The European Union Agency for Network and Information Security (ENISA), Europe’s centre for cybersecurity expertise, details threats posed by internet-connected devices.
ENISA’s efforts on IoT cybersecurity
The security threats and risks related to the Internet of Things (IoT) are manifold and they evolve rapidly. While it can be argued that this has always been the case with any new technology, the features of the Internet of Things are such that security concerns must be taken into account seriously.
With IoT, the digital and the physical worlds are no longer kept apart from one another. Cars, medical devices, factories and energy plants are all becoming connected. Therefore, any security breach in the IoT can not only severely affect the digital world, but more importantly might lead to grave safety issues in the physical world. Security and safety are tightly integrated, exacerbating relevant threats and risks. With great impact on citizens’ health, safety and privacy, the security threat landscape concerning the Internet of Things is extremely wide – and it is not a theoretical one. The fact is that these technologies now permeate almost all aspects of everyday life; IoT is pervasive. What this means is that the security risks are not contained within one person’s home, one private company, one Member State or the EU as a whole:
- IoT security needs coordinated efforts and holistic approaches by all stakeholders, from end-users to private organisations and member states alike.
- Raising awareness and setting a basic level of cyber hygiene across the board is essential.
- Along this line, ENISA has introduced Baseline Security Recommendations for IoT to ensure common understanding and interoperability when it comes to IoT cybersecurity.
However, the existing security issues and concerns over IoT should not be seen as a hindrance to its deployment or to benefitting from the numerous associated innovations. From these challenges, opportunities arise that will lead to secure, safe and prosperous deployments of the Internet of Things across Europe and the world.
ENISA’s work on IoT security and Industry 4.0
ENISA’s study on securing IoT, Industry 4.0 and smart manufacturing was published in November 2018. The study aimed to:
- Define relevant terminology, including terms such as Industry 4.0, smart manufacturing and Industrial IoT, to promote common understanding of relevant cybersecurity scenarios;
- Categorise Industry 4.0 assets across the manufacturing process and value chain in a comprehensive taxonomy;
- Introduce a detailed Industry 4.0 threat taxonomy based on related risks and attack scenarios, mapping the identified threats to assets and thus facilitating the deployment of security measures based on the customised requirements of interested stakeholders; and
- List security measures related to the use of IoT in smart manufacturing and Industry 4.0 and map them against the aforementioned threats.
In 2017, to address the challenges and lay the foundation for security of IoT, ENISA introduced its Baseline Security Recommendations for IoT as a whole. The aim is to ensure common understanding and interoperability when it comes to IoT cybersecurity, and to map to more than 200 existing security initiatives to help alleviate the current fragmentation of IoT security initiatives and guidelines.
High-level recommendations include:
- Promoting harmonisation of IoT security initiatives and regulations;
- Raising awareness of the need for IoT cybersecurity;
- Defining secure software/hardware development lifecycle guidelines for IoT;
- Achieving consensus for interoperability across the IoT ecosystem;
- Fostering economic and administrative incentives for IoT security;
- Establishing secure IoT products and service lifecycle management; and
- Clarifying liability among IoT stakeholders.
ENISA has also developed an online interactive tool to shore up the security of IoT and smart infrastructures. The aim is to provide an additional interactive way to address IoT security measures, but also to provide a more “lively” and up-to-date engagement with ENISA recommendations. The tool allows users to do their own risk assessment – defining threats pertinent to them and prioritising security areas of importance – and highlights recommended security good practices based on the issues highlighted by the risk assessment. It is currently available for IoT baseline security, Industry 4.0, smart cars, smart airports, smart hospitals, and smart cities.
In securing IoT, collaboration is everything. There are many players, many interdependencies, and many facets. ENISA is working closely with the European Commission, Member States and many other stakeholders from the industry, public sector and academia on pertinent issues. IoT Security and Industry 4.0 Cybersecurity Expert Groups are part of ENISA’s efforts in this direction. ENISA organises relevant events to raise awareness and advocate for better cyber hygiene in IoT and smart infrastructures. The annual ENISA-Europol IoT Security Conference is another important part of this strategy to maintain active engagement with stakeholders.