Increasing the connectivity between physical and digital systems brings with it increased risks. So says Nick Jennings, Imperial College London Professor of Artificial Intelligence and Vice-Provost and the UK Government’s former Chief Scientific Advisor for National Security, in a foreword to a Royal Academy of Engineering report on cyber safety and resilience. He called for work to investigate measures needed to strengthen the safety and resilience of all connected systems, ‘particularly critical infrastructure that society now depends so much on’.
For the 52-page report, visit https://www.raeng.org.uk/publications/reports/cyber-safety-and-resilience.
Meanwhile, a separate report, ‘Internet of Things: realising the potential of a trusted smart world’ has been compiled by PETRAS Cybersecurity of the Internet of Things Research Hub and the Royal Academy of Engineering, chaired by Paul Taylor FREng, UK Lead Partner – Cyber Security at KPMG. Paul Taylor says: “There is no going back on the Internet of Things, it is here to stay and offers many new capabilities. We should embrace it with a strategy that goes beyond IoT towards the ‘Internet of Everything’, with a greater focus on people, data and processes. Government needs to consider whether existing regulation is fit-for-purpose and how IoT interacts with new EU regulation such as the NIS Directive (security of Network and Information systems) or GDPR where IoT processes or controls personal data.”
Both reports identify the importance of digital skills. They call on government to ensure that current reforms to post-16 education, such as T levels and new apprenticeships standards, include appropriate levels of skills development for end-users who will implement IoT in the workplace. Investment in design and technology education, as a subject that provides excellent opportunities for young people to understand the interfaces between physical and digital systems as well as practical opportunities to apply this, is also recommended, following the example of recent investment in computer science in schools.
Prof Rachel Cooper OBE, Adoption and Acceptability theme lead at the PETRAS IoT Research Hub, and Distinguished Professor of Design Management and Policy at Lancaster University, says: “It is vital that we improve the level of technical and data literacy and skills to enable the public to become involved in reinforcing security in data and the Internet of Things. Ethical development of these emerging technologies is a collective responsibility for the whole of society, not just for those who are developing them.”
Living in the Internet of Things is the title of a PETRAS, IoTUK and IET conference, forum and exhibition on March 28 and 29 in London, at the IET (Institution of Engineering and Technology) in Savoy Place. Much of the conference is given over to risk, security and privacy; speakers include Heather Butler, Assistant Director, EU and International Cyber Security Policy, Department for Digital, Culture, Media and Sport (DCMS); the opening speaker is Margot James, Minister of State for Digital and the Creative Industries, at DCMS.
Comments
Paul Farrington, Manager, EMEA Solution Architects at security testing and software company CA Veracode, said: “Security professionals have long hypothesised about the massive threat that many new connected medical devices pose. Back in 2015, this culminated when the FDA urged US healthcare facilities to stop using the Hospira’s Symbiq Infusion System in favour of an alternative infusion, after a vulnerability in the drugs pump remained unpatched for a year. Since then, we have seen numerous connected medical devices exposed for having severe vulnerabilities that could put both patient data and safety at risk.
“Earlier this month, DCMS announced that it would be working with the National Cyber Security Centre and industry to implement a rigorous new Code Of Practice to improve the cybersecurity of consumer internet-connected devices and associated services. And clearly it is crucial that such standards should also be applied to connected medical devices. However, security certificates cannot just apply to the device itself, but must also extend to the web applications and software managing the devices.
“With 77 per cent of all applications have at least one vulnerability when first scanned, it is perhaps unsurprising that 60% of all breaches involve web applications. To ensure that medical devices are safe for use, security standards should be introduced mandating that both the device and the software processing that data is not only built secure by design, but is regularly tested through its entire lifecycle.”
Amir Abramovitch, security researcher at ‘cyber of things’ company Cy-OT, said: “We know that a lot of Internet of Things (IoT) devices are insecure, and healthcare devices are no exception. In the last couple of years we have seen multiple vulnerabilities published for a variety of medical IoT devices. The main problem is that the worst-case scenario here is not data theft or malware infection, but death, and the scariest part is that some of these attacks can even happen remotely, where the attacker does not need to gain physical access to the device.
“The vulnerabilities span from simple vulnerabilities such as insecure storage of the Wi-Fi password and hard-coded secret credentials for remote maintenance, to more severe vulnerabilities such as communication interception (eg. changing the dosage of a drug) and full-on denial-of-service (eg. making the device stop functioning at all). This poses a threat, not only to corporate businesses, but to human life. The good news is that there are possible mitigations for these attacks, and they are quite easy to implement. The problem is that the companies making these devices do not understand the security implications of their poor design, and I hope they will learn it before it is too late.”
Dan Lyon, principal consultant at Synopsys pointed to the key role that systems thinking must play in the healthcare sector, because of shared responsibility among regulators, manufacturers, healthcare providers, and patients. “While software security has been discussed for many years, fewer people are talking about systems security and integrating security into system engineering. The healthcare industry has to solve this problem at the system-of-systems level, as well as for individual products like MRI machines and patient monitors. Many of the recommendations are already understood and documented. One specific example is recommendation that stronger mechanisms are needed, but there is no silver bullet. That concept is fully embodied in the BSIMM framework. BSIMM identifies a superset of 113 security activities that have been used to build security into systems. Leveraging this superset to identify new activities is one step organizations can take. The key message from this is that evaluating security at every layer in a product or system lifecycle – systems, software, firmware, hardware – is the only way to fundamentally build security into a product.
“Well known technical activities such as static code analysis are important, but so are non-technical elements like risk management processes and program level prioritization of resources based on identified risk.”
And David Emm, principal security researcher at cyber security product firm Kaspersky Lab, said: “As the connected devices market grows and becomes part of the fabric of our lives, it’s not surprising that this has come to include the healthcare industry – and sadly medical devices have become a target for cyber-attackers. With pacemakers, if a vulnerability is found then it may not be possible to roll out a patch, as you could for a smartphone or PC. So it may be very difficult to secure these devices once implanted, as the whole thing may need replacing – a costly and logistically difficult process. When it comes to risks that could endanger lives, it’s essential that security is implemented at the design stage of a product or device – long before it’s rolled out for public use. Connectivity offers great convenience, but if it’s indiscriminate it also gives hackers the chance to undermine the process.”
