Terzo Digital have been members of the IoT-SF (Internet of Things Security Foundation) for several years now. The foundation has a strapline of “Build Secure, Buy Secure, Be Secure” and is trying to promote security best practice within the IoT community. You can read more about their mission statement here.
The morning keynote was given by Leonie Tanczer of UCL on the implications of IoT for victims/survivors of gender-based domestic violence and abuse. The talk illustrated the risks that IoT devices can present in this area. IoT vendors concentrate on making their products do the job they are designed for well, but should they also be looking at how the product could be misused? An interesting talk, which I feel sure the IoT-SF will pick up on during the coming year. You can read more on this at UCL’s Gender and IoT page.
An interesting panel discussion on Policy and Regulation touched on such areas as:
- The new draft of the European security standard EN 303 645 “Cyber Security for Consumer Internet of Things”, which is currently at the start of its approval procedure. You can read more about that in the ETSI work programme.
- That the many standards within the IoT security space were felt to be harmonising and defragmenting.
- That if you are relying on consumers for security, then you have already failed! You need to follow sensible guidelines, such as those offered by the IoT-SF, to try to avoid this.
- That starting the security discussion in the consumer IoT area is not counterproductive: it is one of the harder areas, and much of the same equipment is also used in enterprise settings.
- We currently have a large security debt, with lots of legacy equipment out there which will not be replaced for some time!
- A discussion on the trustworthiness of telecommunications manufacturers, especially in the mobile domain. The consensus seemed to be that the most prudent approach is to trust, but also verify.
That last topic also linked well with the excellent closing keynote given by Matt Wyckhouse of Finite State on “The truth about cybersecurity in the IoT era”. He talked about why we still see so many attacks against known vulnerabilities and default passwords in IoT when these are so much less common in the IT space. Our summary is that IT has more users whilst IoT has more equipment, the networks tend to be different, supply chains are more complex, and a lack of verification tools and policies breaks the normal security feedback loop. Most interestingly, Matt gave a glimpse into the work Finite State did analysing many versions of Huawei’s device firmware. You can read more on this on their website and, if you are interested, follow that up by reading the UK government’s annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, mentioned in the morning’s discussions.
The three tracks of talks during the day touched on many areas. Keep an eye on the IoT-SF website for the videos of the day becoming available, or if you can’t wait you could always watch some of the talks from the 2018 conference here.