Products connected to the Internet of Things should meet a minimum defined level of security and should be labeled accordingly to promote consumer trust, according to the European Union Agency for Network and Information Security (ENISA). The agency worked with Infineon, NXP, and STMicroelectronics to produce a position paper that reflects the European semiconductor industry’s IoT security concerns and provides guidelines for policymakers.
The paper warns of a current “market failure” for cybersecurity and privacy: Incorporating security measures increases cost, but buyers are reluctant to pay more for solutions with added security. There is thus “no basic level, no zero level defined for the security and privacy of connected and smart devices,” the authors state.
“The past and current attitude of the private sector is mitigated, but weighs more strongly against including security in IoT devices,” said Michela Menting, digital security research director at ABI Research. “This is because security is seen as costly, and lengthens time-to-market. The argument there is often one of stifling innovation, especially if standards become regulatory requirements, and impeding market growth.”
Menting says this attitude may be softening.
“With cybercrime rising quickly in the IoT domain (i.e. WannaCry and Mirai) having affected some control systems, there is mounting realization that no-security will be just as costly, and could be reputationally damaging as well,” she said. “The attitude is slowly swaying the way of security, but at a terribly slow pace.”
The EU already has several projects in the IoT security space, including the Alliance for the Internet of Things Innovation (AIOTI), which is putting together baseline requirements for security and privacy, and a proposed IoT security trust label, modeled on the current energy-efficiency ratings for appliances (ratings from A to D), which is under discussion.
“The forthcoming GDPR [General Data Protection Regulation] and NIS [Network Information Security] directives will also have a significant impact,” Menting said. “Data coming out from connected IoT devices, which might be deemed personal, will need to be protected according to the GDPR, and critical infrastructure operators that are deploying connected industrial control systems will also need to make sure that they have adequate security measures in place, not just critical safety ones.”
The new ENISA position paper urges the European Commission to ensure minimum security requirements for connected devices. It recommends establishing baseline requirements for security and privacy that would set reference levels for trusted IoT solutions depending on the complexity of the device. A third party should evaluate and certify devices, and those that meet the required security level should be identified with an EU Trust Label, the paper suggests.
“Ideally, the use of the label should be mandatory as a symbol of trust for citizens, consumers and businesses in the connected world,” the paper states. “An obligatory reference framework and an associated label would ensure appropriate levels of security for products and services. This would further lead to a level playing field for the entire industry.”
Another priority should be the development of reliable security processes and services, such as providing small and medium enterprises (SMEs) with information and training on security solutions, according to the paper.
The authors also outline the need for future revisions of the security requirements that would step them up in stages beyond the baseline level. To address the economic challenges of adding security to products, they suggest incentives such as the inclusion of a “Digital Security Bonus” in insurance policies, as well as penalties “for dealing with vendors of security products and services that abuse established practices.”