With India currently witnessing rapid growth in small and medium enterprises (SMEs), often referred to as ‘startups’, it is also imperative for engineers to design and develop Industrial Internet-of-Things (IIoT) networks that are completely secure; this can be accomplished by thoroughly understanding the nature of the attacks that IoT networks are vulnerable to.
SMEs (and startups) cannot choose to ignore top-class IoT security; key technology-driven decisions regarding the deployment of secure solutions should be taken by the owners of these enterprises. To offer clarity on IoT security for entrepreneurs, Rahul R of ElectronicsForYou spoke with Faud Khan, chief security analyst at TwelveDot Inc, Canada. Faud possesses more than twenty years of experience in domains connected with IT security.
Q. Getting straight to security from an SME standpoint, what are the security-related aspects that engineers should incorporate while developing secure solutions?
A. The key aspect for engineers developing solutions for IoT networks relates to both design and threat modelling. When engineers are developing the product concept at the design stage, they should immediately look at incorporating security controls that minimize their product risk. The key elements here are deploying technical analysis, such as the ways & means through which the product could be abused by cyber-criminals. Since IoT comprises multiple layers, namely the middle layer, the cloud and the device layer, engineers should understand the individual components of an IoT system and evaluate vulnerabilities accordingly. These are the most fundamental aspects that budding engineers and entrepreneurs should keep in mind while developing non-complex security solutions.
Q. Continuing the above, what are the likely attacks that could plague SME IoT networks?
A. Firstly, we term the process of compromise ‘weaponising’. Since a lot of IoT devices have inherent vulnerabilities, these are easily open to attacks. In this scenario, weaponising is achieved by cyber-criminals compromising these systems to launch attacks such as Distributed Denial of Service (DDoS). DDoS, along with Denial of Service (DoS), would fall into the category of the most common attack types that SMEs could fall prey to. The key to protecting data is to understand the basic security infrastructure and analyse how it processes the data collected. Once this is achieved, layers of different access controls should be deployed. An illustration would be a scenario wherein the system should be made to guard itself against scripting attacks. To accomplish this, engineers should test & validate the application and all server components. The code of the front end should be made secure; this holds true for databases as well. If the database takes SQL commands, engineers should ensure that external SQL commands cannot be injected into the system. Finally, encryption of the database should also be done at the communication and storage layers.
Q. Since you are well versed with the international IT security scenario, is there an international governing body that provides for regulation of IoT security?
A. Right now, there is no regulatory council that guarantees security; safety is typically required by specific regulatory groups. Specific domains have their own security and safety protocols. This is true of the current aviation and nuclear sectors, which follow a group of closely-knit standards for their day-to-day activities. However, as far as the consumer sector is concerned, there are no safety standards overseen by international regulatory forums. Nonetheless, the industrial sector is subject to defined safety standards. The safety standards for industrial networks (IIoT) have to meet specifications laid out by governments.
Q. Since you have mentioned governments, any use cases you can share wherein governments have fixed specifications for network safety?
A. The European Union (EU) has been researching an EU IoT Cyber Security 2020 policy; this contains an EU perspective on defining security and privacy for IoT. The United States (US) and Canada are yet to come out with similar ideas. Nonetheless, governments around the world follow various custom guidelines as far as setting cyber-security specifications is concerned.
Q. How do you view the IoT-centric research that is currently taking place in India?
A. It is definitely moving along on the right path. I think that the research scientists and the product companies have definitely understood the underlying cyber-security factors. This would definitely help the country at a juncture where smart cities are starting to get developed.
Q. Since you are optimistic about the research happening in India, how should engineers build industrial systems such that security is incorporated from the chip level itself?
A. Understanding the origin of the chip and components is the key to building the right security for systems; aspects such as potential compromises to the chip at the factory level need to be properly analysed and identified. Once chips are released, the monitoring and run-time systems should be able to detect compromises before a system is developed on top of a chip.
Q. Finally, for sectors that have societal impact like healthcare, how should industrial systems be designed to incorporate maximum security?
A. For healthcare, the approach is a tad different considering the fact that devices here have personally identifiable information. Data security is the key. Data collection, processing and storage are the three key elements. Access permissions within IoT networks should also be carefully developed and distributed to official sources. On top of the above, engineers should understand the usable life of the data. If data is found to be unnecessary, or provides little value, it must be securely deleted.