Anastasiya Kazakova
CEO Projects Coordinator
In November 2017, ENISA, the EU cybersecurity agency, published its new report "Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures". The main purpose of the report is to define security requirements for IoT that account for the complexity of critical assets, the current threat landscape, and the best practices already applied to protect such systems.
Kaspersky is a member of the ENISA IoT Security Experts Group (IoTSEC), and we were invited, together with the other members, to take part in drafting the report by contributing our view of the nature of the problem.
We proposed two categories of potential security measures: one addressed to EU policy-makers and the other to IoT hardware manufacturers and IoT software developers.
To the EU institutions, we recommended a number of action steps, namely:
- to focus on sector-specific recommendations, guidelines and certification requirements, since a highly centralized, one-size-fits-all regulation cannot meet the technological needs and specifics of every IoT sector; it would instead create an additional burden on industry (especially SMEs) and raise the cost of devices and technologies without making them more secure;
- to harmonize and deliver an EU-wide IoT terminology and taxonomy aligned with international cybersecurity standards and norms. A common language for all stakeholders also helps to avoid overregulation;
- to cooperate actively with industry and involve the private sector in policy-making through existing platforms such as the Alliance for the Internet of Things Innovation (AIOTI). Requirements in IoT standards should consider industry's needs and expert advice. At the same time, information sharing should benefit both sides as industry works to coordinate vulnerability disclosure and to address insecure design. A jointly created information sharing point that gives participating stakeholders privileged access to high-quality, actionable and timely threat data would therefore serve everyone's interests;
- to establish a layered defence against cybersecurity threats, meaning that protection mechanisms and tools for IoT must be developed in proportion to the complexity of both the devices (from lightweight consumer IoT devices to deeply integrated IIoT systems) and the threats they face.
Looking at the problem more closely, we also prepared recommendations for those directly involved in building and operating IoT systems. Our perspective is a maturity model for IoT management, because Kaspersky experts work on every part of this multifaceted process.
First and foremost, it is crucial that all cybersecurity roles and responsibilities are clearly delineated, so that personnel are explicitly assigned to specific IoT projects and to their security engineering needs. Organizations should also raise their level of cyber hygiene through continuous security awareness training for their staff. Security quality management and procedures, together with a quality assurance evaluation process, thus form the first layer of IoT security.
Secondly, it is necessary to ensure data interoperability and to have a reliable, automatic patching system in place. The connected networks (intranet) must be secured as well, and security configuration management data has to be captured and stored appropriately. Furthermore, IoT hardware manufacturers and IoT software developers need to adopt cyber supply chain risk management policies and to communicate their cybersecurity requirements to suppliers and partners.
And finally, a deployment plan with a detailed description of the environment in which the software operates makes it possible to handle vulnerabilities, security fixes and product upgrades effectively. For an IoT software developer, it is also important to review the code already during the design phase in order to reduce the number of vulnerabilities in the final version of a product. Security best practices such as penetration tests, which verify whether a product behaves as intended, are needed to catch mishandling of malformed input and authentication bypass attempts.
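To make the last recommendation concrete, here is an added example that is not part of the original post or of the ENISA report: a constructed IoT command handler that authenticates device messages with an HMAC, shown in a naive "before" form and a hardened "after" form, together with the negative tests a code reviewer or penetration tester would run against both. The framing format, the device key and the command set are all invented for the example; the bug in the naive handler (an over-long declared payload length makes the tag slice empty, and the handler only verifies a tag when it finds one) is a typical way in which malformed input turns into an authentication bypass.

```python
import hmac
import hashlib
import struct

# Constructed device key; a real device would hold a per-device provisioned secret.
DEVICE_KEY = b"constructed-demo-key"
MAGIC = b"\x49\x54"  # assumed framing marker for this example
TAG_LEN = 32
# Assumed wire format: magic(2) | cmd(1) | payload_len(2, big-endian) | payload | HMAC-SHA256 tag(32)
HEADER = struct.Struct(">2sBH")


def _tag(signed: bytes) -> bytes:
    """HMAC-SHA256 over header plus payload."""
    return hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()


def build_message(cmd: int, payload: bytes) -> bytes:
    """Legitimate sender: header, payload, then the tag over both."""
    signed = HEADER.pack(MAGIC, cmd, len(payload)) + payload
    return signed + _tag(signed)


def handle_naive(msg: bytes) -> str:
    """'Before': trusts the declared length and verifies a tag only if one is found."""
    magic, cmd, plen = HEADER.unpack_from(msg)  # raises struct.error on < 5 bytes
    body = msg[HEADER.size:HEADER.size + plen]
    tag = msg[HEADER.size + plen:HEADER.size + plen + TAG_LEN]
    # Bug: a message whose declared length runs past the end yields an empty
    # tag, and the 'if tag' guard then skips verification entirely.
    if tag and not hmac.compare_digest(tag, _tag(msg[:HEADER.size + plen])):
        return "rejected"
    return f"executed cmd={cmd} payload={body!r}"


def handle_hardened(msg: bytes) -> str:
    """'After': strict framing checks and MAC verification before any field is trusted."""
    if len(msg) < HEADER.size + TAG_LEN:
        return "rejected"
    magic, cmd, plen = HEADER.unpack_from(msg)
    # The declared length must account for the whole message, nothing more or less.
    if magic != MAGIC or len(msg) != HEADER.size + plen + TAG_LEN:
        return "rejected"
    signed, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(signed)):
        return "rejected"
    return f"executed cmd={cmd} payload={msg[HEADER.size:-TAG_LEN]!r}"


def negative_tests(handler) -> dict:
    """Feeds the handler the malformed and forged messages a tester would try.

    Returns a verdict per case: the handler's result string, or 'crash: <ExceptionName>'.
    """
    good = build_message(1, b"reboot")
    cases = {
        "valid": good,
        "truncated": good[:3],
        # Declared length far beyond the real payload, and no tag at all.
        "oversize_len_no_tag": HEADER.pack(MAGIC, 1, 0xFFFF) + b"reboot",
        "forged_tag": good[:-TAG_LEN] + bytes(TAG_LEN),
        # Header claims a shorter payload than was actually signed.
        "length_shrunk": HEADER.pack(MAGIC, 1, 2) + good[HEADER.size:],
    }
    verdicts = {}
    for name, m in cases.items():
        try:
            verdicts[name] = handler(m)
        except Exception as exc:
            verdicts[name] = f"crash: {type(exc).__name__}"
    return verdicts


if __name__ == "__main__":
    for label, handler in (("naive", handle_naive), ("hardened", handle_hardened)):
        print(f"== {label} ==")
        for case, verdict in negative_tests(handler).items():
            print(f"{case:22s} {verdict}")
```

Running the tests against the naive handler shows the two findings a pentest report would carry: the truncated message crashes the parser, and the over-long length executes an unauthenticated command. The hardened handler rejects every case except the valid one, because it checks the total length against the declared length and verifies the MAC before acting on anything in the message.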
We were happy to see that ENISA considered and included most of our comments in the final version of the report. In particular, ENISA recommends defining secure software and hardware development lifecycle guidelines for IoT, reaching consensus on interoperability across the IoT ecosystem, and establishing secure lifecycle management for IoT products and services.