Both the Internet of Things (IoT) and operational technology (OT) have significantly changed our risk landscape. SWITCH-CERT uses its dedicated security expertise to support its customers.
IoT and OT devices are now an indispensable part of the university landscape. A Raspberry Pi here to perform small tasks, an oscilloscope there to pass on measurement data to a PC via the network. OT devices are typically used in building automation, such as for regulating the indoor climate and light, or for controlling and monitoring the power supply in a data centre.
From a security perspective, IoT devices don’t have the best reputation thanks to poorly implemented security features and a general lack of update possibilities – to name but a few criticisms.
There are many reasons why security by design still has a long way to go in the IoT. Higher production and operating costs are often mentioned as the main reason. The fact that manufacturers are only making slow or no progress at all is linked to the lack of legal provisions. Greater security could certainly be achieved if such provisions were to be put in place, as was the case in the field of personal protection. Every device that is powered by electricity needs to be built so that there is no risk to the user when used correctly. Another example is airbags, for which legislators had made no provisions at the time of their introduction; it was purely technology driving their installation. Over time, airbags became state of the art and, thanks to continuous improvements, mass-produced items.
The is also room for improvement in the area of standards and norms, as the ISO norm 27400.2, ‘Cybersecurity – IoT security and privacy’ is still in the making. The European Telecommunications Standards Institute (ETSI) covers the key points of IoT security in its technical specification ETSI TS 103 645. However, this document is not recognised as binding in the EU.
The large number of OT and IoT devices places high demands on universities’ IT security departments. These teams, which usually have limited resources at their disposal, opt instead for direct responsibility. This means that the user is responsible for the security of devices, which involves installing security updates, creating backups and making sure that the necessary services can be reached externally. But the user is rarely a security expert themselves and as a result, outdated software versions, standard passwords and unnecessary services remain in use.
Centrally managed services, web servers and making databases available can help address this issue. However, centrally managed services aren’t always an option everywhere, as demonstrated by the ‘Immersive Arts Space’ tech/art-lab at Zurich University of the Arts. There, technologically supported, artistic engagement with immersion, virtual reality and simulation is being put into practice in various studies. Audio, video, virtual reality and drones form a whole and devices collaborate digitally. From a security perspective, neither the university’s network nor its servers should be compromised in the event of an attack on IoT devices.
Both the IoT and OT present new opportunities and flexibility for students and researchers. However, from a security perspective, they also create greater opportunities for attack. SWITCH-CERT grapples with this issue and supports its customers.