Kevin Kwang: My baby monitor started a cyberattack? IoT industry suffering from security growth pains
There are currently no established Internet of Things security standards, and Singapore recognises that steps need to be taken to ensure minimum standards of protections in this space, says CSA.
SINGAPORE: Remember the time when StarHub’s broadband services suffered two outages, and the telco attributed them to cyberattacks on customers' compromised Web devices such as webcams and routers?
Or reports that hackers are spying on us through our baby monitors and home cameras?
Just this February, an Austrian cybersecurity company SEC Consult warned that the baby monitor Mi-Cam by Hong Kong-based company miSafes has vulnerabilities that would allow hackers to spy on the device including video footage. The device has more than 50,000 users.
These Internet security concerns are increasingly pushing themselves to the surface as more and more devices get connected to the Internet. And many of them are home appliances like fridges, washing machines and, yes, baby monitors that were not traditionally associated with being on the World Wide Web.
For manufacturers, security is a cost, said Mr Frederic Donck, regional bureau director for Europe at Internet Society.
If they do not have a compelling reason to factor it in their process - say, from regulation - then they would not, he added, shedding more light on the state of affairs.
“These are guys who don’t know about security issues,” Mr Donck said in an interview. “If I’m a small company making children’s toys in China, why would I care about securing how these are connected to the Internet?”
It is not just the makers of these Internet-enabled devices. More thought should also be paid to when consumers discard these appliances, Mr Donck pointed out.
“What happens to that toy or device that is discarded but continues to send data?” the Internet Society executive said. “The ability to switch off (a device’s Internet connectivity) should be enabled.”
Internet of Things (IoT) network operator, Unabiz, concurred, saying that security has to be addressed across the entire production cycle.
“As a matter of fact, security is most times an afterthought (when) it should be by design,” it said.
HACK ONE, EXPOSE ALL
If we see the issue of IoT security in the context of the wider cybersecurity ecosystem, then the problem becomes more acute.
Mr Francis Prince Thangasamy, vice president of IT Services and Managed Hosting for Asia Pacific at CenturyLink, said with Singapore being an important business and technology hub in the region, its systems are “ripe targets”.
Mr Thangasamy said: “Enterprises, services and networks are interconnected with thousands of companies and billions of devices worldwide.
A single successful cyberattack on any parts of the ecosystem will open up access to the entire network and sensitive data within and beyond the organisation or country, making it complex to manage and secure.”
Additionally, the country sits in a region that botnets - networks of compromised computer systems that can be remotely controlled by hackers to conduct cyberattacks - are rife.
The CenturyLink 2018 Threat Report showed that the top 5 Asia Pacific countries with bots are China, India, Japan, Taiwan and South Korea - with China coming in second and India tenth in the global rankings.
SMART CITIES? SECURE THEM TOO
This issue of securing Internet-connected devices take on an added layer of importance and urgency when you consider how governments around the world are moving towards using these to enhance urban planning and management of their cities and countries.
Singapore, for example, has stated its intention to fit its streetlights with sensors that could potentially help with everything from monitoring the climate to implementing facial recognition tools to track errant motorists or flag when an accident has taken place.
This project is part of its Smart Nation Sensor Platform - one of five strategic national projects underpinning its Smart Nation ambitions.
Asked how the Government intends to secure these systems as they get rolled out, the Cyber Security Agency of Singapore (CSA) told Channel NewsAsia that agencies work closely to make sure that a device or project’s security design and architecture is resilient.
Elaborating, CSA said it actively advocates a “security-by-design” motto in project implementation and this involves a three-step process. The first is to conduct threat risk assessments to identify the device or network to protect and what are the potential consequences if security is compromised.
The second step is to review the system design and incorporating security considerations and requirements, while the last step is to carry out acceptance tests to make sure security measures are in place to address potential security risks.
“Subscribing to security-by-design reduces piecemeal implementation and the need for costly and often ineffective retrofitting,” the agency explained.
That said, CSA pointed out that there are currently no established IoT security standards.
This lack of standardisation is highlighted through the responses of two well-established consumer electronics giants and their stance in securing appliances.
Korean manufacturer LG, for instance, said that there are no specific guidelines, here or other markets, to securing its devices like smart TVs. It noted its smart TVs are certified by Underwriters Laboratories’ Cybersecurity Assurance Program as well as Common Criteria, an international standard for computer security.
Another major player, Samsung, pointed us to its blog that stated it has incorporated its mobile security technology Knox to its other connected devices like smart TVs and signages. “Knox technology includes a hardware security system and firmware updates to ensure devices are protected,” it wrote.
CERTIFICATION SCHEME FOR IOT DEVICES BEING EXPLORED
CSA, for its part, said Singapore “recognises that steps need to be taken” to ensure IoT products and services meet minimum standards of protection.
Already, at the national level, several technical references relating to this have been published. For instance, TR64 was recently developed and published by the IT Standards Committee, under the ambit of the Singapore Standards Council, and it provides guidelines to safeguard the confidentiality, integrity and availability of large-scale IoT systems.
It will also be exploring an evaluation and certification scheme to provide a security hygiene benchmark for IoT devices, the agency revealed.
This was a suggestion made by Internet Society’s Mr Donck too, who said IoT manufacturers need to be more accountable and invest in security.
The organisation, in its IoT security for policymakers paper published this April, recommended credible security certification schemes as a means to increase the incentives to invest in security.
