The challenge of the Internet of Things

Both the Internet of Things (IoT) and operational technology (OT) have significantly changed our risk landscape. SWITCH-CERT uses its dedicated security expertise to support its customers.

Testo: Martin Scheu, pubblicato il 05.10.2020

IoT and OT devices are now an indispensable part of the university landscape. A Raspberry Pi here to perform small tasks, an oscilloscope there to pass on measurement data to a PC via the network. OT devices are typically used in building automation, such as for regulating the indoor climate and light, or for controlling and monitoring the power supply in a data centre.

From a security perspective, IoT devices don’t have the best reputation thanks to poorly implemented security features and a general lack of update possibilities – to name but a few criticisms.

Security by design

There are many reasons why security by design still has a long way to go in the IoT. Higher production and operating costs are often mentioned as the main reason. The fact that manufacturers are only making slow or no progress at all is linked to the lack of legal provisions. Greater security could certainly be achieved if such provisions were to be put in place, as was the case in the field of personal protection. Every device that is powered by electricity needs to be built so that there is no risk to the user when used correctly. Another example is airbags, for which legislators had made no provisions at the time of their introduction; it was purely technology driving their installation. Over time, airbags became state of the art and, thanks to continuous improvements, mass-produced items.

Lack of standardisation

The is also room for improvement in the area of standards and norms, as the ISO norm 27400.2, ‘Cybersecurity – IoT security and privacy’ is still in the making. The European Telecommunications Standards Institute (ETSI) covers the key points of IoT security in its technical specification ETSI TS 103 645. However, this document is not recognised as binding in the EU.

Delegated responsibility

The large number of OT and IoT devices places high demands on universities’ IT security departments. These teams, which usually have limited resources at their disposal, opt instead for direct responsibility. This means that the user is responsible for the security of devices, which involves installing security updates, creating backups and making sure that the necessary services can be reached externally. But the user is rarely a security expert themselves and as a result, outdated software versions, standard passwords and unnecessary services remain in use.

Centrally managed services, web servers and making databases available can help address this issue. However, centrally managed services aren’t always an option everywhere, as demonstrated by the ‘Immersive Arts Space’ tech/art-lab at Zurich University of the Arts. There, technologically supported, artistic engagement with immersion, virtual reality and simulation is being put into practice in various studies. Audio, video, virtual reality and drones form a whole and devices collaborate digitally. From a security perspective, neither the university’s network nor its servers should be compromised in the event of an attack on IoT devices.


Both the IoT and OT present new opportunities and flexibility for students and researchers. However, from a security perspective, they also create greater opportunities for attack. SWITCH-CERT grapples with this issue and supports its customers.

Martin   Scheu

Martin Scheu

Martin Scheu has been working for SWITCH since 2019. He deals with OT and industrial control systems security and is committed to ensuring that industry stays secure in Switzerland.



SWITCH-CERT is active in the field of OT network monitoring. OT networks are usually ‘blind spots’ on the network map that go unmonitored. Cost is one reason for this, as SMEs can’t afford expensive commercially available OT monitoring software. Together with ntop, SWITCH-CERT has developed an OT network traffic monitoring plug-in for the open source monitoring software ntopng.


Altri contributi