IoT worry: security, standardisation

We are living in the world of the new cyber reality, and the recent massive cyberattacks using connected devices prove the point.

Malware targeting the Internet of Things (IoT) has matured and 2015 was a record year for IoT attacks, with eight new malware families emerging. Of late, with Mirai malware, the hackers have weaponised IoT devices in over 177 countries.

Is ‘doomsday’ approaching or is there a way out? Cyber security has become a grave issue impacting everyone, from governments planning to prevent new cyberwars, to business tycoons protecting their firms from unimaginable threats, to lawyers and ethicists building new frameworks for right and wrong. Is there a way to prevent such cyberattacks from happening again?

The answer is ‘yes’, these attacks can be prevented. But not unless every stakeholder in the business of IoT works together. The issue cannot be resolved without proper policies, cyber laws, checks and balances, standardisation and security at the very granular level.

Regulation in IoT comes with its own complications. Every industry vertical has a different use case, and expecting one set of regulations to apply universally is not practical.

Consider an example from tele-healthcare: compare the security compliance, in terms of encryption and authenticated access, required for a remotely controlled medication injector device for a patient with that required for a sensor monitoring the temperature of his room. For the first device, security should be of the highest level at each interface, from device to routers to the application level. For the latter, security at the device level would suffice.

Also, take the case of connected cars. Who will be blamed if a driverless car meets with an accident on the road by crossing a red light: the IoT device manufacturer, the network and connectivity provider, or the person sitting in the call centre monitoring the car's movement? Will all the parties have equal liability? Hence, it is important that ‘one-size-fits-all’ is not taken as a policy for formulating laws and regulations.

Privacy is another major concern when it comes to sharing information, not just in the IoT but in all applications, devices or systems. Low-cost IoT devices come with minimal security. Also, devices have relatively long life spans and firmware is rarely updated, making them vulnerable to attacks.

Manufacturers have to incorporate security measures right from the design phase. Passwords and login credentials should not be hard-coded into the firmware, nor be as simple as “admin” and “123456”. Thanks to such simplistic passwords, the Mirai malware has gone global.

Everyone’s responsibility

Some of the essential measures and best practices that can help prevent massive losses would be to implement network-based security best practices for early detection of security breaches, compartmentalisation and isolation of affected devices.

Speeding migration of networks to IPv6 from IPv4 and using VPNs for providing secure connections to the customer server systems would help. Customising and integrating the DDoS protection solution to meet the specific needs of the organisation is essential.

Application security must be an intrinsic part of the software development lifecycle (SDLC) for all IoT applications, particularly during the design, development and testing stages. The IoT developers must protect everything and open only what is required for the application.

For old devices which lack built-in security, a viable solution is to protect them using a secure IoT gateway (either physical or in a virtual machine). Consumers must change the default login details set by the manufacturer. Also, there is an urgent need for a third party to certify the safety of IoT devices.

In India, the government is taking measures towards cybercrime prevention. Information Technology Minister Ravi Shankar Prasad has requested all IT organisations to appoint a cybersecurity officer each. A list of 35 auditors has been prepared to give a parallel view on the cyber security preparedness of IT companies.

A National Cyber Coordination Centre is being created to provide near real-time situational awareness and rapid response to cyberattacks. The government has earmarked Rs 985 crore for the project, which is to be completed in five years.

The new cyber reality is here to stay, with hackers becoming stronger and waiting to exploit each small mistake we make. It is high time all IoT players came together to address cybersecurity threats by ensuring data privacy and standardisation and by taking stringent security measures at a granular level.

(The writer is chairman, IET-IoT India panel and president, Aeris Communications, India)
