IT security in the Internet of Things
Every year, the Internet grows by billions of devices. We are no longer just connecting people; more and more machines are communicating over a single, global network. Yet in this rush to connect everybody and everything, we pay little attention to the safety and security of our new networked world. How should we think about IT security in a world in which billions of devices are connected to a single, global network? With the Internet of Things, for the first time, it is not just our data that is at risk: there is also the potential for direct physical harm.
Especially in the smart home segment, the market consistently fails to produce reasonably secure and trustworthy devices. Right now, manufacturers of smart home devices have almost no economic incentive to implement secure software development processes or even to follow IT security best practices. As a result, routers, digital video recorders, webcams and smart TVs are easily compromised by criminals and become part of botnets of hundreds of thousands of devices. These botnets are then used to attack websites, company servers or even critical Internet infrastructure. Only in recent years have governments started paying attention to this new threat to our fully networked society.
The project IT Security in the Internet of Things analyses and develops economic incentives for IoT manufacturers to implement secure software development processes and to follow Security-by-Design principles. To this end, different policy tools such as extended product liability, voluntary consumer labels or mandatory baseline requirements as a market barrier are analysed and discussed in multi-stakeholder expert workshops. In these workshops, participants from academia, private companies, ministries and civil society critically discuss the problem analysis, brainstorm ideas on how to improve the status quo and assess the effectiveness of policy proposals. All workshops are held under the Chatham House Rule. These workshops, expert interviews and desk research form the basis for the project’s policy papers.
Workshop #1 ─ IT security in the Internet of Things (DE)
20th September 2016
The first workshop in the series focused on the central challenges regarding IT security in the Internet of Things. In two brainstorming sessions, the participants were first asked to identify the key challenges of IoT security in the next 5-10 years. Those challenges were then ranked by “Urgency” and “Potential Policy Impact”.
Workshop #2 ─ IoT security through mandatory baseline requirements? (DE)
14th December 2016
Participants of the second workshop discussed whether and how mandatory baseline requirements as a market barrier could improve IoT security. The group identified key challenges in implementing baseline requirements, such as enforcement and security assessment, and whether one needs to differentiate between industrial IoT and consumer IoT.
Workshop #3 ─ IoT security during the lifetime of a smart product (DE)
17th May 2017
The third workshop focused on the constantly growing gap between the lifetime of a product and its software support period: on average, a fridge is used for more than a decade, so a “smart” fridge would need to receive software updates for more than a decade. How can this be achieved, and what does it mean for manufacturers of smart household appliances with regard to legacy support?
No workshop proceedings available.
Workshop #4 ─ EU’s Cybersecurity Certification Scheme (EN)
11th October 2017
In the fourth workshop, participants discussed the European Commission’s proposal for a Cybersecurity Certification Scheme (Cybersecurity Package COM(2017)477). During two brainstorming sessions, the participants first identified the key aspects of an efficient and effective IT security assessment ecosystem. Based on these findings, the EU Commission’s proposed certification scheme was then analysed, and the participants identified central shortcomings and potential challenges.
Workshop #5 ─ IoT-Security and Market Surveillance (EN)
29th May 2018
The participants from academia, civil society, private companies and ministries discussed the new information flows needed to improve market surveillance of IT security, based on the New Legislative Framework (NLF) approach proposed in the EU Cybersecurity Act. A key question was how to better involve independent individuals such as hackers or security researchers after they have found a security vulnerability in an off-the-shelf consumer IoT device. The participants furthermore discussed the potential of a product database for tracking IT security relevant information. The workshop was conducted under the Chatham House Rule.