Two reports from the Royal Academy of Engineering reveal a critical need for systematic improvements in IoT security in key industries, and identify how this can be achieved. Andrew Hobbs and Sandra Vogel report.
Increasing connectivity between physical and digital systems brings with it increased risk. As the Internet of Things (IoT) pervades critical systems, such as those in the energy, financial, and healthcare sectors, it’s vital that the resilience of these systems is investigated and strengthened.
Rapid IoT adoption across all aspects of life and business is growing beyond the systems that secure these networks. That is not to say that suitable levels of security aren’t currently achievable, but simply that many businesses are taking a cavalier or underfunded approach to it.
The latest report from the Royal Academy of Engineering, titled Cyber safety and resilience – strengthening the digital systems that support the modern economy, calls for improved cybersafety and resilience.
Given that IoT security solutions are often industry-specific, the report focuses on the connected health devices sector to illustrate its arguments, citing the risk to the privacy and integrity of patient data.
It also recognises that the potential repercussions of a cyberattack or system failure should determine what measures and resource levels should be made available in response. This involves not only robust engineering, but also appropriate regulations and standards.
The organisation has also published a second report. The document, Internet of Things: realising the potential of a trusted smart world, has been produced in partnership with the PETRAS Cybersecurity of the Internet of Things Research Hub, and was compiled by a group of experts from PETRAS and the Academy, chaired by Paul Taylor FREng, UK lead partner for cybersecurity at KPMG.
IoT & Cybersecurity: what needs to change?
The two reports have been formulated in response to the recent UK Government industrial strategy white paper, which stressed the opportunities presented by AI and the data-driven economy – highlighted as one of four ‘Grand Challenges’ for UK industry.
One major vulnerability is the repurposing of hardware that was never intended to be exposed to an online environment. The Royal Academy of Engineering report explains:
Existing systems, such as industrial-based legacy systems, may not have been designed with security as a requirement, since they were never intended to connect to the internet. However, once connected, vulnerabilities that reside in individual components, or the systems that are created from these components, may become exploitable in a cyberattack.
While many sectors are developing frameworks, such as the government’s Cyber Essentials scheme and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, this process needs to be accelerated and compulsory adoption considered in critical sectors.
The paper identifies five key messages and recommendations regarding IoT network security:
• Organisations need to be more aware of the vulnerabilities in components and other products provided by their supply chain and need to demand that products are ‘secure by default’.
• Stronger mechanisms are needed to ensure that cyber safety and resilience are maintained in all applications – both critical and non-critical – but there is no ‘silver bullet’.
• Many existing regulations are no longer fit for purpose as systems evolve and the threat level changes. Greater focus is needed on cybersafety and resilience. In future, regulations must integrate safety, security, and resilience, and protect consumers.
• The UK has world-class expertise in safety-critical systems that should be transferred to other sectors and applications.
• Methods for assuring complex systems of systems require further research.
The two reports suggest a range of solutions to these problems.
Among their recommendations are:
• Mandatory risk management procedures should be considered for critical infrastructure, aligned to industry standards. These should set out guiding principles for cyber risk management during design, operation and maintenance.
• Supply chain transparency: Cybersecurity policies should require that there is transparency throughout the supply chain about the level of cybersecurity provided in products and services.
• International ‘umbrella agreements’ on IoT: The UK government should work with other governments, institutions, and vendors, towards ‘umbrella agreements’ that set out an international baseline for IoT data integrity and security for all parties to adopt.
• Frameworks that are appropriate to support ethical behaviours in AI and the IoT should be developed and applied to help minimise the risks to society.
Internet of Business says
Despite their differences, industries in different sectors can learn from each other when it comes to cybersecurity and risk management. Potential impacts differ but, at a systematic level, security approaches will be broadly similar.
Businesses and institutions must determine what level of resource is appropriate for their IoT security, depending on how an attack might scale and how it might affect its victims. For example, in the healthcare sector, critical wellness and life-support systems are particularly sensitive to this.
However, there is little objective record of the current security risks and potential impacts of connected health devices. Rectifying this is a crucial first step before preventative measures can be adopted. The same applies to other industries too. The security resource needs to be proportional to the level of risk.
This also affects the business case for implementing IoT solutions. For example, might the level of risk involved – and the cost of guarding against risk – outweigh the benefits of digitisation, or render it economically unviable?
Ignoring the security implications can have catastrophic results at the company level but, more importantly, at national or international level when an IoT network links critical infrastructures.