IoT devices: never trust, always verify

Antonio Bagiolini, Business Line Manager - ICT at TÜV Italia, explains the current standards used in the IoT field and suggests how to protect connected objects.


by Antonio Bagiolini | Business Line Manager - ICT of TÜV Italy

The Internet of Things (IoT) encompasses a wide range of interconnected devices that can collect and transfer data over the network without human intervention. As the world becomes increasingly connected through the Internet and the demand for smart technologies increases, mass production has made the cost of manufacturing products with Wi-Fi connectivity and embedded sensors more competitive.

The increase in the use of smart technologies leads to greater convenience for today's consumer, but this also opens the door to cyber security threats. Reports of cyber breaches are on the rise, as each network has the same level of security as the least secure device within it, and the responsibility for upholding the security standards of connected devices falls on manufacturers.

The importance of ensuring security in the consumer IoT sector

Consumer IoT refers to all those personal devices, such as smartphones and wearables, and to the ever-increasing number of 'smart' home devices, connected to the Internet, that collect, exchange and communicate data with each other. It is estimated that there will be 130 billion networked devices by 2030, compared to 25 billion connected devices in 2017. In fact, on average, it is expected that each person will manage 15 devices.
The evolution of personal IoT devices is driven by our desire for constant entertainment, instant connection to resources and continuous support. The barriers between digital and physical are being broken down by integrated and intuitive devices, true interfaces that allow people to move and navigate in a hyper-connected world.

Increased circulation of data necessarily brings with it increased opportunities for data loss or unavailability. The benefits of the Internet of Things can only be achieved if security and privacy requirements are taken into account in the design of products and services, increasing consumer confidence in their use.
People entrust their personal data to an increasing number of online devices and services. Poorly secured products not only threaten consumers' privacy, but can also be used by criminals to launch large-scale distributed denial of service (DDoS) cyber attacks.

The regulatory standard and advice from TÜV Italy

The Technical Committee for Information Security of the ETSI (European Telecommunications Standards Institute) has published ETSI TS 103 645, the security standard for consumer IoT products. The document contains recommendations for manufacturers and developers of networkable devices (better known as IoT products) intended for the general public (smart TVs, smartwatches, smart cameras, home automation systems, etc.) and now widespread in every social and productive environment. The aim is to contribute to increasing the security of IoT devices, so as to increase consumer confidence in parallel. The document focuses on the most relevant technical and organisational controls to address significant and widespread security gaps.

The new security rules affect a wide range of IoT devices: security products such as smoke detectors and door locks, smart cameras, televisions and speakers, wearable medical devices, home automation and alarm systems, and household appliances (e.g. washing machines and refrigerators).

The standard recommends, for example, that devices should not be placed on the market with a default username and password (admin; admin) and that contact points should be identified to which new product vulnerabilities can be reported.

Other good practices and recommendations to follow may be:

  • The constant release of updates and security patches;
  • The use of secure communication channels;
  • The secure storage of access credentials;
  • Minimising the possible 'attack surface' of devices;
  • Guaranteed software integrity;
  • The resilience of IoT systems to cyber attacks;
  • Easy and intuitive deletion of users' personal data;
  • Simplified installation and maintenance of devices.

It is important to remember 'Never trust, always verify'. It is essential to have a model that relies on other network security methodologies, such as strict access controls, network segmentation and the definition of a 'protected surface' that includes data, resources, applications and services critical to the core business.

