How to create a trusted Internet of Things environment? Less is more

07 February 2017

Author: OpenForum Europe

By 2025, 27 billion connected devices (Machina Research, 2016) will operate around the globe forming the Internet of Things (IoT). These devices, when combined with Big Data, will create invaluable business opportunities for mobile operators, governments, cities and companies spanning industries around the world.

However, the realisation of the IoT is not without challenges. Experts claim that threats to the IoT are broad and can be potentially devastating for ICT systems. Currently, we can encompass these threats in two categories: privacy and security. The first important area of concern is the protection of personal data, as the devices that compose the IoT will, if they are not already, be everywhere around the home. This means that they could be vulnerable to cyber attacks pushing these devices to enter more into our private lives, and get our personal data even when we don’t want it. Security is the other main area of current concern, since the IoT is likely to be connected to essential infrastructure components, meaning that it will be an attractive target for national and industrial espionage as well as for “denial of service” and other attacks.

Trying to identify solutions to address these problems, the European Commission recently organised the IoT Security and Privacy Workshop, at which participants were asked to reflect and comment on the minimum concrete IoT privacy and security principles required in order to create a trusted IoT environment.

During the event, some stakeholders requested the European Commission to introduce minimum guidelines or requirements for IoT manufacturers in relation, for example, to update mechanisms, document interfaces, data transmission, etc. Some stakeholders went so far as to call for the development of a ‘Trusted IoT’ label, which could provide consumers of IoT products with information about the level of security and privacy of relevant products. Such a label could follow the example of today’s EU-wide labelling system used to indicate energy-efficiency of appliances and other devices.

We can all agree that for the EU to remain competitive in the global market, a trusted IoT environment needs to exist. However, creating unnecessary new legislation would go against the principle of doing less but better, a principle that the current Commission defends.

The NIS directive is now in the implementation phase, and the GDPR will enter into force in 2018. There are also other tools out there that could be very useful in order better to assure the security of the IoT. For example, there are already many standards relating to cybersecurity, such as ISO/IEC, W3C and OASIS.  At the heart of the standards landscape is the ISO 27000 series of standards as well as SSAE SOC 2 and 3 schemes which Europe has co-developed. Certification schemes that are widely used are strongly based on these schemes.

Therefore, while agreeing with the general sentiment of the participants at the workshop that the IoT needs to be secure, it can be argued that any move to develop new certification schemes, requirements or seals should be based on a rigorous analysis of specific vulnerability gaps. Moving to create additional overlapping schemes risks achieving the opposite of creating higher resilience – this could instead  create new vulnerabilities. Indeed, by creating new requirements or seals over and above the existing ones, the enforceability and value of each will inevitably be reduced, becoming just one in many: that is not the way to go.

References: Machina Research (2016). Press Release: Global Internet of Things market to grow to 27 billion devices, generating 3$ trillion revenue in 2025. Available at: