Securing the IoT: A question of checks and balances

How EU agency ENISA is attempting to define requirements on securing IoT devices and avoid a 'nightmare'.
Written by Danny Palmer, Senior Writer

IoT devices are increasingly common in homes and workplaces, but there's no consensus on securing them properly.

Image: iStock

The rise of the Internet of Things (IoT) offers the prospect of fully connected offices and homes, enabling everything from security monitoring via internet-connected cameras to water and heating management via smart meters. You can even feed your pet remotely using an IoT device.

Such is the IoT boom that the number of devices deployed and used is set to overtake the world's population this year, with analysts forecasting that over 20 billion IoT devices will be in the wild by 2020.

But the desire to meet demand and ship new products has created problems, with reports of vulnerabilities in IoT products, including children's toys, light bulbs, routers and more.

Vendors are rushing products out without thinking about security implications, and as with smartphones, many users simply aren't aware of the security implications of the IoT -- if they even know the appliance they bought is connected to the internet in the first place. Clearly, IoT security is an issue that needs to be dealt with now, not further down the line.

The IoT future is now

"People still talk about IoT as if it's the future, which it isn't -- it's here and now. These devices are being rolled out in many different contexts by many different people in different conditions," said Steve Purser, Head of Core Operations Department at ENISA, the European Union agency for network and information security.

The agency is working alongside the private sector in order to establish a common policy framework for IoT security that reflects the concerns of the industry and provides a set of suggestions for policy makers. ENISA isn't shying away from the difficulty of the task at hand.

"There's a lot of work to be done in being vigilant and ensuring we minimise negative consequences" said Purser. "The challenges of IoT are as such that it significantly changes the scale of operations -- instead of talking about millions devices, we're talking billions of devices, it's huge." Purser also warned that, as the IoT sector continues to grow, "Time-scales are going to become much more rapid, time-to-market is going to be much shorter."

There's also the fundamental problem of how IoT devices are made and what can be built into them. Many will consist of a computer chip wired into an everyday device, and simply won't have the capacity to be locked down the way a PC can.

"IoT changes the opportunity risk equation: you can't have your cake and eat it too, so we shouldn't expect that we can secure IoT devices to the same level we secure PCs" said Purser, adding: "They're different sorts of things -- take a light bulb for example...how do you secure a light bulb?"

It's questions like this which ENISA is looking to answer with its policy framework, which is aiming to bring consensus on IoT development and deployment.

SCADA as a model

"If you look at things globally, the environment is very fragmented with lots of different people working on security. So the challenge is to come up with something everyone agrees on," Purser explained.

ENISA is doing this by speaking to players in both the public and private sector, finding consensus on the issues and developing technical solutions. Purser pointed to ENISA's SCADA framework for critical infrastructure and services as a successful model to follow.

"Where this worked well was SCADA. It was a fragmented environment to start with, but because we brought the players together, we've created momentum, reduced the fragmentation and got a bulk of material everyone agrees on," he said.

What also needs to be considered is that there isn't just one type of IoT device. Different types of products will be used in different industries, each with their own security considerations: requirements for IoT in the consumer sector will be less demanding than requirements for IoT in business, which in turn will be less demanding than IoT in the military.

"Let's start with defining clear requirements with classes of devices and classes of stakeholders. You need to check the economics of the thing: it's no good setting requirements which can't be met because devices cost too little to implement them. We need to make sure the economics are feasible and the products will still sell," said Purser.

There also need to be more guidelines on development of IoT code in order to ensure device security.

"What we suspect is happening is, because you get such a massive amount of development going on and it's all short term to meet market needs, that developers are downloading shareable code from websites on the internet and not checking it, or only checking it very quickly and then sharing it openly. This is not good for secure devices: we need better control and more checks on the software process," said Purser.

Self-checking IoT networks

There's also the potential for what some might see as an unlikely candidate for ensuring the security of the IoT: devices themselves working together as one.

"One idea which could be used in securing IoT is objects securing each other by devices checking on other devices," said Purser.

"Imagine the device is running a section of code; you could sign that code with a crytopgraphic key and then you can have the second device check and agree to the signature before connecting with the device," he explains.

Ultimately, this idea might see IoT devices checking on one another to determine that they haven't been hacked or infiltrated because "Single device security is going to be limited in this domain," as Purser put it.

So while the IoT does bring risks, it could play a big part in securing itself. In any case, ENISA is working to ensure that the threat is minimal and the IoT is safely available to all.

"It all depends on the checks and balances we put in place" Purser concluded. "If we use these wisely and put the right checks and balances in place it can be very positive; if we don't it could be a real nightmare."


Editorial standards