IT security in the Internet of Things
The project investigates two separate but related questions. First, how can we build and operate trustworthy and resilient mobile communication networks (5G) for our society and industry? Our first hypothesis on this issue is: This is a shared responsibility between equipment vendors, network operators and national authorities. They should address risk mitigation on four different levels – standards, implementation, configuration and processes. Our second hypothesis states that it matters where technology was built/developed and the rule of law should be taken into account when assessing the risk of a particular vendor. This leads to a variety of relevant questions:
- How can a "trustworthy" vendor be defined and assessed?
- What are strategies to mitigate the risk of network sabotage and disruption of communication?
- Is it possible to build trustworthy and resilient networks based on untrustworthy network equipment?
- How can we establish and share best practices between European mobile network operators about secure and resilient network configurations?
The second major issue this project deals with is how do global semiconductor supply chains work and which role does Europe play in those? Semiconductors such as processors or memory chips are the basis of many emerging technologies and products, but they are designed and manufactured in very similar ways, maybe even within the same factory. The semiconductor supply chain is highly innovative, specialized and truly global. The project analyzes those supply chains from a national security perspective and through the lens of technological dependency. How comfortable is Europe to be increasingly dependent on semiconductors originating from a country that we perceive as a "systemic rival"? How can we assess those dependencies and which implications do they have on industrial policy?
- Who are the dominant players in certain technologies?
- In which semiconductor fields is Europe highly dependent on foreign actors and does this create economic pressure points to Europe's disadvantage?
- How and what type of policies can effectively address those dependencies?
Following is the project focus until summer 2018
Every year, the Internet is growing by billions of devices. We are not just connecting people anymore but more and more machines are communicating over a single, global network. Yet in this rush to connect everybody and everything we pay little attention to the safety and security of our new networked world. How should we think about IT security in a world in which billions of devices are connected to a single, global network? With the Internet of Things, for the first time, it’s not just our data that’s at risk but there is the potential for direct physical harm.
Especially when looking at smart home products, the market consistently fails to produce reasonably secure and trustworthy devices. Right now manufacturers of smart home devices have almost no economic incentive to implement secure software development processes or at least follow IT security best practices. Thus, routers, digital video recorders, webcams and smart TVs are easily hacked by criminals and become part of large botnets of hundreds of thousands of devices. These botnets are then used to attack websites, company servers or even critical Internet infrastructure. Only in recent years did governments pay attention to this new threat of our fully networked society.
The project IT Security in the Internet of Things analyses and develops economic incentives for IoT manufacturers to implement secure software development processes and follow Security-by-Design principles. To this end different policy tools such as extended product liability, voluntary consumer labels or mandatory baseline requirements as market barrier are analysed and discussed in multi-stakeholder, expert workshops. In these workshops participants from academia, private companies, ministries and civil society critically discuss the problem analysis, brainstorm ideas how to improve the current status quo and critically assess the effectiveness of policy proposals. All workshops are held under the Chatham House Rule. These workshops, expert interviews and desk research are the basis for the project’s policy papers.
Workshop #1 ─ IT security in the Internet of Things (DE)
20th September 2016
The first workshop in the series focused on the central challenges regarding IT security in the Internet of Things. In two brainstorming sessions the participants were asked to first identify key challenges of IoT security in the next 5-10 years. Afterwards those challenges were ranked based on “Urgency” and “Potential Policy Impact”.
Workshop #2 ─ IoT security through mandatory baseline requirements? (DE)
14th December 2016
Participants of the second workshop discussed if and how mandatory baseline requirements as a market barrier could improve IoT security. The group identified key challenges of implementing baseline requirements such as enforcement / security assessment or if one needs to differentiate between industrial IoT and consumer IoT.
Workshop #3 ─ IoT security during the lifetime of a smart product (DE)
17th May 2017
The third workshop focused on the constantly growing gap between the lifetime of a product and software support time: On average a fridge is used for more than a decade. A “smart” fridge would need to receive software updates for more than a decade. How can this be achieved and what does this mean for manufacturers of smart household appliances regarding legacy support?
No workshop proceedings available.
Workshop #4 ─ EU’s Cybersecurity Certification Scheme (EN)
11th October 2017
In the fourth workshop, participants discussed the European Commission’s proposal for a Cybersecurity Certification Scheme. (Cybersecurity Package COM(2017)477) During two brainstorming sessions, the participants first identified key aspects of an efficient and effective IT security assessment ecosystem. Based on these findings the EU Commission’s proposed certification scheme was then analysed and the participants identified central shortcomings and potential challenges.
Workshop #5 ─ IoT-Security and Market Surveillance (EN)
29th of May 2018
The participants from academia, civil society, private companies and ministries discussed new necessary information flows to improve market surveillance of IT security based on the proposed NLF approach of the EU Cybersecurity Act. Key question was, how to better involve independent individuals like hackers or security researchers after they found a security vulnerability in an off-the-shelf consumer IoT device. The participants furthermore discussed potentials of a product database to track IT security relevant information. The workshop was conducted under Chatham House Rule.