Small and medium-scale enterprises cannot choose to ignore top-class security for their Industrial Internet of Things (IIoT). To help them guard against cyber threats, engineers need to develop suitable solutions by understanding the nature of attacks that IoT networks are vulnerable to. Faud Khan, chief security analyst at TwelveDot Inc., Canada, speaks to Rahul R. from EFY Group about the issues and developments in this space
Q. What aspects should engineers consider when developing secure solutions for SME IoT networks?
A. The key aspect is both design and threat modelling. When developing the product concept at the design stage, engineers should look at incorporating security controls that minimise their products’ vulnerabilities to threats. The key element is technical analysis of ways and means through which the product could be abused by cyber-criminals. Since the IoT comprises multiple layers, via the middleware layer, cloud and device layer, engineers should understand individual components of an IoT system and evaluate vulnerabilities accordingly.
Q. What are the likely attacks for SME IoT networks?
A. We term the process of compromise as ‘weaponsing.’ A lot of IoT devices have inherent vulnerabilities to attacks. This makes it easier for cyber-criminals to compromise these systems and launch attacks such as Distributed Denial of Service (DDoS). DDoS along with Denial of Service (DoS) is the most common type of attack on SMEs. The key to protecting data is to understand the basic security infrastructure and analyse how it processes the data collected. Once this is achieved, layers of different access controls should be deployed.
Consider a scenario where the system is made to guard itself against scripting attacks. To accomplish this, engineers should test and validate the application and all server components. The code of the front end should be made secure. This holds true for databases as well. If a database takes SQL commands, engineers should ensure that external SQL commands cannot be injected into the system. Finally, database encryption should also be done at communication and storage layers.
Q. Is there any international body that regulates IoT security?
A. Right now there is no regulatory council that guarantees security. Specific domains have their own security and safety protocols. This is true of the current aviation and nuclear sectors, which follow a group of closely-knit standards for their day-to-day activities. However, as far as consumer sector is concerned, there are no safety standards overseen by international regulatory forums. Nonetheless, the industrial sector is subjected to defined safety standards. Safety standards for industrial networks (IIoT) have to meet specifications laid out by governments.
Q. How do you view India’s level of preparedness?
A. IoT-centric research in India is definitely moving along the right path. Research scientists and product companies have understood the underlying cyber-security factors. This would definitely help the country at this juncture when it is starting to develop smart cities.
Q. Talking of research, how should engineers build industrial systems such that security is incorporated from the chip level itself?
A. Understanding the supply chain of the chip and other components is key to understating the risk for systems. Aspects such as potential compromises to the chip at the factory level need to be properly analysed and identified. Once chips are released, monitoring and run-time systems should be able to detect compromises before a system is developed on top of a chip.
Q. Finally, for sectors like healthcare that have societal impact, how should industrial systems be designed for maximum security?
A. For healthcare, the approach is a tad different considering the fact that devices here have personally identifiable information (PII). Understanding your data at risk is key. Specifically, you must understand data collection, processing and storage for critical data. Access permissions within IoT networks should also be carefully developed and distributed to official sources. Besides, engineers should understand the usable life of data. If data is unnecessary or provides little value, it must be securely deleted.
