Security in the IoT - a challenge

The Internet of Things (IoT) is not a new paradigm - it was first defined by Kevin Ashton in 1999 when he explained the various possibilities of RFID (radio-frequency identification) in supply chain management. However, the rapid development of information and communications technology (ICT), as well as digitization and globalization, have taken the IoT, mutatis mutandis, to an unprecedented level of interconnectedness. Yesterday, the IoT was still a technical and isolated concept, it is now a complex, societal one, cross-sector and ubiquitous trend on which society increasingly relies. With exponential growth, devices are connected to the Internet or embedded in the social fabric; this ranges from consumer IoT to industrial systems and critical infrastructures such as webcams, network-attached storage and modems, operational technologies such as SCADA systems and satellites.

IoT has already transformed numerous sectors and areas

Every sector of the economy benefits from IoT. For risk management, IoT can make a critical difference for the following reasons: First, IoT generates a huge amount of data that can be used before, during and after an incident to send detailed and reliable information about the process status of infrastructures to the right service, which can prevent the entire system from malfunctioning. During an incident, IoT ecosystems can provide valuable first-hand information to emergency services at the tactical and operational levels. This current state information creates a better picture of the situation and can support crisis management during and after the incident. Using Big Data analytics, IoT ecosystems can also be combined with crisis mapping processes to acquire targeted information and scenarios to improve preparedness.

Second, drones, sensors, actuators, satellites, and remotely operated demining devices have two things in common: they can be considered IoT devices as well as deployed in inaccessible or insecure areas to provide information about the state of affairs on the ground.

Third, IoT ecosystems can improve the automation of industrial systems and other repetitive processes in critical infrastructure, reducing the risks associated with human error and improving safety while reducing costs.

IoT ecosystems are leading to growing interdependencies between all sectors of society, especially between industrial sectors, critical and very critical infrastructures. Forecasts predict that the total number of connected devices will grow to 75.44 billion by 2025. The IoT is a trend to be taken seriously, as it represents both a systemic opportunity and a risk.

On the one hand, the IoT creates high business value due to the numerous benefits it can bring to society. The IoT also increases connectivity, data collection and analysis (Big Data), and automation and control (unmanned systems). This represents great potential for improving risk management, which can increase safety and generate revenue and save costs.

Conflict of objectives between costs and safety 

But even if the positive effects of the Internet of Things are far-reaching, its disadvantages should not be underestimated. Due to a lack of regulation, industry often invests in measures with a direct return on investment, while safety and security measures and lifecycle management are often disregarded. Consequently, the number of poorly secured and unprotected IoT devices deployed in society has risen to an alarming number. This was demonstrated by the October 2016 DDoS attack on the Mirai IoT botnet: The incident, if successful, could have caused widespread Internet outages across Europe.

Regulation, standardization and certification of the IoT is immature even today. Indeed, there are no universally accepted standards. Few countries are integrating the IoT into their national cybersecurity or cyberdefense strategies, and there are no mandatory or legally binding regulations at either the national or international level. The UK is the only nation to have issued a collection of "codes of conduct" related to the IoT. At the international level, Enisa, ITU as well as NATO have published some recommendations on IoT. The most legally binding regulation related to IoT is the Nato Standardization Agreement, which, however, does not focus exclusively on IoT. Consequently, it seems clear that regulation is necessary, especially with regard to industrial systems and critical infrastructures, to ensure the security, protection and liability of IoT ecosystems.

Design, production processes and life cycle management

Poor regulation and the trade-off between cost and security of IoT have led to unsafe and unprotected design and production practices and poor lifecycle management, among other issues. This raises the following questions: First, are legacy IoT ecosystems compatible with modern IT systems, and if so, how long before they become obsolete?

Indeed, due to insufficient lifecycle management, it is difficult to predict exactly how long an IoT device can be used without malfunctioning. Second, if an IoT device needs to be replaced, who is responsible for the replacement and who bears the additional financial costs? Will the replaced IoT device be as safe as the older one? What about its lifespan?

