Apostolos Malatras: A smarter device doesn't necessarily mean a more secure one
We should consider cybersecurity to be of paramount importance, otherwise we risk having a lot of vulnerabilitiesMaria Koleva , Brussels
Security of each object in the Internet of Things should not be considered as an afterthought, it should be implemented in the design phase. It is always better to take care of something when you start, in the beginning, than to solve problems after the implementation, said Dr Apostolos Malatras, expert in Network and Information Security with the Secure Infrastructure and Services Unit at ENISA, in an interview to Europost.
The importance of securing the Internet of Things was the topic of the ENISA-Europol conference held few weeks ago in The Hague. What were the main inferences from the discussions?
ENISA has organised this IoT security conference together with Europol. We have seen in the last few years a lot of new kinds of IoT objects, smart objects, in our daily lives. Most of the people are using smart phones, they have connected cameras in their homes and they are permanently used. Both ENISA and Europol have identified many security risks related to IoT and we joined our efforts to deal with the problems that have arisen from IoT. Last year we held the first conference and this year's event was double in size and topics discussed. Out of the main outcome of discussions these two days, we highlighted the fact that security of each object in the IoT should not be considered as an afterthought, it should be implemented in the design phase. It is always better to take care of something when you start, in the beginning, than to solve problems after the implementation. Therefore, the concrete result of the conference is that security is one of the main priorities, as with IoT we see connected stuff from different sectors - connected cars, connected hospitals, we even see connected toothbrushes.
What is the profile of the stakeholders?
Discussing cybersecurity at the IoT security conference we had different stakeholders - from policy makers, from the law enforcement community, from industry, from the security field, from academia, in order to address and discuss the problem at the round table in a 'holistic' manner. And we strongly advocate that cybersecurity is a shared responsibility - we bring all the people together and we come up with the solutions together. This doesn't means that there are not already solutions out there. ENISA has done great work during the last few years. In 2017 our agency published Baseline Security Recommendations for IoT, which had direct response worldwide - from the US, from Japan, from the whole of Europe, from the industry and the private sector alike. This study was complemented by an online tool that ENISA has created, which allows everybody to go there and define their specific needs and find practical suggestions how to improve their IoT cybersecurity. ENISA is very active in raising awareness on all challenges concerning IoT security, and actually, both agencies are strong about raising cybersecurity awareness across the supply chain, because at the end of the day, IoT is a broad ecosystem and everyone involved will have to work to address problems that might come up, not just the users. So collaboration, coordination between the two agencies, shared responsibility between all actors, related law enforcement actions, need for practical and economically viable IoT security solutions, are the directions that came out from the conference.
You mentioned 'connected toothbrushes' but can we seriously look at them in the cybersecurity context?
I gave such example at the conference: “If your toothbrush calls you, it might not be for dental hygiene.” It was a funny story, I bought one of these smart toothbrushes to my mum and I've spent a lot of time educating her how to use it. And one of the things related to smart devices, the underlying principle is the notion of trust. All these smart objects are talking to each other over the internet, that's why we call it Internet of Things. So, if I get a message from my toothbrush over the internet, in principle I trust that it is my toothbrush contacting me with information about dental hygiene. But this is based on a level of trust that we give, nobody can guarantee that it is my toothbrush. One can easily abuse this level of trust and send false messages, for example say to me that I have a problem with my teeth, and I will go to the dentist for nothing. The problem with these connected devices is to be able to trust them, and we are not there yet with this level of trust. There has been a lot of work, so we tried to promote security - and accordingly trust - across the ecosystem, but everything is connected and this large scale connectivity and complexity is making things very difficult.
What does for example ENISA do for raising citizens' awareness about cybersecurity?
This is one of the things in the Cybersecurity Months across Europe, where ENISA is co-organiser together with the European Commission and other partners on national and local level, such as local authorities, governments, universities, think tanks, NGOs and professional associations. Our aim is to raise as much as possible awareness on different topics of cybersecurity. This year, as it was in the last year's programme, one of the topics was dedicated to IoT. In October we accented on expanding the digital skills and education of citizens across Europe with the campaign 'Get cyber skilled'. Its goal was to support the advancement of cybersecurity education and skills to the next generation.
