The Internet of Things (IoT) has long been a game of rush-to-market, with production speed trumping security. The rapid adoption of these low-security devices, however, puts consumers at risk of becoming victims of cyberattacks.
Securing millions of non-standard devices as disparate as home thermometers, smart TVs and cars is no trivial task. It can be easier if the devices run on simple, stripped-down ASIC (Application Specific Integrated Circuit) processors, but increasingly they contain full-fledged, powerful, modern, commodity, network-connected operating systems (OSes), with all the security problems these present. Or worse, they run older versions of those OSes, with no automatic updates and several years' worth of well-known vulnerabilities.
Singapore’s push into smart homes and industrial IoT will see the public and private sector address challenges from collection of data through to automation of tasks. With more than 80% of Singaporeans living in public housing, various agencies are working with industry players to develop and test smart home solutions in Housing Development Board (HDB) estates. On the industrial front, A*STAR, Singapore’s lead public sector agency for economics-oriented research, announced a new Industrial Internet of Things Initiative.
As more sectors move toward digitalisation, security must be implemented carefully, rather than quickly, and as part of an in-depth “security-by-design” process, rather than the “we’ll address security in version 2” attitude that has led to the current IoT security mess. While it may not be recent, the DDoS attack on Starhub in 2016 through compromised devices owned by its customers serves as a warning that IoT security cannot be taken for granted. This is especially critical if smart home devices become the norm in public housing and when IoT becomes mainstream in Singapore.
The need for a greater focus on security-by-design becomes more apparent when we look at the number of connected devices that will be around in the next few years. Gartner predicts the number of connected devices will top 20 billion by 2020. Consumer devices are the main driver today and accounted for over 5 billion units in 2017; around 63 percent of the total. Businesses meanwhile are projected to use 3.1 billion connected devices by the end of this year.
For consumers, the main types of connected devices at risk will be vehicles, smart TVs, digital set-top boxes and the often overlooked home network router, while business use will be dominated by smart electric meters and commercial security cameras. As internet services, IoT devices and IoT systems gain wider adoption, the ability to keep rogue processes contained, regardless of their origin, is crucial.
One approach is to make each process mutually suspicious: containerised and isolated from every other process. This means that while two information systems need to rely upon each other to perform a service, neither trusts the other to properly protect shared data. However, building systems this way is slower than simply bolting on a standard operating system like Linux or Android and shipping the product.
The good news is that there is coordination between the government and private sector to proactively protect our systems, as seen in the implementation of Singapore's Cyber Security Bill. Under the Bill, the owners of Critical Information Infrastructures (CII) have to comply with codes of practice and standards of performance, conduct cybersecurity audits and risk assessments, and participate in cybersecurity exercises. No action will be taken against CII owners for cybersecurity breaches if they comply with their obligations, but non-compliance will be an offence carrying a maximum penalty of S$100,000, two years in jail, or both.
While such legislation and enforcement gives us a good start, effective defence must remain available in the long term. Currently, the rate of adoption of such defences is still far outpaced by the number of new devices hitting the market with unknown security flaws and unproven patching abilities. This is where cyber security professionals need to work with developers and systems engineers to produce platforms that are both effective and secure.
The same urgency for the security of key systems must be applied consistently. This means resources must be dedicated to defending against rogue threats on networks one might not think to look at. A hack into a non-critical industry may also mean easier entry into critical industries, due to interconnections between the two.
As the importance and popularity of IoT continues to escalate and people place more valuable information on these devices, scammers, and more hardened cybercriminals, will continue to look for new ways of attacking and compromising the swarm of devices which now surround us.
Nick FitzGerald, Senior Research Fellow, ESET