The current Indian scenario demands that we start considering all the possibilities of intense and newer cyber-attacks, the reason being the increased penetration of smart technologies, notably the Internet of Things (IoT), Artificial Intelligence (AI), Machine Learning (ML) and Deep Learning. The need of the hour is to develop and implement secure code, in tandem with ensuring best practices using standard models, in all critical systems.
Deepu Chandran, Senior Technical Consultant at LDRA Technology – India, shares his expertise on secure coding, safe code testing and IoT standardisation & implementation, over a candid chat with Rahul R of Electronics for You (EFY).
Q. Firstly, when it comes to industrial safety, have you personally got to check out instances wherein nuclear systems have been compromised? What steps did IoT engineers take to mitigate these risks?
A. Nuclear systems are highly sensitive and protected; we do not usually get much information on an attack. But, to generalise, when it comes to safety we have come across instances where proactive measures have been taken. This naturally leads to lowering the risk level for safety.
But as a suggestion, as far as mitigation of risk is concerned, engineers in expert teams should properly define functional safety and security. The risks are classified into different levels; for business needs, there are business risks; for operations level, functional level, security perspective.
In the case of Industrial IoT (IIoT), I think there is no installation in India where IIoT is used; it is worth noting that the legacy is very less. Therefore, we need to bring in expertise from other core domains. In fact, in India, we have experts in functional safety who can be used for implementing a risk assessment process. Once this is done, the exact risk can be identified to properly plan mitigation activities.
Implementing mitigation activities during the different stages of the lifecycle of products also plays a major role in developing safety and security for IIoT.
Q. The above were detailed insights, however, could you offer simple tips for engineers for secure coding whilst mitigation of risks, and how to integrate these practices at the design level itself?
A. I would recommend that security best practices and principles are best incorporated starting straight from the requirements level itself. Today, when we look at sectors such as aerospace, drilling down to the exact processes followed during the developmental life cycle becomes easy during an incident/accident. This is vital in case of determining the root causes of incidents.
As the process is simple and not taxing, it can be followed for the security applications as well. In these scenarios, classifications of safety and criticality levels within systems are vital; post this, processes should be defined for each level. Even though there are generic frameworks for industrial systems, engineers should be wise enough to judge and predict the exact workable frameworks for their products. The key here is to follow a drill-down approach addressing security in each stage.
Q. When we delve into the latest industrial buzzword which is Industry 4.0, there would naturally be requirements for ‘smarter’ security, how do you think that smart technology can be leveraged towards developing smart security for smart industrial systems?
A. I would say that Industry 4.0 is 50% the buzzword considering past trends. Today’s researchers and IoT solution providers are gearing up with maturity levels to deal with the situation. This may help over a time period to come up with reference models for Industry 4.0 security. We should wait for Industry 4.0 standard products to hit the market so that the ground realities are evaluated properly.
At this point in time, the buzzword is patenting of prototypes and technology before the actual launch of products. Therefore, products should first be launched to identify the degree of security risks associated with that particular offering. I feel that security research with respect to Industry 4.0 will take time to mature. What matters is the device-level security research; for this, we need to wait a tad longer.