
Page 1

European Union Agency for Network and Information Security (ENISA)

ENISA's effort to foster IoT cybersecurity

Dr Fabio Di Franco

ETSI IoT week | Challenging IoT Security & Privacy Workshop

Sophia Antipolis | 22.10.2018

Page 2

Seat in Heraklion

Operational Office in Athens

Securing Europe’s Information Society

Page 3

Positioning ENISA activities

POLICY: Support MS & COM (Member States and the European Commission) in policy implementation; harmonisation across the EU

CAPACITY: Hands-on activities

EXPERTISE: Recommendations; independent advice

Page 4

What is IoT?

The Internet of Things (IoT) is "a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making" [1]

Diagram by skyworksinc.com

[1] Source: Baseline Security Recommendations for IoT – ENISA

Page 5

Security Considerations in IoT

• Very large attack surface: the threat landscape concerning IoT is extremely wide.

• Complex ecosystem: involving aspects such as devices, communications, interfaces, and people.

• Security integration: legacy products might not guarantee any security.

• Difficult to secure the entire lifecycle of products.

• Fragmentation of the standards and regulations.

• Insecure programming and reuse of insecure/deprecated code.

• Unclear liabilities.

• Limited device resources.

• Security is not yet a market differentiator.

Sources: Baseline Security Recommendations for IoT – ENISA; Security and Resilience of Smart Home Environments – ENISA

Page 6

Security Considerations: People

• Fragmentation in a complex ecosystem makes it technologically difficult to apply automatic over-the-air updates to all connected devices.

• Lazy customers: security updates are tedious.

• Lack of expertise: updates might be a challenge for non-technical people.

• Unaware of how easy it is to hack a device (threats).

• Unaware of the private and sensitive information that can be gained in an attack.

Page 7

Research questions: People behaviour

People are the weakest link in security. Aggregation of data and inference has exponentially increased the risk of identity theft and privacy violations.

• How is the information security and risk management discipline evolving, and what are the consequences?

• How can we influence human behaviour and learn how to create a more secure environment?

• What are the parallels and overlaps with the social and behavioural sciences?

Page 8

When will the clients ask for more security?

Page 9

ENISA studies on IoT security

• Baseline IoT Security

• Smart cars

• Smart hospitals

• Smart airports

• Smart homes

• Industry 4.0

Page 10

Page 11

Baseline IoT Security Measures

Policies

• Security by design

• Privacy by design

• Asset Management

• Risk and Threat Identification and Assessment

Organizational, People and Processes

• End-of-life support

• Proven solutions

• Management of security vulnerabilities and/or incidents

• Human Resources Security Training and Awareness

• Third-Party relationships

Technical

• Hardware security

• Trust and Integrity Management

• Strong default security and privacy

• Data protection and compliance

• System safety and reliability

• Secure Software / Firmware updates

• Authentication

• Authorization

• Access Control - Physical and Environmental security

• Cryptography

• Secure and trusted communications

• Secure Interfaces & network services

• Secure input and output handling

• Logging

• Monitoring and Auditing

https://enisa.europa.eu/iot

Page 12

Future steps for IoT Security

• Essential to consider and ensure IoT security in all stages of the life cycle of products and services

  • Design, development, testing, usage, maintenance (security updates) and decommissioning

• Establish baseline security measures for IoT across sectors

  • Such measures will form the basis to evaluate/assess relevant products & services

• Raise awareness on IoT security (threats, risks, solutions)

• Involve all stakeholders since it is a multi-faceted issue

  • Consumers to play a focal role (updates, awareness)

Page 13

Fabio Di Franco

Tel: +30 28 1440 9711

[email protected]

www.enisa.europa.eu

Thank you