The Internet of Things (IoT) has become a game-changer within the last couple of years. In 2018, multiple sectors adopted and deployed IoT solutions: hospitals, utilities, transport, manufacturing, logistics, and more. Beyond the traditional Smart Home use-case, IoT systems can enhance important functionalities: collection of new data, enabling of remote operations and predictive maintenance, etc. IoT is the new normal!
Defining the IoT
Most IoT systems rely on similar concepts. This paper considers an IoT system as a set of technologies that provide a service:
- Devices with sensors and actuators. They collect, process and exchange data. Devices are usually deployed remotely, in the field.
- Communication networks. They provide a communication channel between devices and with processing systems. An IoT system can rely on multiple communication networks, wireless or wired, high or low speed.
- Processing facilities. They provide the “smartness” of the system. These processing facilities can sit in devices, in mobile applications, or remotely (e.g. Cloud computing). An IoT system can have one or several processing facilities.
Insecurity by design
IoT is plagued by multiple security issues that could lead to risks to our privacy and safety. Every new security disclosure brings to light the vulnerabilities of IoT systems. The root cause is usually tied to limited awareness around basic security principles (limited data security, lack of secure update mechanism, usage of untrusted/insecure third-party components).
To mitigate these risks, IoT security shall follow the “by design” concept: security is integrated as early as the design stage and throughout the lifecycle of a solution until end-of-life. It shall also apply a “by default” approach, so that security features are active “by default” instead of only being present as an option.
Why are IoT systems so vulnerable?
IoT is still a relatively new business model which features multiple opportunities. Every stakeholder in the value chain (manufacturers, integrators, operators, consumers, etc.) can benefit from these systems to monitor, analyse and enhance their activities.
Yet, securing this “system of systems” is no simple task and remains an unclear topic due to the lack of an accepted standard and too many competing guidelines (which can lead to information overload). Hence, IoT security can quickly become a blocker (due to limited skillset, high financial cost, impact on time-to-market delivery, etc.).
Integrating security in IoT
As mentioned above, there are too many IoT security references that range from high-level security guidance to very specific low-level recommendations, which cover every component of the IoT ecosystem. However, these references are often not applied, or not applicable. There are many reasons: they are very generic, they fail to consider business objectives, or they simply talk to the wrong audience.
Integrating security in IoT requires a holistic approach that considers multiple aspects: the governance, the business environment, technologies, human factors, processes, etc. A risk-based approach integrating privacy and safety concerns can help to highlight priorities and remediate these risks adequately.
IoT security should not be the ultimate goal. Instead, it should be seen as a business-enabler, by securing critical functions, protecting valuable information and mitigating the risks associated with the IoT solution.
What incentives for IoT security?
It is always difficult to justify an investment with no incentive. IoT security could benefit from several incentives to drive these efforts. Among these incentives, regulation, safety and privacy are the main ones that apply to vendors and users across all verticals.
There is currently no specific IoT regulation. Yet, the usage and operation of IoT systems need to comply with existing regulations and other sectorial requirements. The objective of a regulation is to define obligations and clarify liabilities. While an IoT-specific regulation might be an inconvenience (with an impact on innovation, compliance), two regulations already apply to IoT: the GDPR and the NIS Directive.
Regulation is an incentive as it defines the obligations and liabilities around security, and punitive actions around non-compliance. Both the GDPR and the NIS Directive define obligations around minimum security measures and reporting security and privacy breaches. The incentive to invest in security is twofold: limit the possibility of being subject to expensive fines and protect the reputation of the company by better dealing with a breach.
The fear of regulation could also constitute another incentive to invest. Thus, the industry would demonstrate they can self-regulate for the greater good, limiting the need for regulatory obligations.
Most IoT business models rely on private data collection and sharing with little to no concern on privacy and security. Yet, customers are becoming more concerned about privacy. As several events have shown recently, privacy could impact revenues and trust. A privacy incident can kill a business.
An incentive would be to secure users’ trust by integrating privacy-by-design and privacy-by-default into IoT systems. Privacy also becomes an incentive to comply with the GDPR.
Safety protects humans from machines in the event of failure. Safety becomes an important parameter in cyber-physical systems, as they interact in the physical domain following decisions made in software. In IoT and Industrial IoT, safety functions are managed by software and a vulnerable IoT system is potentially unsafe: a safety incident can kill.
The concept of security for safety intends to secure these critical functions to limit their exposure to threats and to ensure that a cyber incident cannot impact safety. Moreover, the NIS Directive mandates “operators of essential services” to secure their critical assets which are usually safety-critical systems.
A corporate strategy could integrate the importance of security for IoT, either because a business wants to mitigate the associated risks or as part of their social responsibility. For example, IoT security could benefit from measures defined in existing security policies (e.g. collaboration with external stakeholders, threat intelligence, etc.).
IoT security can be an opportunity for a business, in particular for manufacturers and vendors who want to limit the risk of having their brand tarnished by a vulnerable IoT product. Moreover, investing in security by design at the start of a project would limit operational expenditure, in particular after an incident.
Security requirements in contracts define the obligations of a supplier. These obligations could be very specific (e.g. specific level of encryption) or at higher level (e.g. incident handling). For IoT customers, these contractual requirements should ensure a security baseline for all third-parties.
The fact that IoT security is still in its infancy offers a chance to differentiate from the competition through security. Introducing IoT security would give an attractive advantage to a solution, which would effectively be more secure than the competition.
IoT security is a complex task that requires a holistic approach. While there is currently no standard, there is a need for a cross-sector baseline with “minimum” security measures. This baseline would promote security practices applicable to IoT systems, and include technical (over-the-air updates, key management, encryption, etc.) and non-technical elements (incident handling, information sharing, etc.). Additionally, sectorial guidelines would enhance this baseline with targeted security measures (e.g. focus on privacy and data integrity for healthcare, focus on resilience and integrity for transport, etc.).
Awareness around IoT threats and associated risks is also key (a compromised IoT system could provide access to non-IoT systems), as several vendors promote their IoT solutions as “secure” for multiple wrong reasons, which gives a false sense of security to their customers.
Defining liabilities around IoT would definitely improve the current status. However, it is usually done through regulation, which might take time and not be well adapted. To anticipate a potential future regulation, several vendors are leading by example and have started to invest in IoT security.
There are several discussions and projects around an IoT trust label. Such a label could provide an interesting tool to 1) define key IoT security measures, 2) assess the implementation of IoT security against these measures, 3) enhance awareness around IoT security.
To conclude, there is no definitive solution to ensure IoT is secure. The key message is to follow a holistic approach and invest in security where it can present benefits for vendors, customers and end-users: to protect privacy, to ensure safety, and become a business-enabler.
Cetome is an independent security consultancy based in London, UK and Lyon, France and operating globally. We work with organisations where security is important and that need to tackle several challenges in terms of resources, capabilities or skills. Most of our clients have an international presence and 250+ staff. At Cetome, we understand the challenges of IoT security and its complexity. We work with IoT manufacturers, service providers and users of consumer and industrial IoT systems to protect these solutions from cyber threats. Our experts make sure that your activity is secure against cyber risks by implementing accepted security measures and help you prepare for future certification.
About the Author
Dr. Cédric LÉVY-BENCHETON is the CEO and founder of Cetome. Cédric has expertise in IoT security. Cédric previously worked at ENISA, the European Union Cyber Security Agency. Before that, Cédric designed critical networks for public transport.