Q. At a personal level, if you were to train embedded engineers on IoT security best practices, how would you go about this process?
A. For enterprises, we train engineers by assuming the role of attackers. Understanding the modus-operandi of cyber attackers is the key. Once a system has been attacked, glaring loopholes are then displayed to developers to improvise and cover the holes.
With this approach, analysis of the code written by developers also takes place. Here, enthusiasm amongst the embedded engineers is also at a peak. I would also let developers to fix the gaping holes (as stated above) by themselves via secure codes so that they are in a position to code securely.
Q. Finally, for a more generic sector like healthcare, how do you define IoT security from a researcher point of view?
A. For a sector like healthcare, embedded system engineers (the IoT engineering community) should remember that the data generated is extremely sensitive. Security solutions should be engineered keeping in mind the attack probabilities.
An illustrative scenario here, pacemaker data is vital for heart patients, in case there is a security breach, lives of patients are put at risk. There have also been instances where smart insulin monitors were breached resulting in irregular levels of insulin being monitored to patients. These illustrations only represent the seriousness for developing secure solutions for a sector having general societal impact.
There should also be security at the individual healthcare levels, such as at hospitals where enormous patient & medicine-related data is generated. As of now, the Indian smart healthcare scheme of things is still at a nascent stage. Therefore, engineers should constantly research on the practices employed by the developed economies and come up with appropriate solutions for the sector.