IoT Cyber, Frameworks, Standards and the path to greater awareness

By Pete Stoddart and Steven O’Sullivan

Smart Cities Cyber: Part 3

Following on from Part 2 in our ‘Smart Cities Cyber’ series, this article looks at the wider Internet of Things (IoT) landscape, including consumer, as well as the Industrial IoT (IIoT) and the associated Industry Control Systems (ICS).

We augment this with an overview of the current and evolving plethora of IoT cyber frameworks and associations that are working on developing these standards. We finish by providing a simple checklist on what you could do to help bring about an improved awareness of IoT Security in the context of a Smart City.

If you are working on Smart City programmes, this article should help you consider cyber security in the context of your Smart City and provide you with some further sources of reading.

Reading time: 5-8 mins.

The number of connected things in use globally will surge from 8.4 billion in 2017 to 20.4 billion by 2020, with total spending on endpoints and services exceeding $2 trillion1.

Smart Cities and their infrastructure respond intelligently to changes in their environment including user demands and other infrastructure, to achieve improved performance (Royal Academy of Engineering). Data is at the heart of this with smart systems utilising a feedback loop that informs decision making.

Smart Cities therefore rely on the IoT, which is the extension of the Internet to physical objects to provide this data. Their connection however whilst providing the smart cities with the important data has subsequently made them vulnerable to cyber-attacks.

Additionally, IoT devices are often constrained in terms of resources (energy, computing power, and memory), physical environment, and cost, such that traditional IT security mindsets cannot be applied directly. IoT devices may run without supervision and for extended periods of time, possibly in hostile environments – making them particularly susceptible to hacking. Many might have zero or limited user interfacing; thus, patching and updating may not be convenient and malfunctioning or rogue devices may not be immediately detectable. This leads to the following risks occurring:

– Consumer security, privacy and safety are undermined by the vulnerability of individual devices.

– The wider economy and critical infrastructures face an increasing threat of large scale cyber-attacks launched from large volumes of insecure IoT devices. In countries and in smart cities where cyber is still evolving this could have a massive impact.

One area that is currently a topic of significant research is that of the security of voice-activated digital assistants. Recent studies have identified new attack vectors including “voice squatting” or “voice masquerading” in which hackers assume control of voice-controlled applications.

According to ABI Research, at this moment less than 4% of IoT devices are secure by design2. The real-life incidents depicted in Figure 1 below emphasise the urgency of improving IoT security. For IoT to be successful, useful and acceptable, the hazards that come with the wide-spread use of IoT must be managed to risk levels acceptable for society.

It is important to distinguish between consumer IoT and Industrial IoT. The consumer IoT includes a plethora of consumer items ranging from: cars, smartphones, to remote home heating and lighting. They require a communications network, i.e. Wi-Fi, broadband or 4G (and 5G when deployed). Finally, they require a computing system to make use of the data including the storage, applications and analytics.

Industrial IoT (IIoT) include the Industrial Control Systems (ICS) and the Supervisory Control and Data Acquisition (SCADA) that control them. The Cyber Security Body of Knowledge (Reference) refer to these as Cyber Physical Systems (CPS). These include elements of critical national infrastructure including power generation and distributions, transportation systems, ground, sea and air vehicles, robotics and advanced manufacturing and medical devices.

Within the traditional field of IT Cyber Security has been concerned with Confidentiality, Integrity and Availability- yet in relation to IIoT yet another factor, that of safety and resilience, must be considered.

What’s the big deal around IoT and security?

Critical infrastructuresites affected

Large scale power grid crashed

Multi kilotonpipeline explosion

Hospital breaches via medical devices

Cars digitally stolen & remotely crashed

1 There are nascent regulations Euro Standard Org ETSI and TS103 645 which provide a system baseline for consumer IoT, together with the Internet Task Force IETF and their manufacturing Usage Description (MUD).

From this we have set the following hypotheses based upon work done by:

1. IoT or better said IIoT is by definition vulnerable – IoT is a network of physical devices using open network standards and software. Often these were never designed to be connected to the IoT and are were used more in Operational Technology (OT)

2. IoT devices are deployed fast, on a global scale and with unknown lifespan – IoT is one of the main drivers of innovation in today’s world and, owing to the almost borderless digital economy, IoT solutions are developed for a global market. As a result, the pace of technology development is high and competition is fierce. At the same time, product lifecycles may be long, and devices can be used for a longer period than intended by the manufacturers.

3. No level playing field for IoT device manufacturers1 – Owing to the lack of legislations and the differences in legislative environments in different countries, there is no level playing field for vendors nor a common expectation of security functionality. From a Smart City perspective this makes the risk even greater.

Challenges posed by Smart City IoT

4. Cyber threats are multiplied- With the proliferation of IoT devices in smart cities, attackers now have countless entry points available to compromise a city’s systems. Making matter worse, many cities have chosen to deploy IoT sensors on top of existing systems. One example is sensors on established gas and water systems that are in turn connected to broader networks for data aggregation and analysis. Unfortunately, these sensors often have minimal security capabili-ties, and minimal ability to be upgraded over time as vulnerabilities are uncovered.

5. Accepted standards and frameworks: Another challenge is the lack of generally accepted standards governing the functioning of IoT-enabled devices. Even within the same city, various agencies and departments can select IoT devices from different vendors that use different com-munications protocols, different security models and generate data in different format. The out-come is that cities face a trade-off between interoperability and security. Fundamentally, every new device added to an IoT ecosystem adds a new attack surface or opportunity for malicious attack.

