A conference is a great way to stay informed on trends and developments in the cybersecurity field. My friend and colleague David Bisson compiled for Tripwire a list of 19 security conferences you shouldn’t miss during 2020.
However, in this post, I am not going to discuss future conferences. Instead, I will reflect on the 3rd ENISA – Europol IoT Security Conference, that took place in October 2019, in Athens, below the glorious and magnificent Acropolis.
Together ENISA, the European Union Agency for Cybersecurity and Europol, the EU Agency for Law Enforcement Cooperation, successfully organize this annual IoT Security Conference which aims at examining the evolution of IoT security and how to implement adequate security measures.
During the last conference, the topics discussed included also Artificial Intelligence (AI) – since the adoption of IoT and emergence of AI has raised many new legal, policy and regulatory challenges, broad and complex in scope. For these reasons, Europol and ENISA are jointly organizing this event, facilitating discussion among all interested parties on ways to address the security challenges of IoT and AI and to combat the criminal abuse of such technologies – ultimately making cyberspace a safer place for all.
And there is a good reason for raising awareness about IoT and AI security. Over the past few years, high-profile IoT attacks have made media headlines such as the hacking of pacemakers and smart toys for kids. In addition, AI algorithms have been manipulated, leading to erroneous decision-making such as spoofing of traffic lights and false image recognition. With IoT technologies, the digital and the physical worlds are coming together. Cars, medical devices, factories and energy plants are all becoming increasingly interconnected, creating new types of threats against critical infrastructure.
Who I Met?
Before going into the details of what I heard during the conference, I would like to say that I had the pleasure and honor to meet some prominent security and privacy professionals, whom I knew only from my LinkedIn contacts. First, I had the chance to discuss briefly with Dr. Evangelos Ouzounis, Head of Unit, Secure Infrastructure Service at ENISA, the need to include in the school curriculum subjects for raising the technology-related soft skills of the students. It is important to invest in every country’s future if we are to create a cybersecurity culture.
In addition, I had the pleasure to discuss with NIST’s Greek-born Katerina Megas, who is the Program Manager for developing good practices and recommendations for securing IoT. She is the mastermind behind the recent NISTIR 8228 and NISTIR 8259 publications.
I was also lucky enough to meet and exchange valuable ideas with the following:
- Athanasios Kosmopoulos, Data Protection Officer (DPO) at the Greek Ministry of Digital Governance
- Vasilis Vasilopoulos, Data Protection Officer (DPO) at the Hellenic Broadcasting Corporation (ERT)
- Christos Syggelakis, DPO at Motor Oil, the biggest oil refinery in the Balkans
- Andriani Stavrianopoulou, Program Manager at Nokia Software – Core Engineering
- Ayman Khalil and Roland Atoui of the Red Alert Labs, a highly specialized French company in IoT security
- Constantinos Tsiourtos, a security and privacy professional from Cyprus, a close friend of mine and member in many EU working groups promoting cybersecurity and privacy.
What I Heard
Risks, Threats and Challenges
Kicking off the conference, Dr. Ouzounis provided a big picture overview of technology developments. IoT, AI, 5G networks and cloud computing are all part of the same ecosystem. IoT devices collect sensory data, which are then fed into AI processors. The IoT generated data and the outcomes of AI processors are transmitted via 5G networks and stored or further processed in cloud environments. Therefore, risks and threats of one component of this evolving and expanding ecosystem, are risks and threats to the whole ecosystem. The findings of recent surveys highlight the importance of mitigating these risks and threats:
- 85% of the surveyed companies have adopted IoT
- 84% of the IoT adopters have experienced breaches
- 51% of the companies employing AI think that cybersecurity is a major concern
- 54% expect AI cyber-attacks in the near future
To mitigate these risks, Dr. Ouzounis said that we need to overcome certain IoT security challenges, with the most notable being fragmentation of good practices and unclear liabilities.
“While AI is used to augment cybersecurity, there are risks and challenges to be met,” stated Philipp Amann, Head of EC3 Strategy at Europol. These risks and challenges are:
- Algorithmic black box
- AI governance, including data governance
- An ethical data privacy framework
- The inevitable human involvement
- The use of AI in law enforcement
Frameworks, Standards, and Top 10 Lists
It is therefore apparent that a regulatory framework needs to be in place. Many national, international or transnational organizations are working towards this. However, the overarching sense is that there is a fragmentation of efforts and a lack of a binding framework. Maybe this is why Steven Pattinson, Chairman of the IoT Security Foundation, said that we need to “Make it easy” and that “We are better together.” According to Pattison, the biggest challenge is the polarization of policies in two poles: the US and China.
