
Executive Summary
The Internet of Things (IoT) is growing at a staggering rate. Gartner [2] forecasts that the number of connected things in use globally will surge from 8.4 billion in 2017 to 20.4 billion by 2020, with total spending on endpoints and services exceeding $2 trillion [3]. IoT unlocks tremendous value for the individual, for organisations and for governments; however, it also presents enormous security challenges. The 2015 VTech data breach [4], the Mirai botnet [5] of 2016, and the recent Silex malware attack [6] are some of the many incidents that have affected IoT in this early stage of its evolution. The potential of IoT will only be fully realised if cybersecurity and privacy are built in by design, and the following risks [7] are addressed and mitigated:
1. Consumer privacy and safety are undermined by the vulnerability of individual devices, connectivity, and back-ends; and
2. The wider economy and critical infrastructures face an increasing threat of large-scale cyber-attacks launched from massive numbers of insecure IoT devices.
The International IoT Security Roundtables held in 2016, 2017 and 2018 [8] by the Cyber Security Agency [9] (CSA) of Singapore and the Ministry of Economic Affairs and Climate Policy (MEAC) of the Netherlands [10], as well as this study of the IoT security landscape, provide input for global efforts towards creating a safe and secure cyberspace of things; a global approach is required since IoT security is not limited by national boundaries. These efforts shall lead to a global platform to share ideas and experiences, shape technologies and architectures, and drive standards and collaboration in creating a next-generation, inherently secure IoT ecosystem that upholds security and privacy expectations.
We identify and formulate the problem statement below based on our observations and the inputs of experts from CSA and MEAC as well as the Netherlands National Cyber Security Centre (NCSC) [11].
[2] https://www.gartner.com/en
[3] https://www.gartner.com/newsroom/id/3598917
[4] https://www.vtech.com/en/press_release/2018/faq-about-cyber-attack-on-vtech-learning-lodge/
[5] https://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained
[6] https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/-silex-malware-bricks-iot-devices-with-weakpasswords
[7] Secure by Design: Improving the cyber security of consumer Internet of Things. Policy report UK Government, March 2018.
[8] https://www.sicw.sg/iot
[9] https://www.csa.gov.sg/
[10] https://www.government.nl/ministries/ministry-of-economic-affairs-and-climate-policy
[11] https://english.ncsc.nl/
Vulnerable IoT devices are deployed fast, globally and with unknown lifespan, while a level playing field on common standards and technical solutions for cybersecurity in IoT is lacking for the industry. This creates safety, environmental and social hazards that are not well understood and likely to be unacceptable for society.
Using the problem statement as a starting point, this study identifies and discusses 11 interdependent IoT security challenges and presents findings and recommendations. We believe that addressing these challenges will allow IoT security to mature to a point where the IoT ecosystem can develop and flourish in a manner that is acceptable for society.
TACKLING THE CHALLENGES
Many government agencies, academic institutes, industry alliances and individual vendors have made efforts towards tackling IoT security challenges; however, there is limited collaboration between these initiatives. Consequently, there exist hundreds of documents [12] with significant duplications and possible contradictions. IoT product developers, and vendors involved in the IoT supply chain and life cycle, may find themselves overwhelmed – or they may take advantage of the lack of clarity to do nothing at all. There is an immediate need for harmonisation on security recommendations and guidelines as well as coordination on security assurances in the form of regulation and certification. Given the continuing exponential growth in the number of IoT devices, there is no time to lose.
[12] https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