6. Lack of security in the IoT business equation – Time-to market, usability and cost are key considerations for many solutions, and the razor-thin margins for these devices leave manufacturers with less to spend on security with virtually no incentive. Indeed, an attack on a device may affect neither the manufacturer nor the user but heavily impact a third party target in a botnet scenario. Standards are being produced which can only a good thing, and which will lead to the risks be reducing.

7. Lack of IoT security awareness – Vulnerable IoT devices are deployed fast, globally and with unknown lifespan, while a level playing field on common standards and technical solutions for cybersecurity in IoT is lacking for the industry. This creates safety, environmental and social hazards that are not well understood and likely to be unacceptable for society.

The Cloud Security Alliance (CSA)5, outline some cyber security core basics as per below:

Strong cryptography to protect data, both at rest and in transit: All wired and wireless communications (data in transit) should be properly protected with strong encryption. Systems dealing with sensitive data should provide a mechanism to encrypt data at rest.

Authentication capabilities: All systems should require a username and password to access functionality, at a minimum. To enhance authentication capabilities, the solution should support strong authentication mechanisms (one-time passwords, certificate- or biometric-based authentication, etc.).

Authorisation capabilities: All functionality should require and enforce proper permissions before performing any actions.

Automatic and secure update of software, firmware, etc.: Software/firmware update mechanisms should be available, and updates should be delivered in an automatic and secure way.

Smart city solutions should be expected to comply with basic security requirements such as:

Auditing, alerting, and logging capabilities: All systems should provide mechanisms for auditing and logging security events. Logs must also be saved securely against tampering.

Anti-tampering capabilities: Devices should have a mechanism to prevent tampering by unauthorized sources.

No backdoor/undocumented/hardcoded accounts: Some vendors release systems with backdoor/undocumented/hardcoded accounts. Often, these accounts cannot be removed or disabled and have passwords that cannot be changed, allowing anyone to compromise the system using these accounts. Removing or disabling these accounts should be enforced in the service-level agreement (SLA) to ensure vendors will comply.

Non-basic functionality disabled by default: Only basic functionality should be enabled by default, and the rest should be enabled depending on the organization’s needs.

Fail safe/close: In the case of a system malfunction or crash, the system should remain secure and security protections remain enforced.

Secure by default: Solutions should come with a secure configuration by default.

If you are working on securing your Smart City project what should you do?

1

2

3

4

5

6

A Google search for IoT Security will return many hits from a vast array of organisations. Indeed, this is growing day by day and organisations and think tanks of all sizes start to create copy based on new findings, research and indeed actual attacks.

Seek collaboration. Join local groups such as Meetup where likeminded people get together network, chat, present and share their experiences. The IoT Security Institute6 operates such a network, and if one does not exist in your city, they will help you to setup and create and even advertise the event. SA Group are the lead for the Riyadh Chapter.

Ensure you adopt a secure by design approach: This is essential as out of the box many devices and sensors may not be. The CSA guidelines above are just one source. Seek out and defined your own based upon best industry papers and research.

Trained and aware people: Without these are all levels mistakes can happen leaving you vulnerable. Many organisations such as SANS, are now offering ICS based courses and others are starting to offer IoT Security ones (Udemy, Coursera, Cybrary).

Standards and frameworks: Seek out those organisations that are working to make better standards, look for evolving frameworks, and get involved. The GSMA provide some excellent guidance for all areas here7.

Vendors: Ask and push your vendors to demonstrate that security is factored into their designs and that patching will be carried out should exploits become known.

Academia and State: Ensure you are connected to these institutions that are working on developing thought leadership and state requirements. This is vital in the context of an evolving nation where you are mandated to adopt their cyber standards.

As a cyber professional what can I do?

Having discussed the many definitions and the wide ranging bodies all looking at IoT, it can be seen just how fragmented and dynamic this area has become. In terms of Smart Cities, these are being developed fast and quick and if we add the “S” to IoT it shows even more the need to consider the implications of a cyber-attack.

In this paper, we have highlighted important security considerations for the selection and operation of smart city technologies.

Organisations migrating their operations and services to a smart city scale need to be aware of the risk and work being done to provide appropriate standards and frameworks. In the future, numerous cyber threats are expected to plague smart cities. At the same time, tolerance to cyber damage is minimal, in a smart city “one is too many.”

This paper has sought to provide some useful insights and guidelines that can help your organisations work towards a certain level of assurance and bring trust to operations and services.

Conclusion

2The Internet of Things Security Institute is an academic and industry body dedicated to providing frameworks and supporting educational services to assist in managing security within an Internet of Things eco-system. In addition, we are the authorised certification body for the SCCISP certification.

Sources:

1. Gartner: https://www.gartner.com/newsroom/id/3598917

2. IoT Security from Design to Lifecycle Management, An Embedded Perspective; ABI Research, 2018

3. ENISA: Terms of Reference for the ENISA Internet of Things (IoT) Security (IoTSEC) Experts Group

4. The IoT Security Landscape: Cyber Security Agency of Singapore Ministry of Economic Affairs and Climate Policy of the Netherlands, September 2019 Dr Mark van Staalduinen Yash Joshi

5. Cloudsecurityalliance.org: Cyber Security Guidelines for Smart City Technology Adoption.

6. IoT Security Institute: https://iotsecurityinstitute.com

7. GSMA IoT Security: https://www.gsma.com/iot/iot-security/iot-security-guidelines/

For reference and more information, please see the following:

SA Group is a Cyber Security, P3M and Technical consultancy working in vital and highly complex Public Sector and Commercial markets. We specialise in helping clients in technical and digital environments scope and deliver against their complex challenges.

| 03333 583340| info@sa-group.com| www.sa-group.com