cyber security projects. Most of these projects are technology-focused. Their intention is to create more projects around prevention.

TLDR: The European Commission has multiple initiatives around IoT and cyber security that appear disjointed with very expensive projects. They want to fund new projects around security prevention.

Day 1, Afternoon
Session 1 – IOT SECURITY: STATE OF PLAY

The afternoon focused on several IoT security initiatives around the world from governmental agencies, academia and not-for-profit actors.

NIST
Cybersecurity for IoT Program

NIST is the US National Institute of Standards and Technology, which is not regulatory body. NIST provides several guidance around IoT security as they believe one size does not fit all.

NIST has published NISTIR 8228 which refers to the management of IoT security within an Enterprise IT environment. NIST will soon publish NISTIR 8259: a core baseline for IoT Security. This baseline targets manufacturers of IoT systems. It will later be complemented by sector-specific guidance.

In NISTIR 8259, an IoT device possess capabilities provided by the vendor (example: ability to change a password). These capabilities are enabling the implementation of security controls. The objective is that the core baseline is achievable, as NIST recognises that setting the bar too high will be counterproductive. For that purpose, NIST is working with ISO to transform its baseline into an international standard.

TLDR: NIST provides simple and applicable security guidance to IoT users and manufacturers. NISTIR 8259 should help manufacturers, and is being proposed for ISO standardisation.

World Economic Forum
The future of IoT security

The World Economic Forum (WEF) wants to be a platform to bring IoT security stakeholders together. The intention is to remain impartial and welcome debate.

After presenting a list of threats and risks to IoT systems, the presenter focused on two important domains of interest: tackling cybercrime and providing cyber resilience in the aviation domain. The presenter did not explain the rationale behind the choice of these domains.

TLDR: The WEF wants to be an exchange platform. They focus on very niche use-cases.

NCSC UK
Secure by design: Towards Pragmatic Standards & Legislation

The UK National Cyber Security Centre presents their approach to secure IoT. The NCSC worked with academia and the industry to develop the “secure by design” code of conduct which contains 13 principles. Its purpose is to support IoT systems manufacturers.

The NCSC worked with ETSI to publish technical specifications (ETSI TS 103 645) based on the code of conduct. This standard proposes several steps to successfully implement the guidance. The NCSC is collaborating with international stakeholders to extend this TS into a European Standard (ETSI EN 303 645), which will contain more implementation details.

The NCSC is contributing to another technical specification (ETSI TS 103 701) to test the implementation of IoT security. This reference will support testing laboratories by providing a standard methodology. This is also a possible candidate to provide certification under the EU Cybersecurity Act.

TLDR: The UK NCSC is working with other organisations (public and private) to develop ETSI standards for IoT security development and testing.

IoT Security Foundation
Presentation of the IoTSF

The IoT Security Foundation (IoTSF) is a not-for-profit organisation which develops its own guidance for IoT devices. The presenter reminded us the difficulties of security IoT, with major supply chain issues, the cost of security, etc. But he also emphasized that the cost of not doing IoT security is higher!

The IoTSF success formula for IoT security is: “Keep it easy” and “Work together”. They believe every IoT manufacturer must do security by design. They acknowledge it is difficult or everybody would do it.

The presenter (who works for Arm) also explained that the IoTSF is looking at providing guidance around Arm’s Platform Security Architecture.

TLDR: The IoTSF offers guidance to help IoT device manufacturers embed security by design. They consider providing guidance around Arm’s Platform Secure Architecture.

Research Institutes of Sweden (RISE)
Presentation of the Concordia project

RISE is part of the Concordia project, a H2020 research project in security. The members of the Concordia project are research several domains around IoT security. For example, they established a large threat intelligence database.

Concordia is working on “zero-touch security” to support security by default. This concept enhances X.509 certificates and PKIs. Concordia also explores automatic remote firmware update and trusted execution environment.

TLDR: The Concordia project is exploring various solutions to implement IoT security, from threat intelligence to automatic remote firmware update.

Test)Aankoop
Consumer IoT: insecure by default

Test)Aankoop (TA) is a consumer association that is trying to bring more visibility on IoT security to consumers. TA is testing the security of consumer IoT devices independently (through partners from various testing labs across Europe).

TA found several examples of insecure IoT devices, with an impact on personal data (smart watch for kids) but also physical security and safety (smart lock that exposes the physical address and that can be opened remotely with no authorisation). By following a responsible disclosure process, TA alerted the manufacturers so that they could fix the flaws.

Through a survey, TA found that most customers are actually worried about insecure IoT (between 72% and 85% depending on the country). TA believes in 3 regulatory enablers: the EU cybersecurity act to display the security level, a (possible) delegated act in the Radio Equipment Directive, and the GDPR to secure personal data.

TLDR: Test)Aankoop gives a better visibility on IoT device security by performing security testing. TA believes in a regulatory approach to security.

Cloud Security Alliance
IoT Security Controls Framework

The Cloud Security Alliance (CSA) is famous for its Cloud Controls Matrix framework. The CSA looked at IoT because it found that traditional security controls cannot apply, in particular when most devices are built without security in mind.

