In November 2017, the European Union Agency for Network and Information Security (ENISA) published “Baseline Security Recommendations for the Internet of Things in the context of critical information infrastructures”.
The main aim of the study is to offer IoT security advice for organisations in Europe by taking into consideration factors such as the complexity of critical assets, existing cyber threats and solutions for the protection of systems such as IoT.
Kaspersky Lab, as a member of the ENISA IoT Security Experts Group (IoTSEC), was involved in the creation of the report by providing expert recommendations.
According to Kaspersky Lab research, incidents involving non-computing connected devices are among the top-three incidents with the most severe financial impact, both for SMB and enterprise organisations.
To respond to today’s growing prevalence of IoT threats and consolidate industry cybersecurity expertise, ENISA gathered a group of first-rate panelists from some of the leading market players, including Kaspersky Lab experts, to prepare expert advice for the protection of critical infrastructure. Within the ‘Baseline Security Recommendations for IoT’ report, the agency has issued policy measures for EU institutions, IoT hardware manufacturers and software developers.
“Kaspersky Lab has vast expertise in the field of critical infrastructure security. We believe that our contribution to ENISA’s IoT security recommendations will help organisations develop more efficient cybersecurity strategies and help policy makers establish highly relevant regulations to fully face up to modern cyber threats,” adds Andrey Doukhvalov, head of future technologies and chief strategy architect at Kaspersky Lab.
Kaspersky Lab IoTSEC experts shared their recommendations on two fronts — for EU policy-makers and IoT hardware and software developers. In terms of the key security considerations for EU policy-makers, Kaspersky Lab experts recommend the following:
* Focus on sector-specific recommendations, guidelines and certification requirements rather than on holistic approaches;
* Standardise across the EU and deliver EU-wide IoT terminology and taxonomy for international cybersecurity standards;
* Cooperate actively with industry and involve the private sector in policy-making by using existing industrial associations and groups such as AIOTI;
* Establish a layered defense system against cybersecurity threats, as this is highly relevant for IoT devices.
For those who work directly with IoT systems, Kaspersky Lab experts advise that the following steps be taken to improve security:
* Ensure that all employees have up-to-date knowledge and skills in cybersecurity and that they are constantly tested;
* Ensure data interoperability with a reliable and automatic patching system. IoT hardware manufacturers and software developers need to adopt cyber supply chain risk management policies and communicate cybersecurity requirements to their suppliers and partners;
* Conduct a code review during the implementation process to reduce the number of bugs in the final version of a product, while also identifying any malware input or authentication bypass attempts.