One of the organizations working hard towards developing IoT security requirements is NIST. Katerina Megas, Program Manager for IoT Cybersecurity at NIST, said that “to mitigate the IoT risks, the cybersecurity frameworks need to be based on three pillars”:
- Protect Device Security
- Protect Data Security
- Protect Individuals’ Privacy
So far NIST has developed publications: NISTIR 8228, Considerations for Managing IoT Cybersecurity and Privacy Risks, and NISTIR 8259 (draft), Core Cybersecurity Feature Baseline for Securable IoT Devices.
In Europe, the UK government has developed the Code of Practice for Consumer IoT Security, which aims at supporting all parties involved in the development, manufacturing and retail of consumer IoT including a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world. In Germany, the specification DIN SPEC 27072 contains minimum requirements for connected IoT devices within the small business-home environment. Further, the European Telecommunications Standards Institute (ETSI) has published the Technical Specification ETSI TS 103 645, Cyber Security for Consumer Internet of Things, with the goal of establishing a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.
For European actors, it was apparent that the plethora of various “specifications” would result in IoT devices having interoperability problems. Therefore, ETSI, with the support of various agencies, such as NCSC, undertook the responsibility of harmonizing all these frameworks to produce a pan European standard. The draft ETSI EN 303 645 is now in the approval phase and is expected to be published in autumn 2020.
Apart from international agencies, other organizations have also developed their own frameworks. The IoT Security Foundation has developed and presented its IoT Security Compliance Framework, which helps to translate security aims into easy operational tasks. In addition, IoTSF have published many best practice guidelines, which are accessible through their respective page. Furthermore, the Cloud Security Alliance have published their IoT Security Controls Framework, which introduces the base-level security controls required to mitigate many of the risks associated with an IoT system operating in a range of threat environments.
Since 2014, on top of these frameworks, OWASP launched its IoT Project, which is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things. As Aaron Guzman pointed out in his presentation, the project also enables users in any context to make better security decisions when building, deploying, or assessing IoT technologies. As part of this project, OWASP is publishing the IoT Top 10, which is a list of Top ten things to avoid when building, deploying, or managing IoT systems.
PKI4 IoT: An Interesting Research
Shahid Raza of the RISE Research Institute in Sweden and a member of the EU funded CONCORDIA project presented a very interesting approach to applying “zero-touch” security for IoT devices. The research builds on the structure of Public Key Infrastructure (PKI) which is the state-of-the-art credential management solution on the Internet. However, PKI cannot be used with constrained devices, such as IoT devices, because it “is built on a set of protocols which were not designed for constrained environments, and as a result many small, battery-powered IoT devices lack the required computing resources.” The RISE research team developed “an automated certificate enrollment protocol light enough for highly constrained devices, which provides end-to-end security between certificate authorities (CA) and the recipient IoT devices.” In addition, the researchers designed “a lightweight profile for X.509 digital certificates.” As a result, Certificate Authorities (CAs) can now issue traditional X.509 to IoT devices, which are then converted to and from the lightweight format by edge devices on constrained networks.
The results of this research showcase that fully functional PKI can be used with IoT deployments. “For maximum impact and interoperability across different vendors we are pushing both enrolment and lightweight certificates as standards in IETF, where the enrolment protocol draft is close to being accepted as an official RFC,” concludes Raza. The research paper is available for free here: PKI4IoT: Towards Public Key Infrastructure for the Internet of Things.
AI and Cybersecurity
As I mentioned at the beginning of this post, AI was the newcomer of this conference. In fact, there were two interesting presentations pinpointing the connection between AI and cybersecurity. Andreas Kind, Head of Cybersecurity Technology at Siemens, articulated that “when industry meets security, it needs AI. When industry meets AI, it needs security.” He said that AI supports industrial security for malware protection and anomaly detection, to perform platform integrity protection, to improve hardening against side-channel and fault attacks and for monitoring and detection of cyber-physical attacks. On the other hand, security protects AI applications by preserving their integrity and trustworthiness, and by defending against adversarial AI attacks.
The same concept, AI and cybersecurity, was introduced by Dr. Ignacio Sanchez, a Scientific Expert at European Commission’s Joint Research Center. Dr. Sanchez based his presentation on the EU flagship report “Artificial Intelligence: A European Perspective.” According to the report, the convergence of AI and cybersecurity presents four angles of influence:
- AI to create smarter cybersecurity: more effective security controls
- Robustness/Vulnerabilities of AI algorithms: adversarial machine learning, attacks against AI powered cyber-physical systems
- Misuse of AI: the creation of deep fakes, AI-powered malware, smarter social engineering attacks
- Use of AI to fight cyber attackers and criminals: smarter forensics, fraud analysis
Top Security Mantra
“We are drowning in technology. We are not becoming more secure” – Gianluca Varisco, CISO at Arduino
Overall, attending the ENISA – Europol IoT Security Conference was an enlightening and fruitful experience. The only disadvantage I saw was the lack of interaction between the speakers and the audience which would have created a livelier conference and if adopted in the future, would foster debates on many interesting topics. I am looking forward to attending the next version of the conference and to meet many more distinguished security professionals.