Q. Moving to an area of societal impact, how would you position security for a healthcare IoT system?
A. Like always, classification of devices plays a key role even in healthcare. In functional safety, there should be a minimum of 5 levels of safety to mitigate any sort of contingencies. In the case of existing vulnerabilities, the impact of these on safety and operational requirements of the system must be properly evaluated in case of connected systems.
In fact, medical devices need regulations; I am not aware of any such in India at this point of time. However, I have interacted with firms that develop medical devices and classify these, based on usages viz. Indian markets and global, at the factory level itself.
An illustration here would be the high-tech insulin pumps that communicate with doctors and accordingly injects insulin automatically. Imagine, if this system is compromised, it could also lead to overdose and ultimately loss of lives. The possibilities of ransomware also open up. Therefore, regulation of medical devices is an important requirement now.
Q. Finally, how do you define secure coding practices? How should engineers follow the standards introduced?
A. Firstly, I would like to re-iterate the fact that secure coding is now something new. Secure coding involves following a stringent programming practice. Implementation of secure systems demands a set of processes to be followed, and coding practice is just one of them.
Industries like aerospace and automotive are well versed with coding standards, applying it to the functional safety aspect. Let us consider an example, in the case of autonomous cars, GPS spoofing can be done to take control of the car and the impact of this security issue is on safety. So, you can now understand the relationship between safety and security.
I think that companies today need engineers who can come out with codes as per coding standards. Remember that languages such as C, C++ can be used in any way, to light a candle to blow up a building.
Depending on the product requirement and its operational impact on safety and security organizations should define the lifecycle process including security considerations. Engineers need to follow these process incorporating coding guidelines. Also ensure to test it for enhanced assurance, before the product release.