Maybe we need to talk about safety rather than security? asks our regular contributor Mike Gillespie.
I have been looking at the principles of cyber security for connected and automated vehicles, issued by the UK Government on August 6. I wondered if we need to be talking about health and safety, not security, when it comes to the Internet of Things (IoT). It struck me that many connected or web-enabled items would benefit from the guidance and principles. If you like, it would be great as an expanded IoT guide to security, but better than that, safety. What if we took the stance of safety rather than security when we consider risk and build risk assessments? Let’s face it, if you have the possibility of death in your risk assessment, then it’s going to be taken seriously and the risk is going to be mitigated.
As we move further down the road (forgive the pun) of connected vehicles, self-driving vehicles and smart motorways, surely the cyber-security of these things is a matter of health and safety and should be addressed from that macro level, rather than from the more granular cyber perspective. We have had health and safety legislation for a long time, and businesses and individuals alike are accustomed to thinking about safety in a way that is still new to security in many ways. The legislation is effective and proven. If you look at the incidence of injury or fatality in the workplace, the legislation has clearly contributed to a very different, much safer working environment. Unfortunately, cyber incidents, be they breach, hack or serious incident, are increasing, not decreasing, and our physical systems, frequently web-enabled and hackable, do not yet have any kind of kitemark to help guide us in buying securely. This is why I felt the new vehicle guidance was a potentially good start.
Risk to life
So, our cyber-enabled items offer risk to our businesses and disruption to our lives and even our very identities, true. But are we ready yet to have the conversation about how cyberspace could also offer risk to life? Or do we need to continue to develop the number and range of web-enabled items that can impact us physically and worry about security later?
Innovation of the IoT has been the driver of growth, not the response; in other words, many of our web-enabled options exist not because we needed them but because they could be made. The focus has been on what is possible, not what is necessary or even desirable. Unless someone else has another explanation for a web-enabled kettle, of course. This drive for innovation and creativity is great, but there are downsides. These are just a few:
– Who is paying for it? If the product is free, then you are the product; in other words, those apps you get free are harvesting your data. You should be checking your permissions very carefully before you agree and download.
– Who paid for its development? These things take time and money; they don’t develop themselves. So what security measures are in place in your lovely web-enabled item, and is it built on firmware that can be updated and so remain secure for its lifecycle?
– Do you know what it is connecting to? Is this item connecting to business networks and systems? Are you completely sure of how it interacts with all of your systems?
If any of the systems we use have a potential impact in the physical world, we really need to be thinking safety at the top level, with security being a built-in part of that safety. And if there is anywhere that these aspects need to be a top priority, it must surely be in an automated vehicle such as a genuinely autonomous car. I do not believe any of us wants to be in a situation where the driverless car, carrying us along the motorway at 70 miles an hour, suddenly becomes the remote-controlled plaything of a nefarious individual. And I am confident in saying that, should that happen, we are all going to be far more concerned with the safety of our loved ones in the passenger seats than the security protocol that just got breached.
About the writer
The MD of the information security consultancy Advent IM is a director of the Security Institute. He’s a speaker at our next Security TWENTY (ST17) conference at Glasgow on Tuesday, September 5. Visit www.advent-im.co.uk.