The CSA developed the IoT Security Controls Framework to secure the broad scope of IoT: it includes governance, development and operational controls which can be quite specific for some technologies (e.g. MQTT, Zigbee...). The framework proposes a total of 160 controls under 26 main categories, with additional sub-categories. The presenter explained how to use the framework: controls aim to reduce a risk impact level, depending on the device, edge or Cloud.

TLDR: The CSA has developed a security controls framework based on risk-levels that tries to cover the broad scope of IoT.

Cabinet Office – Japan
Securing IoT and their supply chains: SIP/CPS, a government programme in Japan

The Cabinet Office in Japan has launched an ambitious programme to secure their critical national Infrastructure in prevision of the Tokyo 2020 Olympics. For Japan, IoT is bringing us to “Society 5.0”.

The Cabinet Office identifies the supply chain as a major risk. They highlight the need for a chain of trust for IoT and the supply chain. They propose to create industry-specific profiles for this chain of trust, with three phases: the creation of trust, the validation of trust, and the verification of trust.

The Cabinet Office has launched three projects to validate each phase via practical experiments in smart manufacturing, logistics and buildings. They awarded the project to public/private consortiums composed of industrials and academia. They are also reaching out to the wider international community in order to make their research relevant and harmonised with other international efforts.

TLDR: The Cabinet Office in Japan is validating the applicability of IoT security guidance in three projects, in partnership with Japanese corporations.

Day 2, Morning
Session 2 – Artificial Intelligence Security

The second day started with a new topic: Artificial Intelligence. It explored the relations between AI and security from users and developers of AI.

Siemens
Industrial security meets Artificial Intelligence

Siemens is investing in digitalisation in many domains. For example, they use machine learning to improve the design of their turbines for energy generation and reduce pollution. Doing that, they are effectively looking at IT/OT convergence and associate security issues.

The presenter mentioned some security challenges related to IoT systems, and explains why Siemens has invested in automation: the higher attack surface, more alerts to process, and not enough people to do it. However, he acknowledged that detecting anomalies is complicated, particularly for OT systems where it is important to understand the process.

For Siemens, AI systems must not be thought as a silver bullet. The presenter explained the importance to set very strict boundaries (i.e. a hard stop) with AI systems to avoid creating a safety issue.

TLDR: Siemens uses AI to help their OT security. Their motto: when industry meets security, it needs AI and when AI meets industry, it needs security.

IBM
Threat management in the age of AI and IoT

IBM surveyed several CISOs and found they face multiple challenges when it comes to securing IoT. For example, it is difficult to integrating IoT with existing threat management programmes.

IBM presents some interesting statistics on this topic:

  • 69% of enterprises have more IoT devices on their networks than traditional endpoints.
  • 67% of surveyed have experienced a security incident related to unmanaged or IoT devices (source: FBI).

IBM developed an AI system to support CISOs and security operations. The system performs correlation between logs and known Indicators of Compromise retrieved via threat intelligence and augments the detection with pattern matching. This tool can reduce alert fatigue from security analysts, as it helped discover unknown security issues such as an Advanced Persistent Threats and existing compromised IoT devices.

TLDR: IBM is consolidating its existing efforts around AI and security to improve the life of security analysts.

Crowdstrike
Divide and Conquer, securing the internet of things is solvable

Crowstrike started with some important statistics on security breaches in IoT and Industrial IoT/OT systems. The presenter explained that most attacks only require one single device accessible, as it is very likely insecure and yet trusted by other systems. For that purpose, IoT users must not assume that IoT systems implement any security controls.

The presenter reminded us that IoT security needs to be thought about differently than traditional IT security. He also explained how Crowdstrike developing tools to identify Indicators of Attack by correlating different behavioural patterns.

As a lawyer, the presenter presented his view on certification. He believes that certification should be realistic, and its limitations understood. For example, a certified antivirus that is never updated is insecure. He an outcome-driven approach for certification.

TLDR: IoT security shall be prioritised (per device, per usage). Certification must use an outcome-driven approach.

European Commission Joint Research Centre (JRC)
Cybersecurity and Artificial Intelligence

The Joint Research Centre is working on AI systems for security. They believe that AI is good for several tasks, in particular for behavioural analysis (e.g. malware discovery), security automation (e.g. log analysis).

The presenter explains the importance to protect AI components from traditional security issues as well as from new threats, such as data poisoning or attacks on the algorithm. As a researcher, he recognises the gap between academia and the industry needs.

TLDR: AI and cyber security are being researched by the European Commission Joint Research Centre. They focus on AI to support existing cyber security practices.

Day 2, Afternoon
Session 3 Operational IoT Security

The last session concluded the conference with operational IoT security practices. The presentations explained their experience with IoT Security and detailed their solutions to make it achievable.

CERT-EU
IoT Security

This presentation was classified and its content cannot be shared.

TLDR: CERT-EU promotes collaboration and encourages to keep security simple, because it has to be applicable.

