IoT ecosystem needs to be investigated, say experts

The entire internet of things (IoT) ecosystem needs to be looked into, according to experts meeting in The Hague at a two-day conference to address IoT security vulnerabilities to ensure the techology’s benefits are realised.

The conference was convened by the European Union’s (EU’s) cyber security agency Enisa and policing agency Europol, bringing together 300 experts from the private sector, security community, law enforcement, the European Computer Security Incident Response Teams (CSIRTs) community and academia.

In addition to examining the IoT ecosystem, the conference made several other key recommendations, including that holistic, pragmatic, practical and economically viable security systems need to be promoted.

The experts said security should not be an afterthought when designing systems – and IoT systems are no exception.

However, they said implementing security does not need to be complicated, as outlined by Enisa’s baseline security recommendations for IoT, which manufacturers and users of IoT devices and systems can use as a checklist against which to assess their IoT security systems.

The UK government has also recently published a voluntary code of practice (CoP) to help manufacturers boost the security of IoT devices.

The UK government has also published a mapping document for existing standards and regulation to make it easier for other manufacturers to identify what they need to do to implement the CoP.

Attendees of the The Hague conference also agreed that law enforcement needs to be in a position to go beyond defence and incident response by being able to investigate and prosecute the criminals abusing connected devices. They added that there is a need to discuss digital forensics in regard to IoT and the importance of data and privacy protection, considering the amount and different categories of data collected by the IoT.

Europol said the conference is an excellent example of much-needed multi-disciplinary dialogues, adding that it is working closely with Enisa to inform key stakeholders of the need to be aware of the cyber security and criminal aspects associated with deploying and using these devices.

The conference noted that the IoT has great potential and provides tremendous opportunities to improve the way people interact, do business and go about their daily lives, underlining the importance of addressing security vulnerabilities in these devices.

Enisa announced that it is working on an automotive IoT case study and welcomes the active support of all partners.

Steve Purser, head of Enisa’s core operations department, said it is important and essential to collaborate because cyber security is a shared responsibility and that is ever more true in the IoT domain.

“This joint conference is an excellent example of these much-needed multi-disciplinary dialogues. The benefits and opportunities that IoT brings are numerous and of paramount significance for the entire society,” said Purser.

“It is our duty to ensure that this is done in a secure, safe and reliable manner. IoT security is a prerequisite for a secure and safe connected digital society. The time to act for IoT security is now. I welcome the collaboration with Europol, and I am confident that such joint efforts are contributing to ensuring IoT security for all.”　

Europol’s deputy executive director of operations, Wil van Gemert, said law enforcement must have the tools, skills and expertise to investigate the criminal abuse of the IoT.

“We have a leading role, together with our partners, to go beyond increasing cyber security and resilience of the IoT as we can make a specific contribution in terms of deterrence,” he said.

The complexity of IoT and its resulting cyber security challenges, said Van Gemert, call for a holistic, smart and agile approach.

“As IoT is now a present reality as opposed to a futuristic concept, the necessity to have this multi-stakeholder conference to put cyber security at the heart of the IoT ecosystem is self-evident,” he said.

Europol noted that IoT has many advantages for law enforcement as a new tool to fight crime, with police are already using connected devices such as smart cameras for major events and to fight robberies and home burglaries, bodycams to raise situational awareness, sensors in firearms to track when and how often it is used.

According to Europol, it is important that law enforcement also invest in the safety and security of its IoT-connected devices to protect the privacy of the citizens it works for.

Crime scenes are changing because of the IoT, the police agency noted, adding that data from connected doorbells, cameras, thermostats, fridges, for example, can provide useful and crucial evidence.

The necessary forensic techniques and training will need to be used to safeguard this data, said Europol.

Big data collected by IoT devices for facial recognition from camera images after a major incident, for example, will become an integral part of a criminal investigation, but also require the necessary means to protect the privacy of citizens, the police agency said.