IoT devices (Internet of Things) are increasingly introduced on the market without a basic security level. As a result, these could lead to vulnerabilities during their unknown lifespan. With this rapid proliferation of IoT, where physical objects are becoming smart and connected, threats are also no longer geographically bound and become more sinister with widespread repercussions for governments, businesses and everyday users. Therefore, it is pertinent to create an ecosystem that is secure from design to disposal; a challenge that requires a global approach. We propose an initiative that galvanizes global efforts to create a secure and safe cyberspace of things.

Objective

The objective of this initiative is to provide policy makers, regulators, executives, chief Information Security Officers (CISOs) with understanding and guidance in order to accomplish a more secure IoT environment. This initiative will leverage successful policies, good practices and practical solutions to solve the cross-domain and cross-functional challenges of IoT security.

The GFCE offers the right platform considering its global reach and the international collaboration between countries and private parties. The outcomes of this initiative also match the GFCE’s goal of identifying and disseminating good practices and multiplying these on a global level.

Relevance for the GFCE community

IoT has the promise of significant economic and social benefits for both developed and developing countries. It is crucial that these benefits are not undermined by poor security and a lack of available, effective and useful security policies. Through this initiative, members will be better able to address policy challenges in order to accelerate the growth of secure IoT in their countries.

The topic of IoT security was also considered relevant for the GFCE community in the Working Group on Cyber Security Standards (WG E).

Activities

IoT Security Roundtable

As a kick start event for this initiative, Singapore and the Netherlands organised the IoT Security Roundtable on the 18th of September 2018, prior to the GFCE Annual Meeting in Singapore, in conjunction with SICW (Singapore International Cyber Week). Next to exchanging current IoT security good practices, presentations and a panel discussion will focus on the priority areas for IoT security.

The GFCE Annual Meeting in Singapore will provide the opportunity to exchange views on the initiative and declare interest of joining the initiative.

Start of Initiative

  1. Committed countries and companies seek consensus on the scope, outcome and work methods of the initiative.
  2. Partners will identify the main challenges and gaps for enhancing IoT security and establish focus areas; we propose as a priority three focus areas: A) IoT evaluation and certification regime(s) – covering a.o. a shared understanding of the various schemes and their application areas, the lack of appropriate schemes and harmonisation. B) Trusted supply chain -  covering a.o. the various ecosystems; from consumer goods to innovative industry sectors (smart mobility/automotive and smart health). C) Trusted identity – covering a.o. hardware security solutions e.g. unique device IDs.

Special Interest Groups  (2019)

  1. Formation of Special Interest Group (SIG) for separate focus areas, with representation from government agencies, industry and research.
  2. As each SIG is different in scope, they will have flexibility to define their own working method and targets.
  3. All SIGs engage in an open dialogue with leading international experts, hold workshops and report back to the other SIGs and the GFCE WGs.
  4. All SIGs will report end of 2019 (by preference the GFCE Annual Meeting) and identify the in-depth activities for the year 2020.

Special Interest Groups and finalisation (2020)

  1. Continued work of SIGs and reporting end of 2020 to the GFCE Annual Meeting.

Outcome

This initiative will leverage successful policies, good practices and practical solutions to solve the cross-domain and cross-functional challenges of IoT security, made available for GFCE members.

Depending of the focus area of each SIG the outcome can entangle different results, e.g. (not exhaustive):

  • Developing a ‘good practice guide’ in close cooperation with the GFCE WG on cyber security standards (WG E);
  • Developing a ‘strategy paper’ for policy makers, including principles, measures and policies on a national level to foster IoT security across the entire lifecycle;
  • A call to start triple-helix partnership between governments, research and industry to collectively tackle IoT cyber security in specific supply chains in industry sectors;
  • A call to develop specific lacking technical references and standards.

Indication of Interest

The Cyber Security Agency of Singapore (CSA) and the Ministry of Economic Affairs and Climate policy (EAC) are keen to work with like-minded partners to carry out this initiative as founding members. Interested GFCE members and partners may contact the following persons:

Mr. Calvin Ng.

Deputy Director, Technology Division

Cyber Security Agency of Singapore

calvin_ng@csa.gov.sg

Thomas de Haan

Policy Coordinator, Ministry of Economic Affairs and Climate Policy, the Netherlands

t.s.m.dehaan@minez.nl

The initiative is supported by TNO, point of contact

Dr Mark van Staalduinen

Deputy Director

TNO Singapore

Mark.vanStaalduinen@tno.nl