IoT and Security: Europe’s Perspective

Europol and the European Union Agency for Network and Information Security (ENISA) held a two-day conference earlier this month on Internet of Things security. More than 250 participants from the private sector, security community, law enforcement, the European Computer Security Incident Response Teams (CSIRT) community and academia attended.

In a press release recapping the conference, ENISA said, “It is important to understand how these connected devices need to be secured and to develop and implement adequate security measures to protect the Internet of Things from cyber threats.”

The main conclusions of the conference are:

  • The need for more cooperation and multi-stakeholder engagement to address interoperability, as well as security and safety issues, especially in light of emerging developments like Industry 4.0, autonomous vehicles, and the advent of 5G.
  • As securing the end device is often technically difficult and expensive to achieve, the focus should be on securing the architecture and underlying infrastructure, creating trust and security across different networks and domains.
  • There is a need to create stronger incentives to address the security issues related to the IoT. This requires achieving an optimal balance between opportunity and risk in a market where high scalability and short time-to-market dominate, positioning security as a distinctive commercial advantage and putting it at the heart of the design and development process. To effectively and efficiently investigate the criminal abuse of the IoT, deterrence is another dimension that needs strong cooperation between law enforcement, the CSIRT community, the security community as well as the judiciary.
  • This creates an urgent need for law enforcement to develop the technical skills and expertise to fight IoT-related cybercrime successfully. These efforts need to be complemented by raising end users’ awareness of the security risks of IoT devices.
  • Leveraging existing initiatives and frameworks, a multi-pronged approach combining and complementing actions at legislation, regulation and policy, standardization, certification/labeling and technical level is required to secure the IoT ecosystem.
  • One of the key observations of the conference is the importance of baseline good practices in addressing these IoT security challenges. In the coming months ENISA will publish its “Baseline Security Recommendations for IoT” report, bridging the gap in the area.

In Spring 2017, ENISA joined forces with several European semiconductor vendors to come up with baseline requirements for security and privacy in IoT devices. In its recommendations to the European Commission, it also recommended the creation of a “trust label” for devices adhering to the recommended security standards.
