IoT: What Is Security For Smart Devices?
The Internet of Things (IoT) encompasses a wide range of interconnected, Internet-connected devices that can collect and transfer data across the network without human intervention. The growing use of smart technologies makes the IoT more convenient, but it also opens the door to cybersecurity threats.
Reports of cyber breaches are on the rise because a network is only as secure as the least secure device within it, and the responsibility to uphold the security standards of connected devices rests with the manufacturers.
The advantages of the IoT can only be achieved if products and services take security and privacy requirements into account from the design phase onward, which in turn increases consumer confidence. Greater data circulation necessarily brings greater opportunities for that data to be lost or become unavailable. Poorly secured products threaten consumer privacy and can be used by criminals to launch large-scale Distributed Denial of Service (DDoS) cyberattacks.
The regulatory standard
The Technical Committee for Information Security of ETSI (the European Telecommunications Standards Institute) has published ETSI TS 103 645, the standard on the security of consumer IoT products. The document contains recommendations aimed at manufacturers and developers of networkable devices (better known as IoT products) intended for the general public (smart TVs, smartwatches, smart cameras, home automation systems, etc.) and now widespread in every social and production environment. It focuses on the most relevant technical and organizational controls for addressing the significant and widespread gaps in security. The goal is to help increase the security of IoT devices and, with it, consumer confidence.
The new security rules affect a wide range of IoT devices: security products such as smoke detectors and door locks, smart cameras, televisions and speakers, wearable medical devices, home automation and alarm systems, and household appliances (for example, washing machines and refrigerators).
The recommendations in the standard include, for example, not placing devices on the market with default usernames and passwords (admin; admin) and identifying contact points for reporting any new product vulnerabilities.
Other good practices and recommendations to follow include:
- the constant release of updates and security patches;
- the use of secure communication channels;
- secure storage of access credentials;
- the minimization of the possible “attack surface” of the devices;
- the guarantee of software integrity;
- the resilience of IoT systems to cyber attacks;
- easy and intuitive deletion of users’ personal data;
- simplified installation and maintenance of the devices.
It is essential to have a model that relies on other network security methodologies, such as rigorous access controls, network segmentation, and the definition of a “protected surface” that includes data, resources, applications, and services critical to the core business.