Security in a connected world
The IoT is taking the world by storm: by the end of 2016, it is predicted that there will be 6.4 billion things connected worldwide, creating a US$19 trillion global opportunity.
The far-reaching benefits of IoT are clear to all, but the risks of this connectivity are high, say security experts who spoke at Tech Innovation, a yearly technology-industry brokerage event held in Singapore.
In an exclusive interview, Future Ready Singapore learns more from industry experts about the online security trends that will shape the way future businesses operate:
What are some of the foreseeable security challenges associated with the IoT?
Erel Rosenberg: Unlike conventional computer centres, IoT lacks physical security. IoT devices are located in public spaces with minimal security and therefore can be easily accessed by a combination of cyber and physical attackers.
This type of attack is still quite uncommon, simply due to the fact that most IoT devices have limited functionality and taking control over those devices offers very limited benefits for attackers. However, with the prevalence of nationwide concepts such as Smart Cities or Smart Nation, IoT devices will become more numerous and valuable. They will take a prominent place in critical infrastructures and hence become more attractive to cyber criminals.
Andreas Hauser: Early consideration of cyber security aspects in the development process will be necessary. The lack of relevant standards makes it difficult for companies to show that their claims are valid. This impacts the roll-out and scale-up of IoT-based solutions, even though the technology is ready.
Developing best practices and standards, which implies a consensus between the relevant international stakeholders, and incorporating them into regulations, would considerably facilitate the transfer of innovative IoT solutions into the market. However, the development process of standards and its incorporation into a regulatory framework needs also to be shortened to meet the short development cycles in the IT sector.
Cort Isenhagen: Security is almost always an afterthought. With IoT products, it is especially so because there is such a tremendous rush to market that device vendors are just trying to stay ahead of the competition, and their goal is just to make something that works, and sells, and then worry about security once they have got a successful product out ahead of the competition.
From a technology perspective, IoT devices present challenges for modern security approaches because many of them run on home-grown, custom operating systems that cannot support modern security software. Other components simply cannot handle the additional memory, compute, or power requirements. It will be a challenge to deploy software onto FPGA and ASIC devices, which are typically incorporated into missiles, motors, CT scanners, and industrial control systems. Modern security platforms are built for PCs and smart phones, not all the devices people are suddenly connecting to information systems and the internet.
How can businesses protect their IoT solutions and smart devices in an increasingly connected world?
Mark Baugher: Good companies should have compliance, not necessarily certification, with a set of policies and practices from a standard like ISO 27001, or the NIST Cybersecurity Framework in the US, or a Secure Product Development Lifecycle.
A good business will document the risks at the corporate level and the interdependencies among IT, build and operations security at the product level. A business should look at their supplier's culture for inculcating good engineering and security practices. Our Singapore office, for example, has a cross-functional security team and a training program that includes courses such as computer security, network security, secure software programming and ethical hacking. The team uses social networking tools and reaches beyond the Greenwave team to include Singapore-wide meetups of security professionals and talks on current trends in digital security.
Cort Isenhagen: There are a variety of emerging trends that are helping secure IoT devices. Most of these approaches involve taking security approaches developed for traditional IT environments, and scaling these approaches down to work on devices with less compute, memory, and power consumption. There are however some truly novel approaches that are very exciting – a great example is power profiling, which is a method that measures the electrical power signals across a processor and uses deviations from typical power behavior to detect anomalies. There are two companies that have developed promising technologies for power profiling – these are PFP Cybersecurity and Virta Labs. This method could be an important factor in protecting IoT devices.
Andreas Hauser: Businesses should actively develop cyber security guidelines that demonstrate the requirements a product or solution should have. Developing these standards and best practices provides the company and their products with a certain level of cyber security protection. With regard to the design and development of products and solutions, companies should incorporate cyber security elements at an early stage, which is most effective in terms of protection as well as cost reduction in the long term.
They will also need to ensure that both security and safety requirements are properly tested before any implementation. With the increasing connectivity, it will also be crucial to ensure constant review of the state of the IoT devices and solutions to detect and respond to any form of attacks.
One example is the development process of Siemens automation products in terms of security, which has been certified by TÜV SÜD based on IEC 62443 industrial cyber security standards.
Is there a role for the government in accelerating the secure adoption of IoT in the region?
Erel Rosenberg: In many ways, cyber security should be taken into consideration concerning common infrastructure protection such as water, transportation or electricity. Although each individual company can try to solve the cyber security threats by itself, it is clearly not the most efficient way to handle this threat. We need to find a way to offer cyber security as a service, in the same way that electricity is. However, as we are talking about new technologies and new types of services, it is still unclear how to propose this type of service, as we still lack the experience, the standards and the technology to provide a simple solution to this problem.
Governments have two main roles: first to provide guidelines and information to businesses and manufacturers in order to help them to keep their IoT as secure as possible. The second role of government is enforcement. Policing needs to be extended to new threats, including new capabilities that are required to detect attacks over IoT infrastructure.
Subho Halder: IoT uses a whole lot of personal sensitive data and Personal Identifiable Information (PII) to process. In the case of Smart Nation initiatives, IoT devices are used in handling sensitive data of residents of the city, and the behavioural patterns determined by these devices are the result of a Smarter Nation. One of the first steps to protect these data is to look at the Privacy Concern of these data, and for the Government to implement proper Personal Data Protection Act (PDPA) and Privacy Law.
The challenge here is to make sure governments are able to speak to the right kind of people to establish policies that protect the interest and privacy of users and at the same time should not be a major hindrance to businesses, else we will end up killing innovation.
Mark Baugher: The European Union is far ahead of the United States in legislation that protects citizen data from exploitation or abuse. The EU Data Protection Directive may not be a perfect law, or even a good one, depending on your point of view, but it does regulate digital data and thereby allows citizens to at least know how private their data are if not control it. Even weak legislation can be improved over time. There is a tendency for services from trans-national operators to comply with the most restrictive, most private jurisdiction; it’s cheaper and simpler to operate the service in a single way in all jurisdictions rather than changing policies at geo-political borders.
Of the variety of IoT technologies available now and in the foreseeable future, what excites you the most?
Erel Rosenberg: I think that V2V (Vehicle to Vehicle) and V2I (Vehicle to Infrastructure) technologies have the potential to change the way that we are driving, providing efficiency and safety for drivers. While this technology is still in a very early stage, the potential of this technology may be very high.
Subho Halder: IoT is a beginning of a bigger tech revolution in the near future. What excites me the most about IoT is how we can use it in Medical Science to improve our quality of living. By leveraging the power of connected devices and communications along with Big Data Analytics, the future looks promising and exciting.
Andreas Hauser: IIoT or AV, since it will impact the normal day-to-day life of the citizens massively. Another area is wearables integrated with augmented reality used for medical purposes, which will disrupt healthcare as we currently know it.
Edited by Liew Hanqing and Tan Yi Xuan