The Royal Academy of Engineering and the PETRAS Internet of Things research hub have called for greater coordination between the government, industry, system operators and the engineering profession to ensure adequate security around IoT devices in the future.
With IoT devices flooding the market and their numbers rising rapidly in UK homes, the Royal Academy of Engineering warned that if not secured properly, such devices could be used by cyber criminals to invade the privacy of people’s homes and to collect personal data of people without their consent.
Why is the security around IoT devices so important?
According to a report published by the Royal Academy of Engineering and the PETRAS Internet of Things research hub, while digital technologies used in industrial systems and consumer applications create many opportunities to realise economic, social and environmental benefits across business and society, any vulnerability in such technologies could have an equally negative impact on society.
“Cyber attacks on connected health devices are of increasing concern as they could have severe consequences on patient safety. Ever greater numbers of health devices have been identified as being potentially at risk, including pacemakers and MRI scanners,” the report warned.
“It is vital that we improve the level of technical and data literacy and skills to enable the public to become involved in reinforcing security in data and the Internet of Things. Ethical development of these emerging technologies is a collective responsibility for the whole of society, not just for those who are developing them,” said Professor Rachel Cooper OBE, Adoption and Acceptability theme lead at the PETRAS IoT Research Hub.
The report comes not long after Interpol warned that all IoT devices that are connected to the Internet are at risk of cyber attacks and that the threat from hackers has increased significantly in the past two years. Interpol has called for a multi-stakeholder approach which will allow law enforcement authorities to collaborate with the private sector to detect and investigate cyber attacks on IoT devices.
Interpol added that while police forces across the world are now developing the skills necessary to forensically examine computers and mobile phones, they are often not clear on how to collect evidence from IoT devices.
To hone their skills in conducting forensic analysis of IoT devices, Interpol conducts Digital Security Challenge contests every year, bringing together cybercrime investigators and digital forensics experts from across the world. This year’s challenge involved investigators identify the source of a malware that was injected into a bank’s systems through a compromised webcam.
What needs to be done to improve cyber security of IoT devices?
According to the working group, the government, along with regulators, organisations and their supply chains have to be continually responsive and flexible to the evolving nature of the challenges. While ensuring that IoT products are ‘secure by default’ is essential, manufacturers and the government need to take additional steps to improve cyber security as there is no ‘silver bullet’ solution to the problem.
These steps include creating mandatory risk management procedures for critical infrastructure which should serve as guiding principles for cyber risk management during design, operation and maintenance, transparency throughout the supply chain about the level of cybersecurity provided in products and services, an international agreement between governments and institutions that sets out an international baseline for IoT data integrity and security, and adoption of ethical frameworks that support ethical behaviours on IoT to help minimise risks to society.
“Connected systems underpin improved services, drive innovation, create wealth and help to tackle some of the most pressing social and environmental challenges. The reports we are publishing today identify some of the measures needed to strengthen the safety and resilience of all connected systems, particularly the critical infrastructure on which much of our society now depends.
“We cannot totally avoid failures or attacks, but we can design systems that are highly resilient and will recover quickly,” said Professor Nick Jennings, lead author of Cyber safety and resilience: strengthening the digital systems that support the modern economy.