These issues are particularly central with regard to industrial systems and critical infrastructures, which use numerous IoT devices and cannot afford any failures and must be operational at all times.

Hacker attacks 

The attack on Mirai is only the most well-known - but the trend shows that IoT attacks have increased sharply since 2016. In January 2019, the Japanese government therefore decided to test all IoT devices present on Japanese soil - this in particular to secure the 2020 Summer Olympics in Tokyo, which were recently postponed to 2021. Indeed, IoT devices can be misused in different ways and for different purposes: Espionage, disruption, crime, hacktivism, etc. Since IoT devices are already present in all critical infrastructures, IoT ecosystems, if not properly secured, potentially represent an entry point for criminal and dangerous activities, and thus a systemic vulnerability.

Malfunctions and obsolescence 

The above-mentioned insufficient lifecycle management of the IoT can lead to connected devices, sensors or actuators failing and sending incorrect information or no information at all. This is unacceptable, especially in the context of population protection and with regard to critical infrastructures, and can have momentous consequences. To illustrate: What would be the consequences if the receiver installed between the rails of the European Train Control System 2 (ETCS 2), which is also used in Switzerland, does not function properly and transmits the wrong information to the train?

Trustworthiness of the IoT

The trustworthiness of IoT devices is closely linked to their design, lifecycle management, and production processes: An IoT ecosystem is considered trustworthy when it and its devices are designed and manufactured to be secure-by-design and their lifecycle management is focused on safety and security. However, due to a lack of regulation and for the reasons already mentioned, this ideal case is non-existent today. Risk management must therefore address the fact that almost all deployed IoT devices are potentially untrusted.

Lack of awareness and knowledge about the IoT 

First, the competitive market and rapid development of ICT are forcing IoT industries to diversify and innovate. The problem is that companies often lack the knowledge and experience to manufacture secure IoT devices. This is especially the case when established companies enter the IoT market for the first time (e.g., semi-automated cars, connected refrigerators, etc.).

Second, the lack of contextual awareness about the deployed IoT devices can lead to systemic malfunctions or exploitation of contextual vulnerabilities. Deploying a network of IoT devices in a home, hospital, factory, or national power grid requires different security considerations.

Contextualization is of great importance for understanding the specific threats and vulnerabilities affecting each IoT ecosystem. For example, the canton of Basel-Stadt decided to buy new police patrol cars and chose Tesla hyper-connected cars.

However, Tesla was then able to access almost all of the police cars' information - including geo-tracking, engine condition, video cameras, etc. This serious data integrity flaw is mainly due to the lack of awareness and contextualization of the person responsible for this purchase.

Switzerland: Impact on risk management

Its location in the center of Western Europe means that Switzerland is a central hub for various critical areas: gas transport (Marseille-Cressier-Rotterdam pipeline), power grid, goods transport, etc. Due to these systemic dependencies, a failure of critical infrastructure in Switzerland could potentially lead to a domino effect throughout Western Europe. For this reason, the use of IoT devices in Swiss infrastructures should not be treated lightly. The priority should be to regulate IoT first and foremost, especially since there are no standards or regulations in this area in Switzerland to date. At best, there are recommendations emanating from the Reporting and Analysis Center for Information Assurance (Melani) and Prophylax, a prevention and awareness program of the Federal Intelligence Service. However, these recommendations are mostly directed at consumers and not at manufacturers, vendors, or service providers. To underscore the urgency of regulating cyber traffic in Switzerland, this area should be better integrated into Switzerland's cybersecurity strategy. In addition, standardization and regulation raises the following question: should Switzerland follow the barely existing IoT regulation and thus increase its interoperability with surrounding countries? Or should Switzerland develop its own standards and regulations and thus increase its sovereignty?

Author

Alice Crelier, Researcher, Cyber Defense Project, Risk and Resilience Research Team, Center for Security Studies (CSS), ETH Zurich