CIOs visualize an imminent IoT security storm
- 03 June, 2014 10:27
Gareth Bridges - Business Manager, Security and Information Management, Symantec
Andy Bien - IT Director, Airport Authority Hong Kong
Praveen Kancharla - VP & Chief Engineer, GWB Infrastructure Solutions & Delivery, Bank of America Merrill Lynch
Michael Leung - Chief Information & Operations Officer, China, CITIC Bank
Lawrence Lo - GM, Corporate Risk Management & Compliance, HKCSL
Christoph Ganswindt - Executive Director, Information Technology, Hong Kong Jockey Club
Dale Johnstone - Senior System Manager (IT Security & Risk Management), Hospital Authority
Dennis Lee - Head of IT Risk & Control, Asia, Nomura International (Hong
Ted Suen - Head of IT, MTRC
Mui Chee-Leong - VP & CTO, Asia Division, Manulife International Ltd
Jacqueline Teo - Head of IT Services, Telstra Global
Franky Tse - Assistant GM, Head of IT, Public Bank (HK)
If media reports and technology vendors are to be believed, then the world of artificial intelligence, smart cities, and a life of automated-everything is just around the corner. The surge of hype around the Internet of Things (IoT) has stolen the thunder of big data and cloud, the last two technology trends dominating headlines.
According to Gartner, there are 0.9 billion connected devices today, all communicating at some level of machine-to-machine connectivity. By 2020, Gartner predicts this will swell to 26 billion devices, including sensors in cars, homes, and the streets we walk and drive on.
The benefits are immense, but the flip side--according to Gareth Bridges, business manager, Security and Information Management, Symantec--are the unknown security threats brought by this massive sprawl of connected devices and sensors.
Bridges suggested that devices as diverse as TVs, vehicles, ATMs, health systems, and industrial control systems, could be open to attack in the near future as they become connected to the Internet and to each other.
Growing attack surface
These connected devices may pose a risk even without Internet connectivity, as the threats are not exclusive to Web-enabled devices. Recently, former US Vice President Dick Cheney had the wireless capability of his pacemaker disabled over concerns that it could be hacked in an assassination attempt.
"We're seeing lots of things like this: attack vectors that didn't exist before, and now require serious thought," said Bridges. "As these things become more connected, you end up with a much greater attack surface."
One area where connected devices are on the rise is in healthcare. IoT promises a transformation of the healthcare delivery landscape as remote health-monitoring and automation of processes is accelerated by more connected devices.
Dale Johnstone, senior system manager (IT Security & Risk Management), Hospital Authority, said that the Cheney pacemaker incident drew attention to the issue and highlighted a further challenge that health providers face: maintaining the integrity of devices and equipment within internal networks.
Johnstone stressed that all medical equipment within the Hospital Authority is strictly managed and protected from external networks; everything is managed within the internal environment. Given the high-risk nature of medical equipment, everything is tightly governed, and installing additional security on medical devices is considered very carefully, since many devices are highly regulated and any change has to be weighed against compliance requirements.
"From a security perspective and as a hospital authority, we're aware of the issues that IoT may bring," said Johnstone. "Currently, all devices we use are controlled within our own networks so exposure to the Web is limited."
Another industry that IoT is already affecting is transportation. At the Hong Kong Airport Authority, IoT is viewed as an opportunity to enable smart airport initiatives. Andy Bien, CIO at the Airport Authority, said that connected devices, objects and sensors will be used to inform management of real-time situations and performance in the airport.
"Besides the passengers and people we serve, we also want to track the movement and status of objects and equipment within the airport," said Bien.
The Airport Authority is already a world leader in the adoption of RFID for luggage-tracking and Bien predicts that by the time the planned Hong Kong Airport expansion is complete, technology advances will be key to enabling a more dynamic operation than the one he oversees today.
But on the security challenges of IoT, he believes the key issues are identity management and governance. "Technologies, devices, protocols and access methods change constantly, but to stay on top of security we must remain consistent in the management and governance of these changes," said Bien. "Establishing the proper standards and controls from the beginning is critical in enabling this new world of connected devices."
Identity and control
RFID-tagged baggage is currently used only at Hong Kong Airport, but Bien suggests that, in the near future, we might see permanent RFID tagging of bags--which could be further connected to a number of applications, such as frequent-flyer programs. The challenge in this scenario according to Bien: what standards are required to authenticate identity and control access?
Christoph Ganswindt, executive director of IT, Hong Kong Jockey Club, agreed that the standards issue hinders wider adoption of new technologies like RFID. He also raised the issue of data protection concerns when these higher levels of connectivity are finally enabled.
"Right now it's great for the Hong Kong Airport Authority to implement an RFID system to track baggage," he said, "but that's of no use when that bag arrives at another airport. There needs to be global standards for these use-cases to realize their potential value."
Ganswindt added that the industry has evolved greatly in making sensor technology like RFID more prevalent and standardized, but much more needs to be done to make IoT a reality.
The HKJC director gave the example of BMW, which has installed sensors and embedded SIM cards in its cars since 2002. In Germany, every BMW vehicle's embedded SIM allows the manufacturer to monitor the vehicle for speed, distance, location and other data, but this feature isn't activated in Hong Kong.
"The question: when this is activated [in Hong Kong], what will BMW do with the data?" said Ganswindt. "I bet insurance companies and the police will be interested in this information, but what about data privacy and data integrity?"
"This is a huge issue for the ongoing development of these technologies," he said. "As someone on the board of a company, I would be cautious--I'd ask questions like: 'Do I really need this device connecting to the Web, and is the risk greater than the benefit?'"
IoT multiplier effect
According to Mui Chee Leong at Manulife, the insurance industry views IoT as something that can deliver a better customer experience through more real-time interaction and processing of insurance services.
"Point of sales and payments are increasingly important for us within the insurance sector," he said, "and technologies that can further help us deliver straight-through processing are of great benefit to our distribution and our customers."
But once again, standards are a key stumbling block. "We don't want to be in a situation like Bitcoin, where there's no regulatory framework surrounding it and things just fall apart," said Mui.
He highlighted the current state of mobile diversity and the challenge in securing an environment with so many platforms and non-standard elements. "If we extrapolate this diversity and standards challenge to IoT, the problem is going to be even more pronounced," said Mui.
Symantec's Bridges acknowledged that these issues will not be solved anytime soon; so far, IoT and the security solutions built on these technologies are driven by specific vendors rather than by any standards body.
Symantec is actively working with industry bodies across various verticals to deploy additional security around connected devices. For example, aircraft manufacturers are evaluating additional tracking technology, PKI encryption and digital certificates across a range of devices and components to maintain integrity.
In banking and finance, hardening of ATM security is something Symantec is currently implementing with manufacturers.
"But perimeter hardening is only the first phase to improve security," said Bridges. "There are so many other ways to infiltrate that the traditional firewalls and network protection will not suffice--nowadays you're unlikely to be hacked through your firewall, it's more likely that a device within your network is compromised."
Jacqueline Teo, head of IT Services, Telstra Global, said that while there will be billions of connected devices and sensors in years to come, not every one of them will be a computing device. When assessing possible vulnerabilities, the prospect of billions of insecure endpoints is alarming, but Teo notes that sensors in pavements, parking meters, and roadsides clearly do not represent the same level of risk as a smartphone.
She added that understanding the appropriate level of risk is key to managing future threats. "To what extent do we secure all these risks? What security is appropriate at each of these endpoints?" said Teo.
Johnstone agreed that it all depends on the purpose of the end-device, and if it's simply an input device for relaying information, then the risk is probably low--depending on the sensitivity of the data.
"Clearly there's not one simple profile for devices," he said. "You need to look at the circumstances under which the device fits into the picture. With sensors, the most important thing may be the integrity of the data in the backend, or maybe the identity of that device."
"The point is not to crack a walnut with a sledgehammer. Don't apply security controls you don't need to," he said.
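Two threads above converge on the same control: Bridges' mention of digital certificates deployed across components "to maintain integrity", and Johnstone's point that for a simple sensor what matters is "the integrity of the data in the backend, or maybe the identity of that device". The following is an added example, not code from the article or from any of the organisations quoted in it, showing the minimal shape of that control for a low-power sensor: a per-device secret provisioned at enrolment, a message authentication code over each reading, and a monotonic counter so the backend can reject tampered, replayed and impostor readings. It uses HMAC-SHA256 with a key registry in place of the certificate-based signing Bridges refers to; the device IDs, key store and reading format are assumptions for the example.

```python
"""Per-device authentication and integrity for sensor readings.

Added example (not code from the article or any vendor named in it).
Assumptions: the backend holds a registry of device IDs and per-device
secret keys provisioned at enrolment, and each reading is a small
JSON-encodable record. HMAC-SHA256 stands in for the certificate-based
signing the article mentions; the structure (device identity, payload
integrity, replay detection) is the same.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple


def _canonical(msg: dict) -> bytes:
    """Stable byte encoding of every field except the MAC itself."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, msg: dict) -> str:
    return hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()


class Backend:
    """Backend side: device registry plus per-device replay state."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}        # device_id -> secret key
        self._last_counter: Dict[str, int] = {}  # device_id -> highest counter accepted

    def enrol(self, device_id: str) -> bytes:
        """Provision a fresh random key for a device (constructed enrolment step)."""
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        self._last_counter[device_id] = -1
        return key

    def verify(self, msg: dict) -> Tuple[bool, str]:
        """Return (accepted, reason) for one incoming reading."""
        key = self._keys.get(msg.get("device_id"))
        if key is None:
            return False, "unknown device"
        # Constant-time comparison: a MAC mismatch means the payload was
        # altered in transit or the sender does not hold this device's key.
        if not hmac.compare_digest(_mac(key, msg), str(msg.get("mac", ""))):
            return False, "bad MAC"
        # Counter is authenticated at this point, so it is safe to trust it.
        if msg["counter"] <= self._last_counter[msg["device_id"]]:
            return False, "replay"
        self._last_counter[msg["device_id"]] = msg["counter"]
        return True, "ok"


class Sensor:
    """Device side: a sensor that authenticates each reading it emits."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key
        self._counter = 0

    def reading(self, value: float) -> dict:
        msg = {"device_id": self.device_id, "counter": self._counter, "value": value}
        self._counter += 1
        msg["mac"] = _mac(self._key, msg)
        return msg


def demo() -> Dict[str, str]:
    """Run the genuine, tampered, replayed, impostor and unknown cases."""
    backend = Backend()
    device_id = "pavement-sensor-0017"              # constructed device ID
    sensor = Sensor(device_id, backend.enrol(device_id))
    results: Dict[str, str] = {}

    good = sensor.reading(21.5)
    results["genuine"] = backend.verify(good)[1]

    tampered = dict(good)                           # MAC no longer matches the body
    tampered["value"] = 99.0
    results["tampered"] = backend.verify(tampered)[1]

    results["replay"] = backend.verify(good)[1]     # valid MAC, stale counter

    impostor = Sensor(device_id, secrets.token_bytes(32))   # right ID, wrong key
    results["impostor"] = backend.verify(impostor.reading(3.0))[1]

    stranger = Sensor("rogue-0001", secrets.token_bytes(32))  # never enrolled
    results["unknown"] = backend.verify(stranger.reading(1.0))[1]

    results["next"] = backend.verify(sensor.reading(22.0))[1]  # counter advances
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The order of checks matters: identity first (unknown devices are rejected before any cryptography runs), then the MAC (so nothing in the record is trusted until it has been authenticated), and only then the counter. Checking the counter before the MAC would let an unauthenticated attacker advance a device's replay state and lock out its genuine readings.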
Johnstone was also keen to stress that industry bodies and standards organizations are well aware of IoT risks, and committees are actively addressing these security issues.
"It's easy to pick up on reports that nothing is being done to address IoT standards and security, but people are looking into this seriously," he said. "Just don't expect anything anytime soon as discussions are not mature at this stage, and getting international consensus on standards is challenging at best."