Wrap-up of the 2nd ENISA IoT Security Conference

Alexis Duque
Published in Rtone IoT Security
6 min read · Nov 15, 2018

Introduction

Last month, I attended the 2nd ENISA IoT Security Conference, which took place at the Europol headquarters in The Hague (NL) on October 25th and 26th.

The Europol main building in The Hague.

This two-day event brings together, in one place, representatives of governmental organizations, security consultants, leading industry players and researchers to discuss the security challenges raised by IoT applications in Industry 4.0, connected cars, aerospace and the smart home, as well as emerging IoT trends such as artificial intelligence (AI) and digital forensics.

Day 1

The first morning was dedicated to introductory talks by ENISA, Europol and European Commission representatives.

All the speakers agreed that ensuring security and privacy across the end-to-end IoT value chain is a major challenge, especially once the whole IoT product lifecycle (from design through deployment to decommissioning) is taken into account.

Miguel Gonzalez-Sancho-Bodero, Head of the Cybersecurity Technology and Capacity Building Unit at the European Commission (EC), announced that under the Digital Europe programme the EC “will invest €2 billion into boosting cybersecurity industry, financing state-of-the-art cybersecurity equipment and infrastructure”. This confirms that there are many cybersecurity initiatives under way, and IoT is of course among the main concerns.

Photo credit to @EC3_Europol.

Steve Purser, Head of the Core Operations Department at ENISA, said that we must find “a pragmatical and economically viable solution for IoT security”. Such solutions have to “put more emphasis on processes and people, and not only on technology.” After publishing its Baseline Security Recommendations for IoT last year, ENISA will now develop “vertical” guides, starting with the industrial sector, and will provide a web tool to navigate all of these guides.

The ENISA Baseline Security Recommendations for IoT interactive tool is publicly accessible on the ENISA website.

After the lunch break, the afternoon session welcomed speakers on the following topics:

  • Practical steps towards better IoT security and privacy
  • Security in digital manufacturing
  • Securing IoT and Industrial IoT
  • The network vector attack in the Industrial IoT
  • Smart City security
  • DDoS attacks

Jay Thoden van Velzen, from SAP, started the session by giving his point of view on potential ways to secure the Industrial IoT (IIoT).

David Puron, from Barbara IoT, talked about network attack vectors in the IIoT, demonstrating how simple it is to attack an industrial control system (ICS) or a programmable logic controller (PLC). He reminded us that in 2018 it is still easy to reach unprotected PLCs directly from the Internet: many exposed IIoT devices can be found with Shodan, the popular search engine for Internet-connected devices (it indexes service banners rather than scanning for vulnerabilities), which also provides an ICS Radar map of exposed industrial systems.
This is seriously alarming and needs to be taken into account both when designing an IoT architecture and when shaping policy.
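To make the “simple to attack” point concrete, here is an added example, written for this wrap-up and not code from the talk or from Barbara IoT, that encodes and decodes Modbus/TCP, the most widespread PLC protocol, which listens on TCP port 502. The frames below are constructed, not captured from a real device. The point to notice is that every field is visible and none of them carries a credential or an integrity check: anyone who can reach the port can read and write registers.

```python
import struct

MODBUS_TCP_PORT = 502          # well-known port; no TLS, no credentials in the protocol
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06


def mbap_frame(transaction_id, unit_id, pdu):
    """Prefix a Modbus PDU with the 7-byte MBAP header used over TCP.

    Header fields: transaction id, protocol id (always 0 for Modbus),
    length (unit id + PDU), unit id. There is no field for a credential
    or a message authentication code anywhere in the frame.
    """
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers_request(transaction_id, unit_id, address, quantity):
    """Build a Read Holding Registers (FC 3) request; 12 bytes in total."""
    if not 1 <= quantity <= 125:           # per-request limit from the Modbus spec
        raise ValueError("quantity must be 1..125")
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, address, quantity)
    return mbap_frame(transaction_id, unit_id, pdu)


def write_single_register_request(transaction_id, unit_id, address, value):
    """Build a Write Single Register (FC 6) request.

    One unauthenticated 12-byte frame like this is enough to change a
    setpoint on any PLC that is reachable on port 502.
    """
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value)
    return mbap_frame(transaction_id, unit_id, pdu)


def parse_response(frame):
    """Decode a Modbus/TCP response into a dict, validating the MBAP header."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("not a Modbus protocol id")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    result = {"transaction_id": transaction_id, "unit_id": unit_id}
    if function & 0x80:                    # exception response: FC with the high bit set
        result.update(function=function & 0x7F, exception_code=frame[8])
        return result
    result["function"] = function
    if function == FC_READ_HOLDING_REGISTERS:
        byte_count = frame[8]
        data = frame[9:9 + byte_count]
        if len(data) != byte_count or byte_count % 2:
            raise ValueError("bad register payload")
        result["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), data))
    elif function == FC_WRITE_SINGLE_REGISTER:
        # A write response simply echoes address and value back.
        result["address"], result["value"] = struct.unpack(">HH", frame[8:12])
    else:
        raise ValueError("unsupported function code 0x%02x" % function)
    return result


# Constructed sample frames (not captured from any real device):
# a PLC answering a read of three holding registers with 100, 200, 300 ...
SAMPLE_READ_RESPONSE = bytes.fromhex("000100000009010306006400c8012c")
# ... and rejecting a write with exception code 02 (illegal data address).
SAMPLE_EXCEPTION_RESPONSE = bytes.fromhex("000200000003018602")

if __name__ == "__main__":
    print(read_holding_registers_request(1, 1, 0, 3).hex())
    print(write_single_register_request(2, 1, 0x10, 0x1234).hex())
    print(parse_response(SAMPLE_READ_RESPONSE))
    print(parse_response(SAMPLE_EXCEPTION_RESPONSE))
```

Run as-is it only prints the encoded requests and the decoded sample responses. Sending the write frame to a real PLC changes a live process value, so only do that on hardware you own. The practical mitigation is the one the talk implies: keep PLCs off routable networks, put a firewall or protocol-aware gateway in front of them, and check your own address space on Shodan (or with your own scanner) for TCP/502 and the other ICS ports before an attacker does.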

The next talk focused on smart city security. According to the speaker, Andreas Kuehn, from the EastWest Institute, “the extensive use of ICT and increased adoption of IoT smart cities have caused warning bells to go off.”

Finally, the last speaker of the day, Rien Jansen, advisor at the Netherlands High Tech Crime Team, presented the NoMoreDDoS initiative to fight cybercrime and DDoS attacks.

The NoMoreDDoS project is based on five pillars: public-private partnerships, improved digital investigation, information and knowledge, outreach, and alternative interventions. It relies on a dedicated platform, a reporting tool and dedicated means to improve forensics.
Jansen wants national police forces to go further and deeper in fighting cybercrime and to make attribution a reality.

To close the first day, all attendees were invited to a networking cocktail in the Europol Winter Garden.

Photo credit to @EC3_Europol.

Day 2

The second day started with David Rogers, who introduced the new DCMS Code of Practice for consumer IoT security. A code of practice aimed at consumers is in progress. This work is the result of a collaboration between universities and industry. Rogers said: “the current situation is not acceptable and we are considering regulatory options”.

The Code of Practice sets out 13 outcome-focused guidelines, of which the first three (no default passwords, a vulnerability disclosure policy, and keeping software updated) are prioritized. Each one is mapped against existing standards (100+ from 50+ organizations); the mapping for each guideline is available at IoT Security Mapping. HP and Hive have already made a public commitment to implement the Code of Practice, and an ETSI draft based on it is known as DTS/CYBER-0039.

The next two talks discussed security considerations in smart factories and connected vehicles. Adrien Bécue spoke about smart manufacturing security at Airbus, while Alain Filipowicz presented Continental's ongoing projects in the field of smart and connected cars.

CyberFactory projects at Airbus
The security assessment tools being deployed at Continental

During his talk, Tony Geen, from Pen Test Partners, demonstrated how a smart home can be compromised by giving some examples of vulnerable devices:

  • A smart kettle that leaks the Wi-Fi password: by disassembling the kettle, locating its Wi-Fi module, connecting to the module's UART pins and sending AT commands, an attacker can retrieve the SSID and password of the home Wi-Fi network.
  • Hardcoded credentials in the August door lock APK.
  • A Bluetooth Low Energy (BLE) padlock that uses its own MAC address as the password, even though the MAC address is broadcast in every BLE advertisement.
  • Another BLE padlock, this time with “strong encryption”, that can simply be opened with a screwdriver.

Finally, he gave his point of view on IoT regulation: “[..] regulation must be mandatory”.

Hardcoded credentials in an Android application (APK) and regulation wishlist according to Tony Geen.
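Of the four device flaws above, hardcoded credentials in the companion app are the easiest to catch before release. The following is an added example (my own, not Pen Test Partners' tooling) of a quick triage scan over an APK: it walks the zip archive, pulls printable strings out of the dex bytecode, resources, assets and native libraries in both UTF-8 and UTF-16LE (compiled Android resources store strings as UTF-16), and matches them against a few secret patterns. The APK it scans is built in memory from constructed data; the hostnames, access key and passwords in it are made up.

```python
import io
import re
import zipfile

# Patterns for secrets that should never ship inside a client application.
SECRET_PATTERNS = {
    "basic_auth_in_url": re.compile(r"https?://[^\s/:@]+:[^\s/@]+@"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[=:]\s*['\"]?[^\s'\"]{4,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

ASCII_STRING = re.compile(rb"[\x20-\x7e]{6,}")
UTF16LE_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Archive members worth scanning: dex bytecode, compiled/raw resources, assets, native libs.
SCANNED_SUFFIXES = (".dex", ".xml", ".json", ".properties", ".txt", ".so")
SCANNED_PREFIXES = ("assets/", "res/raw/")


def extract_strings(data):
    """Yield printable strings from a binary blob.

    Dex string constants are (modified) UTF-8, while compiled Android resources
    and binary XML commonly store UTF-16LE, so both encodings are tried.
    """
    for match in ASCII_STRING.finditer(data):
        yield match.group().decode("ascii")
    for match in UTF16LE_STRING.finditer(data):
        yield match.group().decode("utf-16-le")


def scan_apk(apk_bytes):
    """Return (member name, pattern label, matched string) for every hit in the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.endswith(SCANNED_SUFFIXES) or name.startswith(SCANNED_PREFIXES)):
                continue
            for text in extract_strings(apk.read(name)):
                for label, pattern in SECRET_PATTERNS.items():
                    if pattern.search(text):
                        findings.append((name, label, text))
    return findings


def build_sample_apk():
    """Build an in-memory stand-in for an APK (an APK is a zip archive).

    Constructed data only: the hosts use the reserved .invalid TLD and the
    key and passwords are made up. Real dex and resource files are far more
    structured, but their string payloads look like this to a byte-level scan.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join([
            b"https://api.example.invalid/v1",
            b"password=SuperSecret123",
            b"AKIAABCDEFGHIJKLMNOP",
        ]) + b"\x00")
        apk.writestr("assets/config.properties",
                     b"api.endpoint=https://svc.example.invalid\n"
                     b"legacy.url=https://admin:hunter22@svc.example.invalid/\n")
        apk.writestr("res/layout/login.xml",
                     b"\x03\x00\x08\x00" + "password: letmein99".encode("utf-16-le") + b"\x00\x00")
        apk.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, label, text in scan_apk(build_sample_apk()):
        print(f"{member}: {label}: {text}")
```

A byte-level string scan is a first pass, not a substitute for decompiling: it will miss secrets that are split across constants, obfuscated or assembled at runtime, and it tells you nothing about whether the endpoint actually accepts the credential. It is cheap enough, though, to run on every release build, and any hit should be treated as a finding until shown otherwise.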

Then Ian Smith, IoT Security Director at the GSMA, introduced the GSMA IoT Security group and its contributions to addressing IoT security challenges. The group has published a set of security guidelines and a self-assessment checklist for manufacturers, both accessible through the GSMA IoT Security website.

Finally, the day ended with talks on artificial intelligence, digital forensics and blockchains for the IoT.

Conclusion

For the second year in a row, ENISA and Europol joined forces to gather leading experts from the private sector, law enforcement and the cybersecurity community to discuss IoT security challenges. The talks addressed topics and IoT application domains with concrete case studies from the smart factory, automotive, aerospace and smart home industries. Emerging IoT trends such as artificial intelligence and digital forensics were also discussed. These challenges, whether legal, policy or regulatory, need to be addressed across different sectors and stakeholders.

According to Europol, the main conclusions of the conference are the following:

  • Security should not be an afterthought when designing systems and IoT systems are no exception.
  • Implementing security does not need to be complicated. As the ENISA report shows, baseline security recommendations for IoT were made accessible via an interactive online table. This allows for easy access to specific good practices.
  • Law enforcement needs to be in a position to go beyond defense and incident response by being able to investigate and prosecute the criminals abusing connected devices.
  • There is a need to discuss digital forensics in regard to IoT and the importance of data and privacy protection, considering the amount and different categories of data collected by the IoT.
  • Multi-disciplinary dialogues are needed. ENISA and Europol are working closely together to inform key stakeholders of the need to be aware of the cybersecurity and criminal aspects associated with deploying and using these devices.
  • In 2019 and beyond, practical and economically viable security solutions are needed.
  • ENISA will be working on an automotive IoT case study and stronger collaborations with industry are planned.
