EU security think tank ENISA looks for IoT security, can't find any
Proposes baseline security spec, plus stickers to prove thing-makers have complied
European network and infosec agency ENISA has taken a look at Internet of Things security, and doesn't much like what it sees.
So it's mulling a vendor's nightmare that the US and UK dared not approach: security regulation - at least the minimal regulation of testing and certification.
In a position paper published Monday, the group says there is “no level zero defined for the security and privacy of connected and smart devices,” no legal guidelines for IoT device and service trust, and no “precautionary requirements in place.”
In other words, to readers familiar with the woe The Register has chronicled over the years, it's an Internet of S**t.
The paper reckons IoT security needs bottom-to-top baseline requirements, from simple devices all the way up to complete systems (it cites connected cars and factories as examples of the latter).
Proposals in the paper include European Baseline Requirements for Security and Privacy (currently under development by the Alliance for the Internet of Things Innovation, AIOTI), and the introduction of an EU “Trust Label” for IoT devices.
Also on the top-priority list:
- Standards and certifications – as well as the baseline, this includes interop testing, mandatory reference levels for trusted IoT solutions, the scalability of security controls and more;
- Security processes and services need to be evaluated and “adapted to IoT”.