(This is a personal view of the author and does not reflect the view of any of the Standardisation Groups or Organisations he participates in!)
You all know the issues and read about it regularly in the press reports – Baby monitors and Cameras accessed remotely, Cars hijacked (like the famous Jeep take over), Televisions with viruses, talking Home Speakers and many other incidents.
Many of these can be prevented by some simple security procedures, which are now freely available to help people who design connected things. Here is some background to the various activities that are happening now, and what we can expect in the future.
The initial work was done by the IoT Security Foundation [i], who produced some great documents describing the sort of security methods that you should be taking, like eliminating default passwords by forcing change, boot protection, update security and a few simple ideas. It also encourages Companies to have a vulnerability disclosure scheme, to pick up errors and correct them – apparently less than 10% of Companies even have these! They have some great (free) documents, including DIY Certification.
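As an added illustration of the first of those methods (eliminating default passwords by forcing a change), here is a small credential-policy sketch. It is example code written for this post, not code from the IoT Security Foundation or any product; the class name, the list of default passwords and the minimum length are all assumptions made for the example. The point it shows is that a device should stay off the network until the owner has replaced the factory credential with one that is not a known default.

```python
import hashlib
import hmac
import secrets

# Constructed list of factory/default credentials for illustration only;
# a real product would use its own manufacturing defaults here.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", "default"}

# Assumed policy value for the example.
MIN_PASSWORD_LENGTH = 12


class DeviceCredentialState:
    """Hypothetical first-boot credential policy for a consumer IoT device.

    The device ships in a factory state with no user-chosen credential.
    Remote (network-facing) access stays disabled until the owner sets a
    password that is not a known default, so an out-of-the-box device
    cannot be reached with a published default password.
    """

    def __init__(self):
        self._salt = None
        self._hash = None
        self.credential_is_default = True  # factory state

    @staticmethod
    def _derive(password, salt):
        # PBKDF2-HMAC-SHA256; the iteration count is a placeholder kept
        # low so the example runs quickly, not a production setting.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def set_password(self, new_password):
        """Accept a new password and leave the factory state, or refuse it."""
        if new_password.strip().lower() in KNOWN_DEFAULT_PASSWORDS:
            return False  # refuse to 'change' the password to another default
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(new_password, self._salt)
        self.credential_is_default = False
        return True

    def verify_password(self, candidate):
        """Constant-time comparison against the stored derived hash."""
        if self.credential_is_default:
            return False  # nothing to verify against while in factory state
        return hmac.compare_digest(self._derive(candidate, self._salt), self._hash)

    def remote_access_allowed(self):
        """Network-facing services stay off until a unique credential exists."""
        return not self.credential_is_default


if __name__ == "__main__":
    device = DeviceCredentialState()
    print("remote access at first boot:", device.remote_access_allowed())
    print("accepting 'admin':", device.set_password("admin"))
    print("accepting a unique password:", device.set_password("correct-horse-battery"))
    print("remote access after change:", device.remote_access_allowed())
```

The design choice worth noting is that `remote_access_allowed()` is derived from the credential state rather than being a separate flag: there is no way to enable the network service while the device still holds only its factory default, which is the "forcing change" behaviour the guidance asks for.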
This initiative was taken up by Governments, so for example in the UK the Department for Digital, Culture, Media & Sport (DCMS) published in February 2019 their own document [ii] – A Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home. This is linked to their “Security by Design” ideas. It brings together, in thirteen outcome-focused (I like that phrase) guidelines, what is widely considered as good practice in IoT security.
At the same time ETSI (European Telecommunications Standards Institute) published a Telecommunications Standard on IoT Security, which can be used as a basis for Manufacturers and Suppliers across Europe. You can read the press release on how The ETSI Technical Committee on Cybersecurity (TC CYBER) released ETSI TS 103 645, a standard for cybersecurity in the Internet of Things via the link below. The idea of the standard is to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes. You can also use the link to download a copy [iii].
Notice in the above the mention of a Certification scheme – ETSI is working on an EN which has a legal status within Europe, and this can be used so that manufacturers can meet a Certification scheme under the Cybersecurity Act [iv] – let’s hope we will see this soon.
So now we have a pathway for the future, where we can have Certified IoT devices with security, something that has been long needed. There are other such ideas, for example the Radio Equipment Directive [v] proposes that Privacy and Security should be part of the requirements: That’s the one that goes towards the CE [vi] mark that you see on equipment. Now that’s something I have doubts about, as I think that Technical Requirements should be defined by Technical people and not Lawyers, and there is no need for there to be more than one IoT security requirement, as it will just cause confusion.
So, what can we expect? A perfect world of secured IoT devices? Of course not, we all know that won’t happen, but at least it will force a thinking process, and make things better for the average consumer device and user. It will, of course, not protect Critical Infrastructure; for that, much better security design is required.
For us involved in Telecommunications it will ensure that our terminals are more secure, and at least reduce the amount of Customer Confusion, help maintain their Privacy and maybe even reduce Fraud. I also have in mind a simple set of security requirements like the IoT ideas, to secure a Telecommunications Operator, but that is another story ……