LIVE FROM MOBILE 360 SECURITY FOR 5G, THE HAGUE: Keynote speakers discussed the challenges of securing the IoT, with device makers a key focus in terms of ensuring products are safeguarded at the point of manufacture.

So-called security by design was cited as a critical element in protecting what Evangelos Ouzounis, head of EU cybersecurity agency ENISA’s secure infrastructure and services unit, said is a potentially “huge” attack surface in terms of the sheer number of IoT devices.

He pointed to sectors including transportation, medical and even consumer devices as areas of concern, noting “security isn’t a big priority” for many small sensor and device manufacturers, particularly those at the start-up stage which are keen to keep production costs down.

“We encourage the companies to become better, to actually invest more on security,” he said. However, he acknowledged it can prove difficult for companies to implement such moves due to a lack of guidelines and directions regarding what security should look like.

For the manufacturers of consumer IoT devices, there is a clear incentive to work with bodies like ENISA to establish that direction. In a separate presentation during the session, PA Consulting principal consultant Leo Whyte highlighted a growing reluctance among consumers to buy connected devices due to security concerns.

Whyte also argued the case for security by design, noting it is a means to increase the credibility of IoT: “Enterprise clients and telcos, the two need to come together if we’re going to foster wide-scale IoT”.

Later in the session, Jose Ramon Monleon Martinez, corporate CISO at Orange Spain, called for harmonisation of the certification processes to ensure the sheer multitude of devices connecting to operator networks are secure.

“We need one entity, one certification, something that helps us in all of this work”, he said, adding that operators are increasingly exposed to threats because many devices that can be bought independently connect to, and so could impact the security of, the network.

Beyond design
Security by design is a key starting point, but Ouzounis explained there are several other factors needed to protect the IoT. Customers require help on how to update the firmware on devices to ensure vulnerabilities are kept in check, while the industry must address a skills shortage in terms of staff with the ability to take a holistic view of IoT and security.

“There are issues with the liabilities as well,” he noted, pointing to IoT sensors and devices deployed in mission critical services. He added technology sometimes fails and, if it does, it must be clear who is liable.