Government, industry, system operators and the engineering profession must act together in a coordinated way to improve cyber safety and ensure that the Internet of Things develops in a secure and trusted way, according to two new reports published today by the Royal Academy of Engineering and the PETRAS Internet of Things research hub.
The reports together cover the Internet of Things and other digitally connected systems such as industrial control systems and building management systems. They highlight that digital technologies have a huge variety of applications from industry-level uses like electricity generation plant, to consumer applications such as fitness devices and smart home hubs, and that the integration of physical and digital systems creates many opportunities to realise economic, social and environmental benefits across business and society.
The reports also warn, however, that digitally connected systems need to be designed with safety and resilience in mind to minimise future risk. They could be vulnerable both to cyberattacks and non-malicious events such as natural hazards or the failure of components and the impact can be increased where systems are interdependent. Cyberattacks on connected health devices are of increasing concern as they could have severe consequences on patient safety. Ever greater numbers of health devices have been identified as being potentially at risk, including pacemakers and MRI scanners. The working group held a workshop with health agencies, manufacturers and government security advisors to discuss how best to address these issues.
As the number of IoT devices increases in homes, workplaces and public spaces, the studies consider the potential for more aspects of people’s lives to be observed. IoT devices can violate norms of private space - for IoT systems that control or process personal data, there may also be privacy threats from data sharing.
The reports recommend that the evolving nature of the challenges will require continual responsiveness and agility by government, regulators, organisations and their supply chains. While they conclude that there is no silver bullet for improving cybersecurity and resilience, they call on organisations to demand that products are ‘secure by default’, and recommend a number of measures, including:
* Mandatory risk management procedures should be considered for critical infrastructure, aligned to industry standards. These should set out guiding principles for cyber risk management during design, operation and maintenance.
* Supply chain transparency - cybersecurity policies should require that there is transparency throughout the supply chain about the level of cybersecurity provided in products and services.
* International ‘umbrella agreements’ on IoT - the UK government should work with other governments and international institutions – with the main providers of IoT components, devices and systems – towards ‘umbrella agreements’ that set out an international baseline for IoT data integrity and security for all parties to adopt.
* Ethical frameworks that are appropriate to support ethical behaviours on IoT should be developed and applied to help minimise risks to society.
The reports also highlight that the UK is in a strong position to lead the development of appropriate international standards and regulation, as a result of its world-class expertise in cybersecurity, safety-critical systems, software engineering, hardware security, artificial intelligence and social sciences.
Professor Nick Jennings CB FREng, Vice Provost at Imperial College London and lead author of 'Cyber safety and resilience: strengthening the digital systems that support the modern economy', says: “Connected systems underpin improved services, drive innovation, create wealth and help to tackle some of the most pressing social and environmental challenges.
“The reports we are publishing today identify some of the measures needed to strengthen the safety and resilience of all connected systems, particularly the critical infrastructure on which much of our society now depends. We cannot totally avoid failures or attacks, but we can design systems that are highly resilient and will recover quickly.”
Paul Taylor FREng, UK Lead Partner - Cyber Security at KPMG and lead author of 'Internet of Things: realising the potential of a trusted smart world', says: “There is no going back on the Internet of Things, it is here to stay and offers many new capabilities. We should embrace it with a strategy that goes beyond IoT towards the ‘Internet of Everything’, with a greater focus on people, data and processes.
“Government needs to consider whether existing regulation is fit-for-purpose and how IoT interacts with new EU regulation such as the NIS Directive (security of Network and Information systems) or GDPR where IoT processes or controls personal data.”
Both reports identify the importance of digital skills. They call on government to ensure that current reforms to post-16 education, such as T levels and new apprenticeships standards, include appropriate levels of skills development for end-users who will implement IoT in the workplace. Investment in design and technology education, as a subject that provides excellent opportunities for young people to understand the interfaces between physical and digital systems as well as practical opportunities to apply this, is also recommended, following the example of recent investment in computer science in schools.
'Cyber safety and resilience: strengthening the digital systems that support the modern economy' includes a full section on digitalised systems in healthcare, highlighting the opportunities and the challenges. The issue is particularly critical for healthcare, as cyber attacks could be life-threatening.
Commenting on the findings of this report, Dan Lyon, Principal Consultant at Synopsys says: "One of the prevalent themes in this document is the key role that systems thinking must play in the healthcare sector, because there is shared responsibility among regulators, manufacturers, healthcare providers, and patients. While software security has been discussed for many years, fewer people are talking about systems security and integrating security into system engineering. The healthcare industry has to solve this problem at the system-of-systems level, as well as for individual products like MRI machines and patient monitors.
"Many of the recommendations are already understood and documented. One specific example is the recommendation that stronger mechanisms are needed, but there is no silver bullet. That concept is fully embodied in the BSIMM framework. BSIMM identifies a superset of 113 security activities that have been used to build security into systems. Leveraging this superset to identify new activities is one step organizations can take. The key message from this is that evaluating security at every layer in a product or system lifecycle – systems, software, firmware, hardware – is the only way to fundamentally build security into a product.
"Well known technical activities such as static code analysis are important, but so are non-technical elements like risk management processes and program level prioritisation of resources based on identified risk."
Among the recommendations of the report are the need for urgent clarification of the roles and responsibilities within NHS governance and structure at both local and national level and the need for the health service to embed cyber safety into decision-making. "Many other sectors are more advanced in terms of awareness, governance and resource," it says. It also recommends training healthcare professionals in areas such as data literacy and cybersecurity.
Click here to go to the RAE's website from where both reports may be download.