“Certification, by which an organisation signals that a product, service or system has passed a set of quality or performance tests, can be a powerful and visible signal of compliance to know whether an IoT device uses best practices or standards,” it said.
Mr Donck suggested a certification scheme similar to what consumers see with washing machines, TVs and air-conditioners today: A visible indicator to show how water or power efficient the devices are, so consumers can make a more informed choice.
At the end of the day, having a secure IoT ecosystem benefits everyone - from the parent using a baby monitor to the government looking to tap on sensor data to better manage the country.
“Security is one of the key factors driving IoT adoption,” CSA said.
“Without the assurance of security, Singapore will not be able to ride on the IoT wave and benefit from its far-reaching possibilities.”
Source: channelnewsasia
Latest Jobs
-
- Google Cloud Data Engineer
- London
- Up to £90,000 Base
-
Google Cloud Data Engineer London Salary: Up to £90,000 Base We are currently working with a leading Google Cloud partner who are currently looking for a Google Cloud Data Engineer in London. The Google Cloud Data Engineer will be responsible for projects designing and implementing data cataloguing platforms using Google Cloud. Current Experience Required: Google Cloud (MUST be Google Cloud Professional Engineer Certified and worked on recent GCP/Google Cloud Projects). Data Analytics (Data Engineering, Data Mining, Data Cataloguing etc.) Cloud PUB / SUB Candidates must be UK based and commutable to London. Candidates outside of the EU can not be sponsored Apply for more information or call Peter Georgiou on 02086634030. Ref: PG7692
-
- Microsoft Azure Sales Consultant
- London
- Up to £100,000 Base + OTE
-
DCL are currently working on behalf one of the fastest growing service providers in London who are on the lookout for a consultative Microsoft Azure Sales Consultant. The Microsoft Azure Sales Consultant will be responsible for selling (opening and closing new business opportunities new business) and being the SME in all things Cloud providing support to other members in the sales team. Preference will be given to the Microsoft Azure Sales Consultant who possesses Exceptional knowledge of Cloud Technology (Public / Private / Hybrid.). Current experience with technology such as Azure, AWS, Office 365 is required Proven sales experience of identifying and closing new business within the Cloud market. Must be currently selling into the enterprise market. Consistency on tenure in current and past roles. New business background is a must In return you will be working for a successful, growing SME organisation with excellent training and sales support from pre-sales, post-sales, project management, service management, bid management, pricing and customer service. Candidates must be UK Based. sponsorship can not be provided for this role. Reference Number: BD7690 (Cloud Sales Jobs, Cloud Computing Jobs, Cloud Computing Sales)
-
- Senior Incident Cyber Response Consultant
- London
- Up to £75,000 Base
-
Senior Incident Cyber Response Consultant with Forensic experience is needed to join a global consultancy whose cyber business unit are continuing to their investment in the growth of their team. From my perspective, as a recruitment partner, this is a particularly interesting and exciting opportunity. Not only is the team in an active growth mode, but they have varied, high profile and interesting projects for their team. Globally recognised. This is an opportunity to drive and grow a career. Experienced Senior Incident Cyber Response Consultant is needed to help take clients through the complete IR / triage process. The position is be client facing and will be expected to engage with clients at a commercial level. Proactive IR planning is also key to the position. The Senior Incident Cyber Response Consultant will not hold a sales target, but any previous experience in identifying and generating revenue is highly sort after. A broad forensic background would be highly desirable also. An ideal Senior Incident Cyber Response Consultant will be CREST CCIR, CCIM certified. Experience with forensics is highly desirable. Any of the following are very desirable also CREST Certified Network Intrusion Analyst (CCNIA) CREST Certified Host Intrusion Analyst (CCHIA) CREST Certified Malware Reverse Engineer (CCMRE) CREST Practitioner Intrusion Analyst (CPIA) An individual must be London commutable Key attributes should also include; stakeholder engagement, mentoring of team members, a collaborative working style. Technical experience must include; demonstrable experience within cyber incident response, Forensic, cyber etc. Additional certifications could / should include GIAC certified (Intrusion analyst, incident handler, forensic handler) The opportunity for an individual to conduct malware research and analysis is actively promoted. Career development and the opportunity to influence, apply today for more information or call Chris Holt on 07884666351 or 02086634030 or email chris.holt@dclsearch.com Unfortunately, our client are unable to provide sponsorship for this opportunity. Candidates must be UK based. Ref: CH7679 (Incident Response Jobs, CREST Jobs, Digital Forensics Jobs, IR Jobs)
-
- Principal Electrical Engineer
- London
- Salary: Up to £90,000 Base + Bonus
-
Principal Electrical Engineer Location: London Salary: Up to £90,000 Base + Bonus A Principal Electrical Engineer is needed for a state of the art, London based Data Centre provider. The Principal Electrical Engineer will be responsible for all of the Mechanical & Electrical components (support, development/design etc.) within our clients Data Centre’s. Other responsibilities include but not limited to; Commissioning, approving, design & review/improvement of new data centre infrastructure Commercial’s (Contract negotiation, project finances etc.) Project management Training/Development of other staff General engineering tasks Requirements HND / Degree in Engineering or equivalent. Must have current/recent experience (ideally in a senior position) within a mechanical & electrical position within a Data Centre environment Candidates must be UK based and unfortunately, our client are unable to provide sponsorship Ref: PG7600 (M&E Jobs, Mechanical & Electrical Jobs, Engineering Jobs, Data Centre Jobs, Data Center Jobs)