Rob Van Kranenburg
Director, IoT Council
In the recently published The Cybersecurity Aspects of New Entities Need a Cybernetic, Holistic Perspective we propose a holistic perspective, distributing security at two points: at the device level and a moral movement at a societal level. (https://doi.org/10.46386/ijcfati.v2i1.36)
Europe is at a critical crossroads in the battle to ensure strong security of IoT devices that protect user data and ensure integrity. Now is the time for industry and government bodies to work together for the better good of society and the growing IoT segment’s future stability. The world is watching and wanting to trust that the right steps will be made.
It is becoming all the more urgent as the IoT — and what your objects are saying about you — is becoming as relevant to who you are as the wallet full of credentials that you will be showing. Device manufacturers, companies selling IoT devices and government regulators all have a role in ensuring device identity, authentication, integrity and data encryption using PKI certificates are adopted to protect users, without compromise.
In Europe, we have lost control over infrastructure (privatized) and data platforms (GAFA), and are rapidly losing agency on AI, as it has no data lakes and worse, no broad vision on the digital transition. Of course, both the United States and Europe would do better if they were to build their own cybernetic systems, taking firm control over identity (of humans, goods, objects and robots). The EU has rapidly developed a multi-level cybersecurity policy and this policy should be one of the major references for problem-solving in the current IoT world.
This may mean that existing devices will need to be monitored by some form of agency. Ideally, security tests and the education of the market will take place at the moment the device is tested for the CE mark, which indicates conformity with requirements in the EU: “To place a CE Mark on electrical products to be legally sold on the European Market, a manufacturer has to be able to demonstrate compliance with the applicable EU regulations and directives including: the Low Voltage Directive (LVD) 2014/35/EU; Machinery Directive 2006/42/EC; Medical Devices Directive (MDD) 93/42/EEC; and In-vitro Diagnostic Medical Devices Directive (IVDD) 98/79/EC.”
Similarly, we need to give any device in an IoT ecosystem a unique identity. This is a necessary step to create a layer of IoT security and control the risks, especially those associated with IoT deployment in home area networks and in public infrastructures. Such an identity can make these devices identifiable when they come online and improve the security of the use of the IoT devices within service chains, thus improving both cybersecurity and end-user’s privacy. These identities do not need to be persistent, but on the contrary, must be designed as ephemeral or disposable to avoid systematic tracking of the device and of the owners of the device, but they should become regulated, accepted and widely used. They will obviously be based on the use of standardized digital certificates that will ensure proper authentication, transparency and authorization efficiency, and encryption.