Realizing the True Potential of IoT: A Security Perspective

The Internet of things (IoT) is heralded as the vanguard of the next technological revolution (Krishna). A McKinsey report estimates the total potential economic impact of IoT to be around $3.9 trillion to $11.1 trillion annually by 2025. For this potential to manifest into an economic reality, it becomes imperative to revisit the Solow Paradox and its critiques to discern the impediments to this potential realization. The Paradox underscores the slow growth in productivity ‘across’ the economy despite considerable progress in Information and Communication (ICT) technology (David 356). Critics are quick to quash such qualms stating that increase in economic productivity will be conspicuous once these technologies are “truly embedded” into work practices, social lifestyles and business models (Yueh 270). In its incipient stages, the development of IoT has been fragmented and each company tried (and still tries) to publicize its own Internet of Things (Basulto). Such proprietary vendor practices have impeded IoT from becoming “truly embedded” into the fabric of human society. As a corollary, McKinsey’s estimates might never materialize in the economy and productivity growth in the economy will be inconsistent and labored. Standardization efforts in IoT strive to stop the aforementioned likelihood from actualizing. The current standardization narrative for Internet of Things (IoT) is driven by three key factors: Security, Interoperability and Governance (Saleem et al. 3).

Most standardization efforts resolve these issues to a certain extent (Saleem et al. 2) and several nations have or are in the process of adopting pertinent legislations for the same. India has come up with its own set of legislations which aim to address these issues. However, some of them have failed to fill the lacuna of basic hardware security regulation. This article posits a hierarchical structure of focus for the current standardization (or legislative) narrative in India with security forming the fundamental buttress of the structure. The scope of this article is restricted to the security aspect of IoT and why it is fundamental for IoT to become truly embedded.

WHY SECURITY?

With the pervasive adoption of IoT devices, two new risk vectors have transpired: a) Since user data is cardinal and intrinsic to the functioning of IoT, consumer security and privacy is endangered if proper safeguards aren’t in place; b) State sponsored attacks or large scale cyberattacks can be administered compromising the national security of a country while paralyzing its economic and societal structures (Secure by Design 4). Significant damage is incurred by all the stakeholders (i.e. the people, industries and government) here. Precedents set by the Mirai Botnet and Stuxnet Attacks on Iranian SCADA systems highlight the insidious nature of such attacks as well as the dangerous potentialities that can be realized in the hands of malicious actors. For similar reasons, critical societal services initially operated in silos and viewed IoT advancements from a skeptical lens (Asplund and Tehrani 2130).

A HP study revealed that 70 percent of commonly used IoT devices are vulnerable to attacks (Vulnerabilities ranging from password security, encryption to general lack of granular user access permissions). Findings from another technical risk assessment on 43 healthcare mobile applications showed that only 15 percent of the apps holistically encrypted the transmitted data (Meddeb 42). When such statistics are juxtaposed with IoT device proliferation amongst consumers, the massive scale of the security issue is realised. A notion arises that security and privacy are perceived as afterthoughts of IoT deployment rather than an intrinsic feature of deployment (Pal et al. 58). In the wake of such findings and recent data privacy scandals, Trust, Security and Privacy(TSP) have become central pillars for IoT augmentation (Meddeb 41). This is corroborated by a Blackberry survey which finds consumers to have a predilection for companies that have a strong reputation for data security and privacy. Trust is engendered when IoT standards and regulations (According to ENISA’s IOT Security Standards Gap Analysis, Standards have two functions: a) Achieving interoperability b)Generating confidence) holistically ensure security and privacy of the consumers. If standards fail to do so, IoT proliferation will be in peril and the technology won’t ‘truly embed’ itself in societal structures in the long run. Potential economic estimates perchance might turn out to be spurious.

NOTABLE LEGISLATIONS: WORLD

A slew of legislations and draft policies being adopted by various countries shows an increased cognizance of security. 2018 was climacteric in this regard, most notably for the enforcement of the General Data Protection Act (GDPR), which imposed onerous restrictions on data processors and data controllers (de Groot). While the GDPR was a data centric privacy initiative, UK’s Secure by Design report adopted a parochial focus on improving IoT device security. Designed in the context of consumer IoT, it put forth a code of practice for IoT device manufacturers to voluntarily adhere to. The first 3 guidelines a) No default passwords (e.g. Admin simultaneously being the username and password) b) Mandatory Vulnerability Disclosure and c) End of life policy (Software updates) are said to be of prime importance for improving IoT cybersecurity in the short term as they address basic hardware vulnerabilities that malicious actors often exploit (Secure by Design 21). Some point that the report fails to provide specific technical guidelines in the code of practice while others highlight its incomprehensive nature (Saleem et al. 2). Nonetheless, the report seems to be a step in the right direction and serves as a focal point in the ongoing legislative discussion to mandate the first three guidelines.

