On 19 November 2019, the European Union Agency for Network and Information Security (ENISA) released its report ‘Good practices for security of Internet of Things (IoT)’ (Report), providing a comprehensive analysis of security concerns surrounding IoT, secure Software Development Life Cycle (sSDLC) principles, and setting out best practices. Below, we highlight some of the key points. The Report can be read in full here.
Background
IoT refers to a network of internet-connected devices, ranging from microwaves to phones to smart homes. ENISA is tasked with improving the resilience of Europe’s critical information infrastructure and networks, and the Report focuses on establishing good practices for securing the IoT software development process. As a precursor to the Report, in 2017, ENISA released its study ‘Baseline Security Recommendations for IoT’ (here).
Highlights from the report
The Report is intended to cover the entire IoT ecosystem, and will be pertinent to software developers, platform developers and users, and IoT integrators. A comprehensive set of security concerns has been identified, classifying key threats into the following categories: ‘personnel’, ‘outages’, ‘unintentional damages’, ‘physical attack’, ‘legal’, ‘failures/malfunctions’ and ‘nefarious activity/abuse’. Scenarios include:
- Insecure credentials in embedded devices – users may keep default credentials or create insecure ones, which attackers could pick up when using online resources to scan for exposed devices. A lack of strong authentication mechanisms can lead to users being frustrated with the process of setting credentials, and so result in insecure credentials. This is an area easily susceptible to phishing/hacks.
- Rigid communication protocols – software-based interfaces can be rather inflexible when it comes to their communication functionalities, typically at the software development phase. Where inflexible communication protocols prevent users from applying additional security measures, this may lead to incompatibility and create a security gap, making the interfaces vulnerable to ‘man-in-the-middle’ attacks.
- Insecure software dependencies in cloud services – dependencies already available to developers are commonly used to provide functionalities to software, thereby saving a lot of development time. Such dependencies may not be constantly updated or checked for potential vulnerabilities, and so attackers may exploit these outdated components.
With these in mind, the Report sets out the following recommendations and good practices:
- Security by design – Parties should adopt a “consistent and holistic approach during [the IoT system’s] whole lifecycle across all levels of device/application design and development, integrating security throughout the development, manufacture, and deployment” (GP-PS-01); integrate different security policies (GP-PS-02); and ensure IoT hardware manufacturers/software developers implement test plans and penetration tests (GP-PS-06).
- Development of security measures for IoT sSDLC: ‘people’, ‘processes’, and ‘technologies’ –
  - People: Training and awareness (promoting security awareness at all organisation levels, allocating resources to stay up to date with security topics, etc.); establishing a security culture (defining security roles and privileges, separating duties, monitoring/responding to security incidents, etc.).
  - Processes: Third-party and operations management; sSDLC methodology (establishing a control access and authorisation policy, defining security metrics, adopting maturity models, etc.); secure deployment (implementing disposal and testing strategies, etc.); and security design (risk assessment, threat modelling, etc.).
  - Technologies: Access controls (e.g., ensuring secure storage of users’ credentials); third-party software (using up-to-date patches for components); secure communications and codes (e.g., proven encryption techniques, web interfaces, and session management); sSDLC infrastructure (secure logging and implementing white lists); and conducting security reviews and setting up contingency plans, etc.
Comment
The extensive measures proposed in the Report serve as helpful guidance for all parties and stakeholders involved in the entire lifecycle of IoT. Software developers and IoT integrators need to work together with senior management to ensure proper frameworks are in place. As more devices become IoT-enabled, threats to cybersecurity will increase. Organisations that can demonstrate compliance with the recommendations in the Report can benefit if they are scrutinised by regulators in the future.