Is it possible to introduce an IoT device that can authenticate its user, can encrypt and decrypt transmitted and received data, and deliver or verify the proof of integrity, yet still be considered an insecure device?
In their study released in December 2018, the organization found that there are no significant standards gaps for IoT security protocols – every requirement can be met by an existing standard which exists for the many different elements of making a device, service or system secure. However, IoT actually refers to a complete ecosystem of more than just devices and services, and one in which scalability and interoperability considerably complicate the environment. Therefore, if the security protocols inherent in the device or service are not considered holistically, it is possible to deliver an insecure device to the market, even if it meets all of the existing individual security standards.
As the analysis suggests, a gap in standards exists only insofar as it is unclear what combination of standards, when applied to a product, service or system, will result in a recognizably secure IoT. The challenge for regulators and suppliers, of course, is to bring only secure IoT devices to the market and this requires a different approach, which will have to be flexible enough to accommodate for the nature of the dynamic IoT ecosystem.
The primary conclusion of the study is that standards are essential but not sufficient to ensure open access to markets. In the particular case of security, a large number of processes as well as technical standards have to be in place to ensure that any device placed on the market is assuredly secure.
Whereas a checklist of IoT security requirements and its mapping to specific standards can serve as a springboard towards holistic and effective IoT security, the report notes that the complexity of the IoT ecosystem calls for more flexible approaches. Not only are the underlying technological challenges calling for adaptive, context- and risk-based solutions, but also the IoT market constraints have to be taken into account, so as not to hamper competitiveness and innovation.
Ultimately, the processes recommended in the analysis are intended in part to engender a change in attitude towards device security by making secure IoT the only form of IoT that reaches the market and to give confidence to the market through a combination of certification, assurance testing & validation, and market surveillance.
If you are involved with implementing secure IoT devices, products and services, I think you will find this investigation to be interesting reading. The complete report is available for download by ENISA.