Guide: Security measures for IoT product development

The European Union Agency for Cybersecurity (ENISA) released its Guidelines for Securing the IoT, which covers the entire IoT supply chain – hardware, software and services.

guide security iot

Supply chains are currently facing a broad range of threats, from physical threats to cybersecurity threats. Organisations are becoming more dependent than ever before on third parties.

As organisations cannot always control the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity. Today, organisations have less visibility and understanding of how the technology they acquire is developed, integrated and deployed than ever before.

“Securing the supply chain of ICT products and services should be a prerequisite for their further adoption particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT,” said Juhan Lepassaar, Executive Director, ENISA.

In the context of the development of the guidelines, ENISA has conducted a survey that identifies the existence of untrusted third-party components and vendors, and the vulnerability management of third-party components as the two main threats to the IoT supply chain. The publication analyses the different stages of the development process, explores the most important security considerations, identifies good practices to be taken into account at each stage, and offers readers additional resources from other initiatives, standards and guidelines.

As in most cases pre-prepared products are used to build up an IoT solution, introducing the concept of security by design and security by default is a fundamental building block to protect this emerging technology. The agency has worked with IoT experts to create specific security guidelines for the whole lifespan of IoT devices.

These guidelines to help tackle the complexity of IoT focus on bringing together the key actors in the supply chain to adopt a comprehensive approach to security, leverage existing standards and implement security by design principles.

NIST guide to help orgs recover from ransomware, other data integrity attacks

The National Institute of Standards and Technology (NIST) has published a cybersecurity practice guide enterprises can use to recover from data integrity attacks, i.e., destructive malware and ransomware attacks, malicious insider activity or simply mistakes by employees that have resulted in the modification or destruction of company data (emails, employee records, financial records, and customer data).

guide recover ransomware

About the guide

Ransomware is currently one of the most disruptive scourges affecting enterprises. While it would be ideal to detect the early warning signs of a ransomware attack to minimize its effects or prevent it altogether, there are still too many successful incursions that organizations must recover from.

Special Publication (SP) 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events can help organizations to develop a strategy for recovering from an attack affecting data integrity (and to be able to trust that any recovered data is accurate, complete, and free of malware), recover from such an event while maintaining operations, and manage enterprise risk.

The goal is to monitor and detect data corruption in widely used as well as custom applications, and to identify what data way altered/corrupted, when, by whom, the impact of the action, whether other events happened at the same time. Finally, organizations are advised on how to restore data to its last known good configuration and to identify the correct backup version.

“Multiple systems need to work together to prevent, detect, notify, and recover from events that corrupt data. This project explores methods to effectively recover operating systems, databases, user files, applications, and software/system configurations. It also explores issues of auditing and reporting (user activity monitoring, file system monitoring, database monitoring, and rapid recovery solutions) to support recovery and investigations,” the authors added.

The National Cybersecurity Center of Excellence (NCCoE) at NIST used specific commercially available and open-source components when creating a solution to address this cybersecurity challenge, but noted that each organization’s IT security experts should choose products that will best work for them by taking into consideration how they will integrate with the IT system infrastructure and tools already in use.

guide recover ransomware

The NCCoE tested the set up against several test cases (ransomware attack, malware attack, user modifies a configuration file, administrator modifies a user’s file, database or database schema has been altered in error by an administrator or script). Additional materials can be found here.

Internet Impact Assessment Toolkit: Protect the core that underpins the Internet

The Internet Society has launched the first-ever regulatory assessment toolkit that defines the critical properties needed to protect and enhance the future of the Internet.

Internet Impact Assessment Toolkit

The Internet Impact Assessment Toolkit is a guide to help ensure regulation, technology trends and decisions don’t harm the infrastructure of the Internet. It describes the Internet at its optimal state – a network of networks that is universally accessible, decentralized and open; facilitating the free and efficient flow of knowledge, ideas and information.

Critical properties of the Internet Impact Assessment Toolkit

The five critical properties identified by the IWN are:

  • An accessible infrastructure with a common protocol – A ‘common language’ enabling global connectivity and unrestricted access to the Internet.
  • An open architecture of interoperable and reusable building blocks – Open infrastructure with a set of standards enabling permission-free innovation.
  • Decentralized management and a single distributed routing system – Distributed routing enabling local networks to grow, while maintaining worldwide connectivity.
  • Common global identifiers – A single common identifier allowing computers and devices around the world to communicate with each other.
  • A technology neutral, general-purpose network – A simple and adaptable dynamic environment cultivating infinite opportunities for innovation.

When combined, these properties form the unique foundation that underpins the Internet’s success and are essential for its healthy evolution. The closer the Internet aligns with the IWN, the more open and agile it is for future innovation and the broader benefits of collaboration, resiliency, global reach and economic growth.

“The Internet’s ability to support the world through a global pandemic is an example of the Internet Way of Networking at its finest,” explains Joseph Lorenzo Hall, Senior VP for a Strong Internet, Internet Society. “Governments didn’t need to do anything to facilitate this massive global pivot in how humanity works, learns and socializes. The Internet just works – and it works thanks to the principles that underpin its success.”

A resource for policymakers and technologists

The Internet Impact Assessment Toolkit will serve as an important resource to help policymakers and technologists ensure trends in regulatory and technical proposals don’t harm the unique architecture of the Internet. The toolkit explains why each property of the IWN is crucial to the Internet and the social and economic consequences that can arise when any of these properties are damaged.

For instance, the Toolkit shows how China’s restrictive networking model severely impacts its global reach and hinders collaboration with networks beyond its borders. It also highlights how the US administration’s Clean Network proposal challenges the Internet’s architecture by dictating how networks interconnect according to political considerations rather than technical considerations.

“We’re seeing a trend of governments encroaching on parts of the Internet’s infrastructure to try and solve social and political problems through technical means. Ill-informed regulation can drastically alter the Internet’s fundamental architecture and harm the ecosystem that supports it,” continues Hall. “We’re giving both policymakers and Internet users the information and tools to make sure they don’t break this resource that brings connectivity, innovation, and empowerment to everyone.”