Have you updated your lightbulb?

Have you updated your lightbulb?: Solving IoT vulnerabilities through governance

de Roon, Tom (TU Delft Technology, Policy and Management; TU Delft Organisation and Governance)

Parkin, S.E. (mentor)
van Eeten, M.J.G. (graduation committee)
Ubacht, J. (graduation committee)
Krenn, R. (graduation committee)

Delft University of Technology

Complex Systems Engineering and Management (CoSEM)

2021-07-19

Connecting ‘things’ like a doorbell, webcam, lamp, or other objects to the web to provide a service or control is called the Internet of Things (IoT). These devices contain vulnerabilities that form risks for the device user and possibly the network owner through their heterogeneity. The identified knowledge gap is the need for more IoT governance but no specification on governance options and means to reach specific stakeholders. Using a dataset of network scan data of The Hague as the empirical context for the defined knowledge gap, this research aims to look into the vulnerabilities IoT devices carry, and then look into relevant stakeholders to see what they can do through governance and why they are not doing this. To answer the main research question: How can the municipality of The Hague use governance instruments to decrease cyber vulnerabilities in IoT devices?
Using a literature study to define IoT concepts and the governance of IoT and current governance examples, background information is provided for the rest of this research. The database of 1649 IP addresses of network scan data from the area of The Hague is then used to find what vulnerabilities are present and what stakeholders are identifiable from this data. Exploring this network scan data showed only 191 devices are fully identifiable from the total number of IP addresses. These devices all carry vulnerabilities for the user of these devices, and being visible is by itself a vulnerability. No device owners could be directly identified, only the providers of the networks these devices are found in. This results in the identifiable stakeholders from the dataset: ISPs and device manufacturers.
Governance options are defined for these stakeholders (e.g. security-by-design, informing users etc.). These options are assessed on viability and validity through semi-structured interviews with three ISPs and the municipality.
The conclusion found is that the most viable action to take is informing device users since secure configuration and usage of a device would take away vulnerabilities while waiting for European legislation to be implemented. This legislation will force more security-by-design. The recommendation for the municipality is to take the role of leading actor, provide a better problematization with the data available, and use this to generate more urgency with other stakeholders. Starting public-private partnerships (with ISPs, device vendors, universities, other municipalities: different perspectives to progress the problem) and starting information campaigns and therefore try to reach as many people as possible. Even though ISPs can not provide in reaching vulnerable users directly, they can help in general information campaigns. Increasing security practices on the user side while waiting for legislation on the manufacturer's side.

internet of things
IoT
Cybersecurity
stakeholders
interviews
qualitative
The Hague
governance

http://resolver.tudelft.nl/uuid:2e362af9-d32e-42b0-ada0-8b995fcb140e

Student theses

master thesis

© 2021 Tom de Roon