Key insights from Europol-ENISA IoT Security Conference

Europol and the European Agency for Network and Information Security (ENISA) have joined forces to gather the leading experts from the private sector, law enforcement and cyber-security community to discuss the security challenges around Internet of Things (IoT).

The IoT Security Conference provided a platform for European cyber security experts to provide audiences with insights into the security requirements of IoT, the analysis of relevant threats, the evaluation of potential attacks, and the identification of potential good practices and security measures to be applied to secure IoT systems.

Europol speakers have said that IoT has many benefits for law enforcement as a new instrument for the war against crime. Of example, the police use connected devices such as smart cameras of major events and to combat robberies and home burglaries, body cameras to boost situational awareness, weapon sensors to monitor when and how often they are used, and so on.

Europol said it was critical that law enforcement also invest in the safety and security of its IoT-connected devices to protect the privacy of its people.

One of the key topics that arose at the conference was the need to tackle IoT security challenges – either technological, legal, policy or regulatory – across different sectors and stakeholders.

The main recommendations of the conference were:

1. systems are no exception.”
2. “Law enforcement needs to be in a position to go beyond defence and incident response by being able to investigate and prosecute the criminals abusing connected devices.”
3. “There is a need to discuss digital forensics in regard to IoT and the importance of data and privacy protection, considering the amount and different categories of data collected by the IoT.”
4. “ENISA and Europol should continue working closely together to inform key stakeholders of the need to be aware of the cybersecurity and criminal aspects associated with deploying and using these devices.”
5.  “In 2019 and beyond, holistic, pragmatic, practical and economically viable security solutions need to be promoted and the entire IoT ecosystem needs to be looked into.”
6. “Cybersecurity is a shared responsibility. Stronger collaborations with industry are planned together with other initiatives to ensure coordinated efforts and explore all possible synergies.”

Europol added in a statement, “Crime scenes are changing because of the IoT: data from connected doorbells, cameras, thermostats, fridges, etc. can provide useful and crucial evidence.”

“The necessary forensic techniques and training will need to be used to safeguard this data.”

“Big data collected by IoT devices, for example for facial recognition from camera images after a major incident, will become an integral part of a criminal investigation but also require the necessary means to protect the privacy of citizens”.

In order to address the challenges and lay the foundation for IoT security, ENISA provided Base Security Recommendations for IoT to ensure common understanding and interoperability in the field of IoT cyber security.

Device manufacturers and users of IoT devices and systems may use these guidelines as a checklist against which to test their IoT security solutions. For this purpose, an interactive online resource has also been created that can be used to define one’s own risk model and to identify specific security measures to discourage, secure and prevent related threats.

Building on this work, ENISA reported that it will publish a new report on Best Practices for IoT Safety with a focus on Industry 4.0 and Smart Manufacturing by the end of November.

Wil van Gemert, Deputy Executive Director of Operations for Europol, said, “The law enforcement authorities must have the resources, skills and expertise to investigate the illegal misuse of IoT. Together with our partners, we have a leading role in going beyond increasing cyber security and IoT resilience as we can make a specific contribution to deterrence.

“The complexity of IoT and its resulting cybersecurity challenges call for a holistic, smart and agile approach. As IoT is now a present reality as opposed to a futuristic concept, the necessity to have this multi-stakeholder conference to put cybersecurity at the heart of the IoT ecosystem is self-evident”, Gemert added.

ENISA’s Head of Core Operations Department, Steve Purser said, “It is important and essential to collaborate because cybersecurity is a shared responsibility and that is never more true in the IoT domain.”

“This joint conference is an excellent example of these much-needed multi-disciplinary dialogues.

“The benefits and opportunities that IoT brings are numerous and of paramount significance for the entire society. It is our duty to ensure that this is done in a secure, safe and reliable manner.”

Purser added, “IoT security is a prerequisite for a secure and safe connected digital society.

“The time to act for Internet of Things security is now. I welcome the collaboration with Europol, and I am confident that such joint efforts contributing to ensuring IoT security for all.”