Arduino
The evolving (IoT) security landscape

Arduino is a hardware manufacturer: their devices are principally used as IoT enablers (i.e. to build IoT devices and applications). Their CISO explained how difficult it can be to develop IoT application. He found the Cloud to be challenging due to the lack of standard (in protocol, for data storing) and interoperability between platforms.

Arduino recognises that the IoT landscape is really fragmented, and that the rise in technology does not make us more secure! In hindsight, IoT makes things more complicated and different than what developers and manufacturers are used to. The presenter then explains the most common misconceptions that led to IoT in security (e.g. changing the password for a service does not protect the device).

However, the presenter found that many organisations do not have Incident Response capabilities, which can lead to panic and further compromise. He also recognises that bug bounty should not be an immediate response to security and invites manufacturers to work on their internal and external processes first.

To conclude, a secure element is now integrated in some Arduino boards. This should provide additional security capabilities to their customers.

TLDR: Arduino has an interesting vision on IoT security: they embed it in their products but efforts are still required from their customers.

ICANN
Securing IoT Devices - The DNS angle

ICANN starts the presentation by reminding that DNS is quite important for Internet communications, and for that reason it is important to know how it works. Indeed, DNS is insecure by default. The presenter mentioned several initiatives to make DNS more: DoH and DoTLS to protect users’ privacy, DNSSEC and Multi-Factor Authentication to protect the architecture and prevent unauthorised transfer.

The presenter also explains that most of us think IoT and Smart Homes as cool! However, they can also really help the life of certain categories of persons, for example when they are handicapped.

The presenter concludes by the importance of understanding how legacy protocols work, and why their implementation matters. As a solution, she proposes to have a secure DNS library for IoT that can be easily implemented by developers.

TLDR: ICANN pushes for secure DNS and recommends developing a secure DNS library for IoT developers/manufacturers.

OWASP
OWASP IoT Project

Disclaimer: the author is a contributor to the OWASP IoT project.

OWASP is a not-for-profit security organisation that proposes tools and frameworks to facilitate security in IoT, web and mobile applications, among others. OWAPS is famous for its “Top 10” which lists the top 10 things to avoid. The IoT Top 10 was published at the end of 2018 and will be updated next year.

OWASP is working to make this Top 10 more usable and applicable: they are discussing to add a reference secure architecture. They also mapped the Top 10 with several industry publications and sister projects, such as ETSI TS 101 645.

OWASP has several future projects to support developers and security testers:

  • IoT GOAT: a deliberately insecure firmware which is seen as a learning platform
  • A firmware security testing methodology: with 9 stages for firmware security assessment including screenshots and a companion VM
  • The ISVS (IoT security verification standard): a basis for testing IoT with several assurance levels.

Since IoT is quite a wide area, OWASP is restructuring the IoT project in 3 big groups: seek & understand, validate & test, governance.

TLDR: OWASP is promoting IoT security on various fronts and it's free!

ENISA
Secure Software Development Lifecycle for IoT

Disclaimer: the author is part of the ENISA IOTSec expert group that contributed and reviewed this paper.

ENISA concluded the conference by presenting their work on secure SDLC, which complements the ENISA IoT security baseline.

ENISA explained that their study shall provide actionable measures to embed security by design into the software development life cycle. ENISA follows its methodology where they map threats and assets, in order to understand what to protect within the SDLC process. The security guidance was developed accordingly and integrates the lifecycle of IoT assets, from inception to disposal.

ENISA mapped their good practices using the traditional People/Processes/Technologies with sub-categories to make the report digestible. They also mapped their good security practices to 72 standards and guidance. The report will be available in mid-November.

TLDR: ENISA is trying to help implement security by design. Report will be out mid-November.

Conclusions

The third edition of the IoT Security Conference presented several on-going efforts to secure IoT and emerging technologies that rely on IoT (e.g. Artificial Intelligence). It is accepted that IoT security is more than needed. However, it is also recognised that IoT security is hard, and the large amount of guidance and recommendations makes it more difficult.

Everybody seemed to recognised the need for standardisation and certification. These efforts are led by ETSI and NIST, with support from ENISA and private stakeholders. Several initiatives seem to support this fact. Japan is also running projects to implement and validate how security can realistically apply to industrial IoT systems and critical infrastructure.

The AI track has shown how AI could become a good companion to support and improve existing security practice, although it presents several new security challenges that are not easy to manage.

The fourth edition will take place next year and new systems such as AI and 5G.

About the Author

Dr. Cédric LÉVY-BENCHETON is the CEO and founder of Cetome. Cédric has expertise in IoT security. Cédric previously worked at ENISA, the European Union Cyber Security Agency. Before that, Cédric designed critical networks for public transports.

About Cetome

Cetome is an independent security consultancy based in London, UK and Lyon, France and operating globally. We work with organisations where security is important and that need to tackle several challenges in terms of resources, capabilities or skills. Most of our clients have an international presence and 250+ staff.

At Cetome, we understand the challenges of IoT security and its complexity. We work with IoT manufacturers, service providers and users of consumer and industrial IoT systems to protect these solutions from cyber threats.

Our experts make sure that your activity is secure against cyber risks by implementing accepted security measures and help you prepare to future certification.