Current Indian scenario demands us to start considering all the possibilities of intense and newer cyber-attacks, the reason being the increased penetration of smart technologies, notably the Internet-of-Things (IoT), Artificial Intelligence (AI), Machine Learning (ML) and Deep Learning. The need of the hour is to develop and implement secure codes in tandem with ensuring best practices using standard models in all critical systems.
Deepu Chandran, Senior Technical Consultant at LDRA Technology – India, shares his expertise on secure coding, safe code testing and IoT standardisation & implementation, over a candid chat with Rahul R of Electronics for You (EFY).
Q. Firstly, when it comes to industrial safety, have you personally got to check out instances wherein nuclear systems have been compromised? What steps did IoT engineers take to mitigate these risks?
A. Nuclear systems are highly sensitive and protected, we do not get much information on an attack usually. But, to generalise when it comes to safety we have come across instances where proactive measures have been taken. This naturally leads to lowering the risk level for safety.
But as a suggestion, as far as mitigation of risk is concerned, engineers in expert teams should properly define functional safety and security. The risks are classified into different levels; for business needs, there are business risks; for operations level, functional level, security perspective.
In the case of Industrial IoT (IIoT), I think there is no installation in India were IIoT is used, it is worth noting that the legacy is very less. Therefore, we need to bring in expertise from other core domains. In fact, in India, we have experts in functional safety which can be used for implementing a risk assessment process. Once this is done, the exact risk can be identified to properly plan mitigation activities.
Also, implementing mitigation activities during the different stages of the lifecycle of products also plays a major role in developing safety and security for IIoT.
Q. The above were detailed insights, however, could you offer simple tips for engineers for secure coding whilst mitigation of risks, and how to integrate these practices at the design level itself?
A.I would recommend that security best practices and principles are best incorporated starting straight from the requirements level itself. Today, when we look at sectors such as aerospace, drilling down to the exact processes followed during the developmental life cycle becomes easy during an incident/accident. This is vital in case of determining the root causes of incidents.
As the process is simple and not taxing, it can be followed for the security applications as well. In these scenarios, classifications of safety and criticality levels within systems are vital; post this, processes should be defined for each level. Even though there are generic frameworks for industrial systems, engineers should be wise enough to judge and predict the exact workable frameworks for their products. The key here is to follow a drill-down approach addressing security in each stage.
Q. When we delve into the latest industrial buzzword which is Industry 4.0, there would naturally be requirements for ‘smarter’ security, how do you think that smart technology can be leveraged towards developing smart security for smart industrial systems?
A. I would say that Industry 4.0 is 50% the buzzword considering past trends. Today’s researchers and IoT solution providers are gearing up with maturity levels to deal with the situation. This may help over a time period to come up with reference models for Industry 4.0 security. We should wait for Industry 4.0 standard products to hit the market so that the ground realities are evaluated properly.
At this point in time, the buzzword is patenting of prototypes and technology before the actual launch of products. Therefore, products should first be launched to identify the degree of security risks associated with that particular offering. I feel that security research with respect to Industry 4.0 will take the time to mature. What matters is the device-level security research, for this, we need to wait a tad longer.
Q. Moving to an area of societal impact, how would you position security for a healthcare IoT system?
A. Like always, classification of devices plays a key role even in healthcare. In functional safety, there should be a minimum of 5 levels of safety to mitigate any sort of contingencies. In the case of existing vulnerabilities, the impact of these on safety and operational requirements of the system must be properly evaluated in case of connected systems.
In fact, medical devices need regulations; I am not aware of any such in India at this point of time. However, I have interacted with firms that develop medical devices and classify these, based on usages viz. Indian markets and global, at the factory level itself.
An illustration here would be the high-tech insulin pumps that communicate with doctors and accordingly injects insulin automatically. Imagine, if this system is compromised, it could also lead to overdose and ultimately loss of lives. The possibilities of ransomware also open up. Therefore, regulation of medical devices is an important requirement now.
Q. Finally, how do you define secure coding practices? How should engineers follow the standards introduced?
A. Firstly, I would like to re-iterate the fact that secure coding is now something new. Secure coding involves following a stringent programming practice. Implementation of secure systems demands a set of processes to be followed, and coding practice is just one of them.
Industries like aerospace and automotive are well versed with coding standards, applying it to the functional safety aspect. Let us consider an example, in the case of autonomous cars, GPS spoofing can be done to take control of the car and the impact of this security issue is on safety. So, you can now understand the relationship between safety and security.
I think that companies today need engineers who can come out with codes as per coding standards. Remember that languages such as C, C++ can be used in any way, to light a candle to blow up a building.
Depending on the product requirement and its operational impact on safety and security organizations should define the lifecycle process including security considerations. Engineers need to follow these process incorporating coding guidelines. Also ensure to test it for enhanced assurance, before the product release.
