The Singapore Cybersecurity Consortium’s take on IoT protection
SINGAPORE is charging ahead with its digital transformation agenda, be it in the public services space or in the commercial market.
Organizations of all sizes are working on ensuring that they’re making the most of the technology that is available to them in the market.
One of these technologies, the internet of things (IoT), is quite a hit in Singapore and the rest of the region. It enables businesses to collect data from users in real time, something that was never possible before.
This obviously opens up new doors for the industry in terms of business opportunities but it also creates new risks.
“IoT in the business space comes with security risks that each organization needs to assess for themselves as these would depend on the nature of the business, scale, and criticality of the IoT functionalities, the IoT deployment model, and so on,” said Singapore Cybersecurity Consortium Executive Director Vivy Suhendra at the recent IoTAsia Summit in Singapore.
“Each additional thing connected to the business network contributes some increase in attack surface and becomes an additional endpoint to manage. We should aim to mitigate the risks as much as possible in all aspects of People – Process – Technology, and to always have an incident response plan for the unmitigated part of the risks.”
The Consortium is actively exploring IoT security
The Singapore Cybersecurity Consortium encourages innovations in IoT security-by-design as well as mitigation of IoT risks in less controlled environments.
In particular, one research project funded by the Consortium studies the mitigation of IoT security risks hand-in-hand with physical safety concerns, which would help create environments of safe-secure-by-design IoT systems.
Another funded project develops a NetFlow analysis method to identify vulnerable IoT devices connected to a network while respecting device owners’ privacy, which would help network owners manage the security of IoT systems and potentially take action when components are compromised.
Obviously, the Consortium spends a lot of time on such projects for the benefit of all users.
Currently, Singapore applies cybersecurity regulations to critical sectors, and rightly so, as security is not negotiable in those environments.
Hence for that use case, IoT innovations would be useful only when they work securely, or when the innovations themselves address security requirements of IoT.
Similarly, Suhendra expects project developments along secure IoT or IoT security technologies to flourish, as demand for them will be shored up by the need to comply with cybersecurity regulations.
More importantly, however, the industry and society need to go beyond the regulation compliance mindset and to truly understand the importance of cybersecurity when they use IoT.
When this is deeply embedded as a culture, innovations that arise would naturally keep security in mind.
“Where accountability is concerned, I believe all parties involved have individual as well as collective responsibilities.”
Businesses need to take action if they want to gain from IoT
According to Suhendra, providers of IoT products/services should equip their offerings with the applicable, up-to-standard security and privacy measures.
They must also respect user consent when it comes to personal information, and could take the extra step of educating users/clients on consumer responsibilities such as changing the default password and privacy configurations, she insists.
“We have heard concerns from industry partners that security inevitably increases costs for products and services, which most consumers are not willing to pay for.”
But there are also positive developments where the industry and academics have been having conversations to develop IoT security certification standards.
The Consortium believes that this will lend clarity to the different options in the market for the mutual benefit of providers and consumers, and could be supported by governments as well.
“I believe such industry- or community-driven certifications could have greater flexibility to suit IoT market trends than for strict regulations to be imposed by governments.”
In the interim, Suhendra has some specific advice for businesses using IoT:
“We would suggest that businesses who use IoT for core operations use only devices and services from manufacturers and providers who are committed to security and privacy, and able to deliver security patches when vulnerabilities are later discovered.
“They should perform proper device and network configurations, including changing default passwords.
“Finally, network separation may be a good idea in cases where insecure or unknown devices may connect to the network that is unmonitored, so that they will not have access to critical components if they become compromised.”
At the end of the day, the Singapore Cybersecurity Consortium is making every effort to accelerate how organizations (and government agencies) protect themselves while using IoT.
The discussions and dialogues it creates really help create a uniform understanding of what’s at stake and why mitigating risks should be a priority.
Nothing can stop the rapid proliferation of IoT devices and sensors — especially with 5G set to democratize the technology and take it to an entirely new level.
Hopefully, help from agencies like the Singapore Cybersecurity Consortium will allow for proactive measures to be taken to protect stakeholders before any damage is done.