WIBU-SYSTEMS Blog

A Holistic Approach to IoT Security

05 February 2019
Author: Wibu-Systems
Company: WIBU-SYSTEMS AG

Is it possible to introduce an IoT device that can authenticate its user, can encrypt and decrypt transmitted and received data, and deliver or verify the proof of integrity, yet still be considered an insecure device?

Yes, says the European Union Agency for Network and Information Security (ENISA) in their IoT Security Standards Gap Analysis: Mapping of existing standards against requirements on security and privacy in the area of IoT. The organization is focused on developing advice and recommendations on best practices in IoT information security.

In their study released in December 2018, the organization found that there are no significant standards gaps for IoT security protocols: every requirement can be met by an existing standard, and standards exist for the many different elements of making a device, service or system secure. However, IoT actually refers to a complete ecosystem of more than just devices and services, and one in which scalability and interoperability considerably complicate the environment. Therefore, if the security protocols inherent in the device or service are not considered holistically, it is possible to deliver an insecure device to the market, even if it meets all of the existing individual security standards.

As the analysis suggests, a gap in standards exists only insofar as it is unclear what combination of standards, when applied to a product, service or system, will result in a recognizably secure IoT. The challenge for regulators and suppliers, of course, is to bring only secure IoT devices to the market, and this requires a different approach, one flexible enough to accommodate the nature of the dynamic IoT ecosystem.

The primary conclusion of the study is that standards are essential but not sufficient to ensure open access to markets. In the particular case of security, a large number of processes as well as technical standards have to be in place to ensure that any device placed on the market is assuredly secure.

Whereas a checklist of IoT security requirements and its mapping to specific standards can serve as a springboard towards holistic and effective IoT security, the report notes that the complexity of the IoT ecosystem calls for more flexible approaches. Not only do the underlying technological challenges call for adaptive, context- and risk-based solutions, but the IoT market constraints also have to be taken into account, so as not to hamper competitiveness and innovation.

Ultimately, the processes recommended in the analysis are intended in part to engender a change in attitude towards device security by making secure IoT the only form of IoT that reaches the market and to give confidence to the market through a combination of certification, assurance testing & validation, and market surveillance.

If you are involved with implementing secure IoT devices, products and services, I think you will find this investigation to be interesting reading. The complete report is available for download from ENISA.
