IoT device security challenges
Joe Lomako, Business Development Manager (IoT) at TÜV SÜD, explains how to identify cyber weaknesses in connected products and mitigate them.
As devices, systems and processes become increasingly digitalised and interconnected, the Internet of Things (IoT) opens a wealth of opportunities for manufacturers and designers of products such as consumer electronics, connected wearables, home automation and connected health. However, the same technologies also introduce cyber weaknesses, and criminals actively seek out opportunities to break into critical infrastructure. We increasingly encounter the perception that a complex system must automatically be a secure one. Unfortunately, that is not always the case: complexity tends to widen the attack surface rather than shrink it.
A report from Make UK revealed that 60% of its members have been subject to a cyber security incident, almost a third of whom suffered some financial loss or disruption to business as a result. Forty-one percent of manufacturers went on to report that they have been asked by customers to demonstrate or guarantee the robustness of their cyber security processes.
Industry 4.0 (I4.0) systems are built from various components, such as cyber-physical systems, cloud computing, edge computing and Artificial Intelligence (AI). In practice, though, there are almost always physical components or sensors, often many hundreds or thousands of them, forming part of the system; these are generically referred to as IoT devices. They connect industrial systems to each other, act as the interface to the outside world and continuously collect data.
Although these components and sensors can be regarded as the strength of a given system, they can just as easily be its Achilles heel. According to a report from Kaspersky Lab earlier this year, half of all industrial control system networks have faced some form of cyber attack. Some connected devices lack the cyber robustness needed to resist attacks, and this, combined with control systems that may be running outdated or bespoke operating systems and software, increases their exposure to attack.
Setting the standard
The introduction of the NIS Directive (security of network and information systems) in Europe is intended to improve this situation, but uptake is slow, as is the introduction of the standards needed to support it. Standards do exist, or are being developed by international organisations, that aim to provide baseline protection as a first line of cyber defence. Examples of such baseline provisions include not shipping devices with default passwords and ensuring that a device's software can be updated 'over the air'.
Globally accepted standards provide a basis for mutual understanding and an effective medium for communication. If all stakeholders work to the same standard, interactivity and interoperability follow. Standards in IoT apply to many different areas and disciplines, but two important ones are protocols and security. Protocol standards are developed so that technologies from different manufacturers can interoperate and communicate. For example, two Bluetooth headsets from different manufacturers can both communicate with ease with the same mobile handset because they follow the same standards. Standardisation in cyber security sets a baseline by applying the same set of rules to define a basic level of protection and a means of assessing resilience to threats.
The European Union's Cybersecurity Act (Regulation (EU) 2019/881) is already in place and has two main objectives. Firstly, it strengthens the mandate of the EU Agency for Cybersecurity (ENISA), which contributes to cyber policy, enhances the trustworthiness of products and services, supports operational co-operation and promotes knowledge. Secondly, it establishes an EU-wide cyber security certification framework for ICT products, services and processes.
As for impending legislation, in Europe it is likely that cyber security requirements for products will be mandated through the Radio Equipment Directive. This is currently under review, but the most likely approach will be to require that radio equipment incorporates safeguards protecting the personal data and privacy of the user and subscriber, and that it supports certain features ensuring protection from fraud. It would also mean that radio equipment would need to support features ensuring that software can only be loaded onto it once the compliance of that combination of radio equipment and software has been demonstrated; in engineering terms, that implies authenticated (for example, signed) software images rather than accepting any firmware offered to the device.
Two important documents that specifically relate to IoT devices are the guidelines document NISTIR 8259 (US) and the draft standard ETSI EN 303 645 (Europe). The draft EN 303 645 covers only consumer products, whereas the scope of NISTIR 8259 is not confined to consumer products, so its general principles can be applied to demonstrate a baseline of cyber security protection for any IoT product. It follows that it can also be applied to I4.0 industrial products. California and Oregon have recently introduced legislation on IoT security, and NISTIR 8259 could be used as a guide to demonstrating compliance with it.
Because the scope of the draft EN 303 645 standard is limited to consumer IoT devices, it is not directly applicable to industrial products, although its general principles can certainly be applied generically to provide some measure of protection as part of a tailored risk assessment.
Although legislation has yet to be introduced in Europe, assessment can already be performed against the draft EN 303 645 standard. An accompanying document, ETSI TS 103 701, is also in development and sets out the test methodology to be used. Neither is complete, and both could be changed or even replaced as legislation is implemented, but they are an excellent starting point to help manufacturers prepare for what is coming.
As the UK leaves the EU, it is preparing its own legislation, which is presently being reviewed following a recent public consultation. It is quite possible that this could become mandatory within the next six to 12 months. The security requirements under consideration are derived from EN 303 645 but are initially limited to three:
- A ban on universal default passwords in consumer smart products.
- The implementation of means to manage reports of vulnerabilities.
- Transparency as to how long a product will receive security updates.
However, the Government has noted that it may introduce further requirements at a later date if needed.
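The first of those three requirements is the one most readily checked in code, both on the manufacturing line and by an assessor. The following is an added illustration, not code from TÜV SÜD or from the standards themselves: a factory provisioning routine that gives each unit its own random initial password (stored on the device only as a salted PBKDF2 hash), a constant-time login check, and an assessor-side audit over a production batch that flags known universal default credentials and any password shared by more than one unit. The default-credential list, the PBKDF2 iteration count and the sample batch are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed list of well-known universal credentials. A real audit would use
# a maintained wordlist; this short list is illustrative only (assumption).
UNIVERSAL_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("user", "user"),
}

# Assumption: iteration count tuned to what the device CPU can afford at login.
PBKDF2_ITERATIONS = 200_000


def provision_device(serial: str, username: str = "admin") -> dict:
    """Factory-time provisioning: a random password unique to this unit.
    Only the salted hash goes into device flash; the cleartext goes to the
    label printer so the owner can log in once and is then forced to change it."""
    initial_password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", initial_password.encode(), salt, PBKDF2_ITERATIONS
    )
    return {
        "serial": serial,
        "username": username,
        "initial_password": initial_password,  # label only, never stored on device
        "salt": salt,
        "hash": digest,
        "must_change_on_first_login": True,
    }


def verify_login(record: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored hash in constant time."""
    if username != record["username"]:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def audit_batch(batch: list[tuple[str, str, str]]) -> list[str]:
    """Assessor-side check over a production batch of (serial, user, password).
    Flags credentials on the known-default list and, separately, any password
    shared by more than one unit, which is what a 'universal default' looks like
    in practice even when it is not on any wordlist."""
    findings = []
    counts = Counter(pw for _, _, pw in batch)
    for serial, user, pw in batch:
        if (user, pw) in UNIVERSAL_DEFAULTS:
            findings.append(f"{serial}: known default credential {user}:{pw}")
        elif counts[pw] > 1:
            findings.append(f"{serial}: password shared by {counts[pw]} units in batch")
    return findings


# Constructed sample batch: two units on a known default, two sharing a
# vendor-chosen 'default', one genuinely unique.
SAMPLE_BAD_BATCH = [
    ("SN0001", "admin", "admin"),
    ("SN0002", "admin", "admin"),
    ("SN0003", "admin", "Tq9!x"),
    ("SN0004", "admin", "Tq9!x"),
    ("SN0005", "admin", "unique-one"),
]

if __name__ == "__main__":
    good = [provision_device(f"SN{i:04d}") for i in range(5)]
    good_batch = [(r["serial"], r["username"], r["initial_password"]) for r in good]
    print("provisioned batch findings:", audit_batch(good_batch))
    print("sample bad batch findings:")
    for finding in audit_batch(SAMPLE_BAD_BATCH):
        print("  ", finding)
```

The audit deliberately treats a password repeated across units as a finding even when it is not on the wordlist: EN 303 645's intent is that credentials are unique per device or set by the user, and a vendor-wide "default" that merely looks random still fails that test.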
There are other existing standards aimed at improving security across the whole stack, from network infrastructure down to devices. For example, an industrial IoT device could be certified under the IEC 62443 series as part of a larger installation. This series addresses security for industrial automation and control systems (IACS). It mixes process, quality and technical requirements, and most of it is applied to systems rather than to individual products, although IEC 62443-4-1 (secure product development lifecycle) and IEC 62443-4-2 (technical requirements for components) do address the product and its development process directly.
Although the standards may not appear to cover everything, they do at least offer that first line of defence. Manufacturers should also run their own cyber security programmes, because there are options beyond the present standards landscape. These include more stringent, bespoke testing, or penetration testing, which can identify deeper and more serious threats to a machine and to the IoT system within which it sits or that supports it. It is also vital to think 'secure by design' from the outset and to take a proactive approach by recognising that attacks are a matter of 'when, not if'.
Threat resilience should also be treated as an iterative task. Not every threat will have been discovered during the first assessment, so it is very important to maintain up-to-date compliance with all applicable standards and to review your 'cyber resistance' status continually.
As Industry 4.0 and the IoT advance, systems and installations will become increasingly interconnected on a global scale. While digitisation and the increasing connectivity provided by the IoT bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cyber crime. Both industrial IT security and the security of wireless products that manufacturers produce will therefore become increasingly important.
Ongoing investment in cyber security is crucial to keep pace with technological development, as cyber criminals rapidly develop new forms of attack on critical IT infrastructure. Remember that cyber attacks in the IoT are a case of 'when, not if', so manufacturers should ensure they are fully up to date with compliance requirements and constantly review the 'cyber resistance' status of their systems. We often hear of devices being compromised and hijacked within minutes of being connected to the internet.
There is some debate within industry that the present cyber security standards lack detail and do not adequately cover the scope of typical industrial applications. While this may be true, they at least offer guidance where previously there was none. Tackling cyber security risk can only really be achieved through comprehensive planning, periodic evaluation, updates and monitoring, carried out continuously from design through to obsolescence.
At present, device and component cyber assessment needs more traction. It would be prudent for any integrator or end-user to ask their supplier what level of cyber assessment has been performed on a product and for evidence of its resilience to attack.