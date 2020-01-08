On 19 November 2019, the European Union Agency for Network and
Information Security (ENISA) released its report 'Good
practices for security of Internet of Things (IoT)' (Report),
providing a comprehensive analysis of security concerns surrounding
IoT, secure Software Development Life Cycle (sSDLC) principles, and
setting out best practices. Below, we highlight some of the key
points. The Report can be read in full here.
Background
IoT refers to a network of internet-connected devices, ranging
from microwaves to phones to smart homes. ENISA is tasked with
improving the resilience of Europe's critical information
infrastructure and networks, and the Report focuses on establishing
good practices for securing the IoT software development process.
As a precursor to the Report, in 2017, ENISA released its study
'Baseline Security Recommendations for IoT' (here).
Highlights from the report
The Report is intended to cover the entire IoT ecosystem, and
will be pertinent to software developers, platform developers and
users, and IoT integrators. A comprehensive set of security
concerns has been identified, classifying key threats into the
following categories: 'personnel', 'outages',
unintentional damages', 'physical attack',
'legal', 'failures/malfunctions' and 'nefarious
activity/abuse'. Scenarios include:
Insecure credentials in embedded
devices – users may choose default or create insecure
credentials that could be picked up by attackers when using online
resources to scan for exposed devices. A lack of strong
authentication mechanisms can lead to users being frustrated with
the process of setting credentials, and so result in insecure
credentials. This is an area easily susceptible to
phishing/hacks.
Rigid communication protocols –
software-based interfaces can be rather inflexible when it comes to
their communication functionalities, typically at the software
development phase. Where inflexible communication protocols prevent
users from applying additional security measures, this may lead to
incompatibility and create a security gap, making the interfaces
vulnerable to 'man-in-the-middle' attacks.
Insecure software dependencies in
cloud services – dependencies already available to developers
are commonly used to provide functionalities to software, thereby
saving a lot of development time. Such dependencies may not be
constantly updated or checked for potential vulnerabilities, and so
attackers may exploit these outdated components.
With these in mind, the Report sets out the following
recommendations and good practices:
Security by design
– Parties should adopt a "consistent and holistic
approach during [the IoT system's] whole lifecycle across all
levels of device/application design and development, integrating
security throughout the development, manufacture, and
deployment" (GP-PS-01); integrate different security policies
(GP-PS-02); and ensure IoT hardware manufacturers/software
developers implement test plans and penetration tests
(GP-PS-06).
Development of security
measures for IoT sSDLC: 'people',
'processes', and 'technologies' –
People: Training and
awareness (promoting security awareness at all organisation levels,
allocating resources to stay up to date with security topics,
etc.); establishing a security culture (defining security roles and
privileges, separating duties, monitoring/responding to security
incidents, etc.).
Processes:
Third-party and operations management; sSDLC methodology
(establishing a control access and authorisation policy, defining
security metrics, adopting maturity models, etc.); secure
deployment (implementing disposal and testing strategies, etc.);
and security design (risk assessment, threat modelling, etc.).
Technologies: Access
controls (e.g., ensuring secure storage of users' credentials);
third-party software (using up-to-date patches for components);
secure communications and codes (e.g., proven encryption
techniques, web interfaces, and session management); sSDLC
infrastructure (secure logging and implementing white lists); and
conducting security reviews and setting up contingency plans,
etc.
Comment
The extensive measures proposed in the Report serve as helpful
guidance for all parties and stakeholders involved in the entire
lifecycle of IoT. Software developers and IoT integrators need to
work together with senior management to ensure proper frameworks
are in place. As more devices become IoT-enabled, threats to
cybersecurity will increase. Organisations that can demonstrate
compliance with the recommendations in the Report can benefit if
they are scrutinised by regulators in the future.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
