The Internet of Things (IoT) is growing rapidly, and more and more everyday objects are being connected to the Internet and to each other. Crammed with sensors and wireless interfaces, these devices nevertheless tend to allow data security and the protection of user data, in particular, to fall by the wayside. Equipped with a range of different security levels, and often used in security-critical positions, this causes confusion and perplexity on the part of both manufacturers and users. For consumers in particular, it is increasingly difficult to judge what devices and services have which security features.
How can standards, such as the ETSI EN 303 645 testing standard, help close security vulnerabilities and gateways, and ensure secure devices? How can a Europe-wide implementation succeed? What impact will such standards have on the manufacturers and providers of IoT products and solutions?
Complexity of IoT devices creates new challenges
The sheer mass of IoT devices, with multiple different operating systems in use, are the basis of the problem: It is estimated that the number of IoT devices will increase to over 25 billion by 2030. This results in enormous complexity. It has long since ceased to be a matter of classic hardware with a processor that needs to be secured. Already, we have various designs of equipment, each with different characteristics and used in diverse areas. These can no longer be secured with a classic firewall. Meanwhile, there are new challenges in IoT that need to be solved.
Threat situation and testing
The threat situation in the Internet of Things has been steadily increasing. According to AV-TEST GmbH, the threat situation almost doubled from 2020 to 2021, with classic Trojans making up the biggest problem. IoT devices connected to the Internet can be exposed to several million attacks within a 14-day period.
As a general rule, the more data that is transmitted, the greater the likelihood that data will be intercepted. Therefore, manufacturers and providers should take care to collect only data that is actually necessary.
In general, products that are to be certified are better prepared when it comes to security. However, manual security analysis can consume enormous resources and, as a result, often only the urgent security issues are addressed, while other vulnerabilities can quickly fall by the wayside. Automation can be helpful in identifying IoT risks and vulnerabilities, including automated pentests.
Security-by-Design and the ETSI EN 303 645
In order to keep prices down, costs for security are often kept low. However, many vulnerabilities can be avoided through the security-by-design approach.
Security should be integrated into the design process from the very beginning, especially for IoT devices, and should be continuously reviewed throughout the sprints and beyond.
The test standard ETSI EN 303 645 is intended to establish the Security by Design / by Default approach. Based on this, the test specification 103 701 is to be used as a framework to introduce a harmonized test procedure and uniform seal in Europe.
The ETSI standard provides the following recommendations for the security of IoT devices:
- No universal default passwords
- Introduction of a system for managing reports on security vulnerabilities
- Software must be kept up to date
- Secure storage of sensitive security parameters
- Secure communication
- Minimization of pen attack surfaces
- Ensuring software integrity
- Ensuring the security of personal data
- Systems must be made resilient to outages
- Examination of system telemetry data
- Simplification of the deletion of user data
- Facilitation of the installation and maintenance of equipment
- Validation of input data
Currently, however, most IoT devices on the market meet just three to four of the 13 recommendations. This is because manufacturers often only focus on security if implementation is mandatory and not just recommended. Something similar was seen with the introduction of the GDPR. The obligation to protect personal data meant that action had to be taken and there was a lot of movement on the market.
So, what does it take in concrete terms to increase security in the Internet of Things?
The security of IoT devices is not yet as good as one would hope for. What would be the issues that need to be addressed as an industry and what demands on policymakers could provide good leverage to address the problem?
Recommendation-based voluntarism cannot achieve the desired effect in the long term and lead to greater IoT security. The easiest way to meet minimum security requirements for IoT devices would be a mandatory standard. However, the security requirements would have to be implementable and economical for the companies involved.
Norm, feasibility, and control
The hurdles to implementing a mandatory standard must not be too high; there would have to be funds available to meet the requirements. In addition, there must then also be opportunities for testing. So, a balanced interaction of norm, feasibility, and control should be established.
The security requirements would have to be adapted to the different use cases. For example, the same security requirements should not be placed on a baby cam and an industrial device. This would neither be feasible nor economical for the manufacturers. A tiered model that groups different IoT devices could be useful.
The problem should not be left in the hands of the manufacturers alone. There also needs to be greater awareness on the user side. Human fallibility, in particular, can also be a vulnerability in the security of IoT devices. Security features provided by manufacturers, such as dispensing with default passwords or providing the option to disconnect from the network, must also be used by the user. Therefore, both sides will always have to be active in the future to increase security in the Internet of Things.
Tatjana Hein is Project Manager IoT and Mobility at eco – Association of the Internet Industry. She is responsible for topics related to Internet of things like smart factory, smart city, smart home, and for the subject area of mobility. Before joining eco in 2020, she was content manager and creator at a European analytics provider and was also a guest author for several magazines (such as Big Data Insider, Website Boosting, UPLOAD magazine, marconomy, Contentbird). Before that she worked in an agency as public relations manager for several start-ups.