NCS3 Study - IoT related risks and strategies


  • Vidar Hedtjärn Swaling

Publish date: 2018-06-27

Report number: FOI-R--4591--SE

Pages: 62

Written in: Swedish


  • Internet of Things
  • attack vectors
  • risks
  • strategies
  • authorities


This study identifies and analyses risks related to the Internet of Things (IoT) and proposes strategies for countering them. The strategies, although primarily directed to MSB (Swedish Civil Contingencies Agency) and other authorities. The analysis is based on a study of the scientific literature and was carried out using a risk assessment framework. The elements included are protection values, vulnerabilities, attack vectors, risks, and strategies. The attack vectors are described at a deeper technical level and have been placed in an appendix. The conclusion is that MSB should:

1. Strive to attain risk management that directs preventative efforts against:
   a. vulnerabilities such as poor password management as well as physical exposure;
   b. information theft and other breaches of confidentiality, since these can be the first steps in an attack sequence that in the worst case threatens critical societal functions.
2. Recommend a conservative attitude, in terms of "security by design", so that products are delivered with secure passwords and units are not connected unnecessarily.
3. Prioritise ordinary IT and ICS security work, because it is in these domains that the relevant consequences are manifested.
4. Strive for transparency within IoT, where the purpose of being connected is communicated, and where information about incidents and vulnerabilities is shared without jeopardising commercial incentives.

MSB should also try to contribute to a current overview of the potential vulnerabilities and which of them are actually exploited and actually result in serious consequences, as well as which actors are involved in the attacks.