More and more systems are able to network with each other. As a result, much attention must be paid to the maintenance and security of these systems. The certification of IoT devices plays an important role here.
From the smallest sensors in mobile phones or cars to complete production plants in industry – more and more devices are networked together via the Internet of Things (IoT). By the end of 2019, there were already around 27 billion IoT devices, which means that for every person in the world there are almost three IoT devices.
According to experts, this ratio will multiply even more in the coming years. One reason for this is the many advantages that companies benefit from when using IoT devices in an industrial context. The whole concept of Industry 4.0 is based on the idea of networking technical systems in such a way that they can exchange information and communicate with each other independently. This intensive exchange of data, however, means that completely new requirements must be placed on the protection of IoT devices.
Software patches: A hurdle race
Devices that are networked in the Internet of Things (IoT) have the same problem as any computer: they are vulnerable to external attacks. For every form of communication, whether verbal between people or electronic between machines, there are ways and means to eavesdrop on it or manipulate it. To prevent this, IoT devices and computers must meet current security requirements throughout their life cycle. In the case of consumer products, this is relatively simple in an ideal world: the manufacturer identifies a security risk in the software of its device, develops a patch to fix the problem and installs it on its devices via an over-the-air update.
If, however, the software of an industrial plant needs to be updated, either in whole or in part, those responsible face significantly greater hurdles. In industrial production, for example, there is no guarantee that machines or components are continuously connected to the Internet. In such cases, an automatic software update is only possible indirectly. It is therefore the responsibility of maintenance or IT security personnel to keep themselves constantly informed about patches and to plan and monitor their delivery and installation.
This in turn leads to the next hurdle: Does an update require a system shutdown or a reboot? While restarting a smartphone requires little planning, restarting an industrial system requires meticulous preparation, as a number of factors must be taken into account: How does a stop affect the further work of the connected systems? Can this happen during operation, or do special maintenance windows have to be scheduled? Not least: How is the importance of the system to be classified, i.e. is it safety-relevant? In addition to the technical and organizational problems, a shutdown of a system means a loss of revenue.
Because of this increased effort, security gaps in IoT devices in an industrial context tend to be closed more slowly (or not at all) than would be technically possible.
Increased security through general standards
When thinking about how to improve the security of IoT devices in general, a look at best practices in other areas is helpful: technical norms and standards are already successfully used in other application areas to assess and ensure the safety of products and systems. Examples are the Machinery Directive or CE marking. These not only protect the life and limb of users and customers, they also create trust among them, because they promise an objectively evaluated level of functionality and safety.
Such a standard, in conjunction with certification, is now required for the security of IoT devices. It would make it possible to place a greater focus on security as early as the product design stage and then to test it regularly and reproducibly. By standardizing security requirements for both production and operation, the security of these systems can be sustainably increased.
In addition, there is a positive side effect: if half of the IoT devices in use could be better protected by such standardization alone, this would have an indirect positive effect on “non-standardized” devices as well, since the attack surface within the network would be reduced.
When working out the necessary security standards, different levels of requirements would of course have to be defined, on the basis of which the corresponding IoT devices are then developed and tested.
The basis should be the relevance of the respective system. For example, it is tolerable if the LED lamp in a smart home device shows the wrong color once because of a fault; however, if an industrial machine does not recognize the data from a sensor in an emergency or evaluates it incorrectly, this can have dire consequences. This is another reason why the security of IoT devices must be testable and certifiable. In addition to increased trust and safety, meaningful standards and independent controls also offer another advantage for companies: legal protection in the event of damage.
EU Cybersecurity Act: A first step in the right direction
A first step towards uniform security standards and checks in Europe is the EU Cybersecurity Act. It is intended to regulate and strengthen the requirements for, and the awarding of, cybersecurity certifications in the European area, and thus provides a legal basis for certification efforts in the IoT sector. Within the framework of the Act, it was also decided to establish the Stakeholder Cybersecurity Certification Group (SCCG), a body that is to help define the framework conditions for cybersecurity certification in the EU.
The group is composed of 50 members from across Europe, ranging from academic institutions to standardization organizations and consumer protection bodies. One aim of the committee is to create a uniform certification system for cyber security in the EU, which will also serve as a guide for consumers. These supranational efforts of the EU show how topical and important uniform security standards are considered to be there as well.
Standards create security and trust
The introduction of generally applicable guidelines and requirements is the next logical step in the adoption of IoT. The more data is in circulation, the greater the temptation for criminals to appropriate it. In addition to a generally increased resilience of the devices against attacks, the standardization of processes and technology makes it possible to have IoT devices tested and certified by independent third parties.
This creates increased confidence in the technology on the part of companies and customers and thus enables broader investment and innovation in an area that can offer enormous benefits to industry in particular. The intelligent networking of systems is at the heart of the ‘Industry 4.0’ agenda and should be treated and protected accordingly.