
From the smallest sensors in cell phones or cars to complete production plants in industry – more and more devices are networked with each other via the Internet of Things (IoT). At the end of 2019, there were already around 27 billion IoT devices, which translates to almost three IoT devices per person.
According to expert opinion, this ratio will multiply in the coming years. One reason for this is the many advantages that companies gain from using IoT devices in an industrial context. The whole concept of Industry 4.0 is based on the idea of networking technical systems with one another in such a way that they can independently exchange information and communicate with each other. This intensive data exchange places entirely new requirements on the security of IoT devices.
Devices that are networked in the Internet of Things (IoT) have the same problem as any computer: they can be attacked from the outside. For every form of communication, whether verbal between people or electronic between machines, there are ways to eavesdrop on it or manipulate it. To prevent this, IoT devices, like computers, must continuously meet current security requirements. With consumer products, this is comparatively easy in an ideal world: the manufacturer identifies a security risk in the software of its device, develops a patch to fix the problem and installs it on its devices via an over-the-air update.
However, if the software of an industrial system needs to be updated in whole or in part, those responsible face significantly greater hurdles. In industrial production, for example, there is no guarantee that machines or components are continuously connected to the Internet. In such cases, an automatic software update is only possible by roundabout means. It is therefore the responsibility of maintenance or IT security personnel to keep themselves informed about patches and to plan and monitor their delivery and installation.
This in turn leads to the next hurdle: does an update require a system shutdown or a restart? While restarting a smartphone involves little planning, an industrial system requires meticulous preparation, as there are a number of factors to consider: How does a stop affect the work of the systems in question? Can it happen during ongoing operation, or do special maintenance windows have to be observed? And last but not least: how should the importance of the system be classified, and is it relevant for security? In addition to the technical and organizational problems, switching off a system means lost revenue.
Because of this additional effort, it is more likely in the industrial context that security gaps in IoT devices are closed more slowly than would be technically possible, or not at all.
When considering how to increase the security of IoT devices in general, it helps to look at best practices in other fields: technical norms and standards are already used successfully in other areas of application to assess and ensure the safety of products and systems. Examples are the Machinery Directive and the CE marking. These not only protect the life and limb of users and customers, they also create trust, because they promise an objectively assessed level of functionality and safety.
A comparable standard, combined with certification, is now needed for the security of IoT devices. It would allow security to be given greater attention right from the product design stage, and then to be checked regularly and reproducibly. By standardizing security requirements for both production and operation, the security of the systems can be increased sustainably. There is also a positive side effect: if such standardization alone could better secure half of the IoT devices in use, this would also have an indirect positive effect on "non-standardized" devices, since the attack surface in the network would be reduced.
When drawing up the required security standards, different requirement levels would of course have to be defined, according to which the corresponding IoT devices are developed and then tested.
The basis should be the relevance of the respective system. For example, it is manageable if the LED lamp in a smart home device shows the wrong color due to a fault; however, if an industrial machine fails to recognize the data of a sensor in an emergency, or evaluates it incorrectly, this can have serious consequences. This is another reason why the security of IoT devices must be testable and certifiable. In addition to increased trust and security, sensible standards and independent controls also offer companies another advantage: legal protection in the event of damage.
A first step towards uniform security standards and reviews in Europe is the Cybersecurity Act. It is intended to regulate and strengthen the requirements for, and the awarding of, certifications in Europe, and thus offers a legal basis for the efforts towards certification in the IoT area. As part of the act, it was also decided to establish the European Stakeholder Cybersecurity Certification Group (SCCG), a body that is to help define the framework conditions for cybersecurity certifications in the EU.
The committee is made up of 50 members from across Europe, ranging from academic institutions to standardization organizations and consumer protection bodies. One goal of the panel is to create a uniform certification system for cybersecurity in the EU, which should also serve as a guide for consumers. These supranational efforts by the EU show how topical and important uniform security standards are considered to be there as well.
The introduction of generally applicable guidelines and requirements is the next logical step in the adoption of IoT. The more data is in circulation, the greater the temptation for criminal actors to acquire it. In addition to generally improving the resistance of the devices to attacks, the standardization of processes and technology makes it possible to have IoT devices checked and certified by independent third parties.
This creates greater trust among companies and customers in the technology and thus enables broader investment and innovation in an area that can offer industry an enormous advantage. The intelligent networking of systems is the core of the desired "Industry 4.0" and should be treated and protected accordingly.