The rapid expansion of the so-called “Internet of Things” (IoT) in social and economic life has created new challenges for ensuring the security and safety of IoT networks, devices and applications.
The aims of IS3C’s Working Group 1 (WG1) are twofold: 1) to review current security-related IoT initiatives and practices and assess the degree of readiness of existing technical and management solutions that affect the design of systems with built-in security by default; 2) to develop a coherent package of global recommendations and guidance for embedding security by design in the development of IoT devices and applications.
The objectives, projected outcomes, key tasks, and timeframe for its work plan are set out in its Mission Statement, published in June 2021 and accessible at: https://www.intgovforum.org/en/filedepot_download/3737/2589. WG1’s membership grew in 2021 to include a diverse range of experts from different geographic regions and organisations.
Working relationships have also been established with specific initiatives including the IoT CyberSecurity LAC (Latin America and Caribbean) Working Group, which is mapping national initiatives regarding certification, homologation, and regulation of the commercialisation of IoT devices in the region, and ISOC’s IoT Special Interests Group (SIG).
WG1 is also in discussion with the Tech Accord concerning its work to identify the challenges in designing and implementing secure IoT systems. In its first phase of work in early 2021, WG1 reviewed existing research materials and collated information about: a) current approaches to IoT standards deployment; and b) local, national and regional experience in the implementation of IoT standards.
Analysis of this data concluded that the factors which weaken the security and safety of IoT networks and devices are:
- gaps in the architecture of the IoT;
- competing protocols;
- poor or deficient security specifications;
- lack of effective identification management;
- the general need for a basic trust model in the IoT environment.
In its second phase of work, the members conducted a survey to better understand the aims of different stakeholder groups regarding IoT security and collated data on existing IoT security-by-design initiatives, guidelines, current security practice and any relevant regulations. Analysis of the 67 responses received showed that the main concerns were unauthorised access to private IoT data, lack of supporting regulation and insufficiency of cyber protection rules. There were very few concerns about the impact of restrictive regulations.
With regard to identifying the priority policies for improving IoT security-by-design, the survey showed general support for prioritising standardisation and education. A common theme in the responses was concern about the absence of strategies for predicting the behaviour of new security threats to IoT networks, an important consideration for security-by-design strategies that defend against new threats.
Most of the initiatives identified by respondents related to developing standards or best practice (56%), technical development tools (36%) and capacity building (31%).

Next steps

WG1’s third phase of work in 2022 will focus on the differing assessments of security threats to IoT networks, devices and applications, held by stakeholder constituencies, including suppliers, users and academia. Further outreach to more diverse stakeholder communities will be undertaken.
A general goal for the WG is to expand and increase the diversity of the membership through outreach, awareness-raising and personal networking. For example, outreach to relevant working groups of ICANN and its Office of the Chief Technology Officer (OCTO), the Internet Engineering Task Force (IETF) and the Institute of Electrical and Electronics Engineers (IEEE) is also planned for 2022. To achieve this body of work, WG1 has announced a research proposal that will be made public in February 2022.
This will include in-depth categorization and analysis of IoT certification requirements relating to security, and IoT network capacity-building programmes. The goal is to define a set of global recommendations and guidance for embedding security by design in the development of IoT devices and applications. The report is to be presented at the IGF 2022.