By: Rob van Kranenburg and Petros Kavassalis, University of the Aegean | i4m Lab/ IoT Council
With so many diverse languages in the world, poor written and verbal communication can often be confused, with conversations devolving into utter nonsense. Before 2000, when the cloud was born and all else was just ideas or demos, we were used to having a “tribe” of easily recognizable devices, including desktop computers, terminals, laptops and the start of cell phones.
Since 2000 we have gone into a process where the ability to compute and interconnect became less immediately visible as the technology to connect moved into everyday things like lamps, cameras, fridges, TVs, cars, and city furniture like lampposts. We are thus in a world where a lot of connectivity and communications happen with no immediate transparency into who is talking to whom. We don’t always know the who or what behind the data being collected, nor do we know where it is interpreted.
In some parts of the world, where the politicians are scientists and engineers, potential threats were countered early by building a strong cybernetic system harnessing infrastructure, hardware and services so that devices could control systems from the architecture. We need architectures that can frame the dispersion of IoT devices; otherwise, we increase cybersecurity risks.
Here in the West, with no uniform approach from industry, getting a grip on device security and protocols has to be done with some forms of regulation. Thankfully, some U.S. politicians do see the need for this kind of protection and have signed into law H.R.1668, . Yet this really is only the first step in that process. This bill will establish a minimum-security standard for all IoT devices purchased by government agencies and will ultimately result in a spillover into the commercial IoT ecosystem quickly.
In Europe, we have also lost control over infrastructure (privatized) and data platforms (GAFA), and are rapidly losing agency on AI, as it has no data lakes and worse, no broad vision on the digital transition. Of course, both the United States and Europe would do better if they were to build their own cybernetic systems, taking firm control over identity (of humans, goods, objects and robots). The EU has rapidly developed a multi-level cybersecurity policy and this policy should be one of the major references for problem-solving in the current IoT world.
This may mean that existing devices will need to be monitored by some form of agency. Ideally, security tests and the education of the market will take place at the moment the device is tested for the CE mark, which indicates conformity with : "To place a CE Mark on electrical products to be legally sold on the European Market, a manufacturer has to be able to demonstrate compliance with the applicable EU regulations and directives including: the Low Voltage Directive (LVD) 2014/35/EU; Machinery Directive 2006/42/EC; Medical Devices Directive (MDD) 93/42/EEC; and In-vitro Diagnostic Medical Devices Directive (IVDD) 98/79/EC.”
Similarly, we need to give any device in an IoT ecosystem a unique identity. This is a necessary step to create a layer of IoT security and control the risks, especially those associated with IoT deployment in home area networks and in public infrastructures. Such an identity can make these devices identifiable when they come online and improve the security of the use of the IoT devices within service chains, thus improving both cybersecurity and end-user’s privacy. These identities do not need to be persistent, but on the contrary, must be designed as ephemeral or disposable to avoid systematic tracking of the device and of the owners of the device, but they should become regulated, accepted and widely used. They will obviously be based on the use of standardized digital certificates that will ensure proper authentication, transparency and authorization efficiency, and encryption.
A couple of good resources to ensure IoT devices conform and meet security requirements include:
The world is at a critical crossroads in the battle to ensure strong security of IoT devices that protect user data and ensure integrity. Now is the time for industry and government bodies to work together for the better good of society and the growing IoT segment’s future stability. The world is watching and wanting to trust that the right steps will be made.
It is becoming all the more urgent as the IoT — and what your objects are saying about you — is becoming as relevant to who you are as the wallet full of credentials that you will be showing. Device manufacturers, companies selling IoT devices and government regulators all have a role in ensuring device identity, authentication, integrity and data encryption using PKI certificates are adopted to protect users, without compromise.