California’s SB 327 which comes into effect from 1st January, 2020 (Noor), has already implemented the first guideline of the Secure by Design report for the state of California. Moreover, stipulations require manufacturers to provide reasonable security features for any device establishing a direct or indirect connection with the internet (Robertson). In this regard, the Cybersecurity Improvement Act of 2019 is another bill that might have significant effects if it is eventually passed. The act espouses the establishment of basic security standards for IoT/ICT devices that US federal authorities purchase (Ng). The act’s qualified focus to federal purchases might seem puzzling, but subscribers of the bill view it as a soft nudge to device suppliers to equip other devices with the same standards to avoid supply chain diversification (Wayne). Another recently passed legislation is the EU Cybersecurity Act which tries addressing the security issue by adopting an EU cybersecurity certification framework (Young) for ICT products. A certification framework is the right step to foster trust amongst the industry and consumers given the principal role of trust in advancement of IoT proliferation.

THE INDIAN SCENARIO

Given the nascent backdrop of IoT in India, the Indian Government and its policymakers have been precocious in addressing IoT security and privacy issues. From the Supreme Court’s construal of right to privacy (Panday) as a fundamental right to devising a draft Personal Data Protection Bill (which takes precedents from GDPR), data centric privacy has assumed central focus. Moreover, policies like the National Digital Communication Policy, National Telecom M2M roadmap and Internet of Things (IoT) policy by MeitY (Ministry of Electronics and Information Technology) underscore the importance of device security in some capacity. However, stringent laws enforcing the same are yet to be passed.

Amendment 2017 to the Indian Telegraph Act comes as one tangible approach towards achieving the same end. The amendment introduces Mandatory Testing and Certification of Telecom Equipment (MTCTE) and telegraph is construed as “any instrument, appliance or material that is capable of transmission or reception of signals, images and sounds or intelligence of any nature by wire, visual or radio waves” (Livemint). IoT devices thus fall under the act’s purview. TEC (Telecommunications Engineering Centre), the agency responsible for drafting Essential Requirements (ERs) for the Mandatory certification, has published the final list of the essential requirements. However, the security requirements section for various ERs still remains vacant. They await further guidance from the DoT (Department of Telecommunications).

Given the fundamental role of the certification in augmenting trust and confidence amongst end users, the security requirements need to be devised concurrent to the pace of technology. Mandatory regulations, especially in the field of IoT security need to be implemented expediently due to the lag effects (e.g. Compliance and adoption of regulations by various actors) on the economy. Even after implementation, certain unresolved issues transpire which can induce a further lag compromising the policy’s efficacy and intentions. This is detrimental given how standardization and regulations have already failed to keep up with the adoption of IoT across various sectors (Saleem et al. 4). For example, the decision to mandate UK’s Secure by Design guidelines comes after a year of its initial release. Even after mandating, issues are bound to emerge intermittently due to evolutionary nature of technology and user behavior, and it would require further investment of time and resources. However, this contingency could have been mitigated by the UK legislatures by early passage of mandatory guidelines. Thus, the security requirements for ERs in India is an exigency that demands immediate attention. Indian policymakers can also take simple precedents from the Secure by Design report (which aims to shift the onus and responsibility of device security from the consumer to the device manufacturer via implementation of simple yet efficient measures), SB 327 and US draft Cybersecurity Improvement Act of 2019.

Given the infant stages of IoT in India, 2019 seems like an opportune time to deal with the situation proactively. While the draft Data Personal Data Protection Bill will likely be introduced in the parliament this year, the Bureau of Indian Standards (BIS) will be releasing their set of IoT standards and regulations. It is hoped that basic hardware vulnerabilities are accounted for and the principles of “Privacy and Security by design” are integrated and upheld. Trust will be engendered as a corollary and only then can the estimated economic potential of IoT truly be realized.

—————————————-

REFERENCES (MLA)

1. Krishna, Vishal. “India’s IoT Started out Slow, but It’s Time to Pick up Pace.” YourStory.com, Yourstory, 27 Aug. 2018, yourstory.com/2018/08/indias-iot-started-slow-time-pick-pace.

2, “Unlocking the Potential of the Internet of Things.” McKinsey & Company, www.mckinsey.com/business-functions/digital-mckinsey/our-insights/the-internet-of-things-the-value-of-digitizing-the-physical-world.

3. “Paul A. David, 1990, ‘The Dynamo and the Computer: A Historical Perspective on the Modern Productivity Paradox’, American Economic Review, 80(2), pp. 355–61.”

4. Yueh, Linda. The Great Economists. Penguin Books Ltd., 2019.

5. Basulto, Dominic. “3 Reasons Why the Internet of Things (Still) Doesn’t Make Sense.” The Washington Post, WP Company, 16 Jan. 2015, www.washingtonpost.com/news/innovations/wp/2015/01/16/3-reasons-why-the-internet-of-things-still-doesnt-make-sense/?noredirect=on.