Learning modules for the campaign were created with European Schoolnet as part of the #SaferInternet4EU initiative launched earlier this year by Commissioner Mariya Gabriel. This initiative derives from the Digital Education Action Plan Priority that is developing appropriate digital skills and competences for the digital transformation. The modules were shared with teachers throughout Europe in order to design a programme for their classes. Key topics were password management, backing up data, privacy settings, and protecting against social engineering. ECSM is the European Union's annual awareness raising campaign dedicated to promoting cybersecurity among citizens and organisations, providing up-to-date security information through education and sharing of best practices. This year the motto of the event was: “Cyber security is a shared responsibility - Stop. Think. Connect.”
We have produced and disseminated many materials throughout Europe for supporting end-users and increasing their perception of security. The leaflets for example include tips such as how to handle passwords, how to avoid phishing attacks, or how to protect private information online. In the context of IoT, password attacks were among the biggest cyber-threats as identified in the ENISA Baseline IoT Security study. Boosting cybersecurity skills helps people to protect themselves better online.
What are the main mistakes that users of personal mobile devices make?
I would like to reverse a bit this question. It is not about making mistakes. It is about how to make people more aware of what to do so that they learn how to avoid potential problems in the future. And ENISA is trying to increase cybersecurity awareness among consumers, businesses and organisations around Europe. We work very much with the community and produce useful guidelines about how to increase the level of cyber 'hygiene' - the basics of cybersecurity that people can do in order to increase the level of security. How to identify which online sources to trust and which not to trust. Also how to avoid scamming online. It is very important information for the average users. We have a lot of activities on these topics with students and young people too, also for increasing their cybersecurity skills.
From what directions were the most serious cyber-threats in the last years, and what would be the risks when in 2020 the number of connected devices will be over 20 billion?
Let me clarify that in ENISA we are not collecting information about incidents or particular attacks. It is not in our mandate, others are doing that. I've already mentioned about our publication based on the input we received from our stakeholders, Baseline Security Recommendations for IoT, where we identified the most important threats arising from IoT.
Some of the threats highlighted there were weak passwords, malware, or malicious software being installed on the devices beforehand, or botnets. Maybe you remember the case of the Mirai botnet attacks two years ago, when a lot of IoT devices were exploited by malicious traffic to bring down parts of the internet. And of course, a very important threat that we identified in the report is the leakage of sensitive private information. Because most of these devices are consumer devices, and they collect information about our daily life, our patterns, and things that we are doing. So my device knows more about me than my mother knows. Every year, ENISA publishes a Threat Landscape for the previous year that provides an overview of threats, together with current and emerging trends. For instance, earlier this year ENISA launched a web application with information on the top 15 cyber-threats encountered last year.
Isn't it a paradox that while the electronic household appliances are becoming smarter, the consumers are becoming more and more vulnerable?
We have to distinguish the two things. When some device becomes smarter, this does not necessarily mean it becomes more secure. Security is something that has to be carefully considered from the design phase, when starting the process, and this will avoid vulnerabilities later on. In fact, becoming smarter, the appliances increase the possibility of vulnerabilities in the future. By becoming smarter, these devices talk to each other, they talk with devices that are outside of the ecosystem and collect a lot of information, and in some cases sensitive private data. But if we don't consider security to be of paramount importance, then we risk having a lot of vulnerabilities. The work we do with the stakeholders addresses these concerns.
Dr Apostolos Malatras is an Expert in Network and Information Security with the Secure Infrastructure and Services Unit at ENISA (European Network and Information Security Agency). He is the project manager for Internet of Things (IoT) and Smart Infrastructures. His portfolio includes Cyber Security of the IoT, Network Management and Smart Transport. With more than 15 years of experience in the industry, academia, and the European Commission, Dr Malatras has a broad experience in managing and securing network infrastructures and connected and intelligent devices. He is the author and co-author of more than 60 research papers and scientific reports and regularly gives presentations at various international fora.