Last week SA Premier, Jay Weatherill, VeroGuard Systems’ Co-CEO, Nic Nuske, and I addressed the media about the incredible global investment in IoT (US$7 trillion in 2108), the huge growth of IoT globally, the economic opportunity that exists around the world’s fastest growing industry sector and, finally, the identity and security “black hole” at the centre of the Smart City/Building and IoT transformation.
After this press conference I travelled around Australia as usual discussing and designing existing projects and was asked by several of our clients why and how LVX is so transfixed with issues of enablement and cybersecurity over and above the myriad edge devices being proposed to our firm every day.
It is prescient that in the days following this press conference the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) released what is the most all-encompassing, broad and deep report to date on the global status of cybersecurity in IoT, the Draft NISTIR 8200 Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT).
This Draft Report identifies the 5 key areas of IoT and summarises all currently identified risks and threats, as well as the associated Standards Landscape:
- Connected Vehicles
- Consumer IoT
- Health IoT and Medical Devices
- Smart Buildings, and
- Smart Manufacturing
It was reassuring to see that every one of the points that LVX has for years now been highlighting for our many Smart City/IoT clients and projects was identified in the Draft Report.
It is also of great relevance that, in opening, the Draft Report quotes from the US President’s National Security Telecommunications Advisory Committee (“NSTAC”) that “…there is a small – and rapidly closing – window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
Highlighted in the Draft Report is that cybersecurity in a practical sense deals with 3 competing interests (and their associated risks and threats) when it comes to IoT:
For the most part, in the developmental phase of IoT, emphasis has been on availability. As we at LVX routinely explain to our clients, the Draft Report identifies the beginnings of the IoT risk, “While traditional information systems generally prioritize Confidentiality, then Integrity, and lastly Availability, control systems and IoT usually prioritize Availability first, then Integrity and lastly Confidentiality.”
This fact, together with the time and cost pressures of IoT manufacturers’ fast-moving “go to market” plans and an often poor understanding of the overall architecture and security environment within which a single device may operate, heightens this risk. To date many manufacturers have not considered their devices (for example, smart bins) to be a likely target for hackers and cybercrime, but as simple devices are aggregated into extremely large IoT networks with a wide variety of functions and increasing security levels, these simple devices all too often can act as the point of access to far more sensitive systems.
The draft report provides an excellent example of cybercrime activating through IoT devices:
“The proliferation and increased ubiquity of IoT components are likely to heighten the risks they present; particularly as cyber criminals work to develop new generations of malware dedicated to exploiting them. For instance, Dyn, a company that monitors and routes Internet traffic, was a victim of a DDoS attack in October 2016 that was launched from thousands of IoT components infected with the “Mirai” malware. The torrent of traffic unleashed by the Mirai-infected IoT components overwhelmed Dyn’s systems and, in turn, rendered unavailable many high-traffic websites (e.g., PayPal, Twitter, Netflix, and CNN) that used Dyn’s Internet services for substantial periods of the day. The disruption of Dyn and associated Internet services underscores the significant, systemic harm that may be caused by malware dedicated to exploiting the security vulnerabilities of IoT components.”
Welcome to the era of “Weapons of Mass Disruption”.
To close, as an engineering firm that has maintained a dedicated team in the IoT and Smart City space since 2009, we find it refreshing that agencies like NIST are seeing what we see and attempting to establish a set of global standards for IoT Cybersecurity. The Draft Report is a must read for anyone and everyone operating in or contemplating the IoT space.
It is a great time for all of us at LVX to be working so closely with global leaders in this space like Microsoft and VeroGuard to develop solutions that plug our clients’ cybersecurity gaps in terms of standards, risks and threats identified in the NIST Draft Report.
If you are looking to address the issues of Cybersecurity and IoT for your government, city, company or products, by all means reach out to LVX to discuss your needs with our specialists in this field.