6,7,20,33 Saleem, Jibran, et al. “IoT standardisation: Challenges, perspectives and solution.” Proceedings of the 2nd International Conference on Future Networks and Distributed Systems. ACM, 2018.

8. Department for Digital, Culture, Media and Sport, UK government (2018). Secure by Design. Department for Digital, Culture, Media and Sport, UK government.

9. Fruhlinger, Josh. “The Mirai Botnet Explained: How IoT Devices Almost Brought down the Internet.” CSO Online, CSO, 9 Mar. 2018, www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html.

10. Asplund, Mikael, and Simin Nadjm-Tehrani. “Attitudes and perceptions of IoT security in critical societal services.” IEEE Access 4 (2016): 2130-2138.

11. “HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack.” HP News – HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack, www8.hp.com/us/en/hp-news/press-release.html?id=1744676.

12, 14. Meddeb, Aref. “Internet of things standards: who stands out from the crowd?.” IEEE Communications Magazine 54.7 (2016): 40-47.

13. Pal, Arpan, et al. “IoT Standardization: The Road Ahead.” Internet of Things-Technology, Applications and Standardization (2018): 53.

15. BlackBerry Survey Finds Consumers Don’t Trust Connected Devices to Keep Data Safe and Secure, www.blackberry.com/us/en/company/newsroom/press-releases/2019/blackberry-survey-finds-consumers-don-t-trust-connected-devices-to-keep-data-safe-and-secure.

16. Andrukiewicz, E., Cadzow, S. and Górniak, S. (2019). IOT Security Standards Gap Analysis. [online] ENISA. Available at: https://www.enisa.europa.eu/publications/iot-security-standards-gap-analysis [Accessed 14 Jun. 2019].

17. “What Is the General Data Protection Regulation? Understanding & Complying with GDPR Requirements in 2019.” Digital Guardian, 15 May 2019, digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection.

18, 19. Digital. “Secure by Design Report.” GOV.UK, GOV.UK, 7 Mar. 2018, www.gov.uk/government/publications/secure-by-design-report.

21. Towers-Clark, Charles. “UK To Introduce New Law For IoT Device Security.” Forbes, Forbes Magazine, 2 May 2019, www.forbes.com/sites/charlestowersclark/2019/05/02/uk-to-introduce-new-law-for-iot-device-security/#1cb2147c579d.

22. Sync, CRM. “DCMS Launch Secure by Design Regulation Consultation.” TechUK, TechUK, www.techuk.org/insights/news/item/15299-dcms-launch-secure-by-design-regulation-consultation.

23. Noor, Arshad. “California SB-327 and the Wake-Up Call for Stronger Authentication.” CPO Magazine, 28 May 2019, www.cpomagazine.com/cyber-security/california-sb-327-and-the-wake-up-call-for-stronger-authentication/.

24. Robertson, Adi. “California Just Became the First State with an Internet of Things Cybersecurity Law.” The Verge, The Verge, 28 Sept. 2018, www.theverge.com/2018/9/28/17874768/california-iot-smart-device-cybersecurity-bill-sb-327-signed-law.

25. Ng, Alfred. “Congress Introduces Bill to Improve ‘Internet of Things’ Security.” CNET, CNET, 11 Mar. 2019, www.cnet.com/news/congress-introduces-bill-to-improve-internet-of-things-security/.

26. Rash, Wayne. “IoT Security Bills for US Government Will Also Affect Business IT.” EWEEK, 9 July 2019, www.eweek.com/security/iot-security-bills-for-us-government-will-also-affect-business-it.

27. Young, Mark. “European Parliament Approves EU Cybersecurity Act.” Inside Privacy, 15 Mar. 2019, www.insideprivacy.com/international/european-union/european-parliament-approves-eu-cybersecurity-act/.

29. Panday, Jyoti. “India’s Supreme Court Upholds Right to Privacy as a Fundamental Right-and It’s About Time.” Electronic Frontier Foundation, 11 Oct. 2017, www.eff.org/deeplinks/2017/08/indias-supreme-court-upholds-right-privacy-fundamental-right-and-its-about-time.

31. Livemint. “Testing Must for Telecom Equipments from October 2018: DoT.” Https://Www.livemint.com, Livemint, 10 Sept. 2017, www.livemint.com/Industry/aeLzA8FGUZFP5926rspKbP/Testing-must-for-telecom-equipments-from-October-2018-DoT.html.

32. “List of Essential Requirements.” TEC, www.tec.gov.in/list-of-essential-requirements/.

IET: The Institution of Engineering and Technology (2018). Standards, Legal and Privacy. IET: The Institution of Engineering and Technology.