David Rogers discusses the UK’s world-leading work on securing future connected products and networks and some of the challenges ahead.
Hostile attacks upon UK cyberspace were designated a Tier 1 threat to national security in 2010. This unlocked funding for the National Cyber Security Strategy. In its second, current, iteration, to 2021, the government seeks “to significantly reduce the ability of our adversaries to conduct cyber-crime in the UK by ensuring that future online products and services coming into use are ‘secure by default’”.
An over-arching goal is to make the UK the safest place to live and do business online.
As a result of the 2014 report The Internet of Things: making the most of the Second Digital Revolution by the Chief Scientific Adviser, Sir Mark Walport, it was recognised that, along with the immense benefits of the Internet of Things (IoT), there were huge risks. These could be broken down into two main aspects – issues that caused consumer harm directly (for example someone’s webcam being accessed and viewed), and those that caused wider harm, often without the user’s knowledge.
The second of these was potentially a national security risk. This was driven home with the appearance of the Mirai botnet direct distributed denial of service (DDoS) attack in 2016, against individuals and organisations, notably the NHS. More widely it was recognised that there were potential physical-safety, harassment and child-safety issues.
In 2017 I joined an expert advisory group that comprised people from industry, government and academia and that looked at the problem. In March 2018 we produced a report laying down a code of practice designed to address the fundamental problems faced, particularly around IoT devices.
The project was led by Emma Green, DCMS Head of Cyber Security Incentives and Regulation, and Peter Stephens, Head of Secure by Design. As the author of the code of practice I can say that it was a massive team effort. Each group member brought a particular focus to the project. This, along with the support of politicians, industry and consumers, meant something was delivered.
In collaboration with the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO), the code was refined, developed and prioritised. Consultation took in views from the security research community, those in industry who were already demanding better security in the IoT, and loose-knit organisations from the hacking community such as IAmTheCavalry.
It was recognised early in the process that there were ongoing unacceptable practices in the IoT development ecosystem, whilst there were other good practices that were in desperate need of adoption. Priorities were set in the top three items of the code: no default passwords; action required on and implementation of a vulnerability disclosure policy; and ensuring that software updates were available for devices. The code settled on 13 guidelines that aimed to raise the bar in cyber security, not just regarding devices, but in the surrounding ecosystem. Particularly, the security burden was shifted from consumers to device manufacturers and the companies responsible for the products. Supporting studies were conducted by the PETRAS IoT academic research consortium, for example into product labelling.
DCMS is not a standards organisation and there were already multiple recommendations from around the world, so the approach was to keep standards high, not to redefine them. A detailed plan was likely to have been over-specific and could have significantly constrained innovation. It was also realised that the ability to inspect items externally and the transparency of their security features (or the lack of them) was crucial. This was much easier for the priority top three items, since consumers themselves could see default passwords, they could check whether it was possible to report vulnerabilities to the manufacturer through a webpage, and they could discover whether there were updates available. The top three served as ‘insecurity canaries’ – if an IoT product failed to meet these guidelines, it was likely that all was not well in the rest of the product.
The success of the code is down to multiple factors. There was demonstrable market failure with IoT products being easily hacked, causing damage and with the real potential of a death. The market was ready; companies had already been developing recommendations, but not at the pace that was necessary. Recognising the global nature of the IoT and its supply chain, the code took an international approach and was translated into seven languages. The government published an extensive mapping to IoT recommendations and guidance around the world, provided as open data so that anyone could use it. International alignment continues and the code was submitted to the European Telecommunications Standards Institute (ETSI), becoming ETSI Technical Specification 103 645 in January 2019. This work is well on its way to progressing to a full European standard (EN) by July 2020.
Following further public consultation, the UK has stated that it intends to legislate on the top three concerns in the code of practice – the banning of default passwords, enforcing the ability for security researchers to submit vulnerabilities to IoT companies, and ensuring that there is greater transparency around software updates.
Other countries and states have followed suit, such as Australia, Finland and Singapore. Some have approached the challenge differently: the US has a large-scale project within its National Institute of Standards and Technology (NIST). These projects will converge at the International Standards Organisation (ISO), but that takes a long time. The UK’s proactive stance addresses the issues now rather than in 10 years.
IoT security code of practice
- No default passwords
- Apply vulnerability disclosure policy
- Keep software updated
- Store credentials and data securely
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data he full report is available at www.gov.uk/government/publications/secure-by-design-report
Risk can never be eliminated, but it can be reduced and managed. Trust is something that needs to be gained and relied upon. It is not simply about technology. Between businesses and governments, trust is about keeping promises and whether statements or actions are truthful and verifiable. Large businesses have been affected by ransomware attacks that have crippled operations. Governments are finally beginning to acknowledge cyber-crime and take it seriously.
The 5G vision of a collection of technologies, including different types of IoT devices across multiple sectors, opens a new set of issues around the ‘cyber-physical’ space: attacks no longer stay in the virtual domain. Cyber attacks can interact with real-world objects or systems, with catastrophic consequences. In farming, for instance, this could mean the loss of irrigation; in a heavy industrial company, the complete destruction of a blast furnace; and in the automotive sector, it could mean cars stopping in the middle of the road. All such disasters could halt the economy.
Hostile nation states are already seeking to take advantage of the weakest links, which can be the most effective points of attack. In addition, networks are shifting from a world in which individual hardware boxes make up a network, to a virtualised one with all the functions now built into software. This provides greater speed and reliability but means that you’re exposed in new ways.
Increasingly, a drive to reduce costs has meant that security is often at the end of a long list of requirements. Government has a role here – to level the playing field such that everyone must provide an acceptable bar of security for entry into the market, affording every citizen a certain guarantee of protection.
Companies are also increasingly relying on open-source software – that is, software that is developed by a community of individuals openly and collaboratively and released for anyone to use under a licence. Although open source is visible for peer review, attackers aren’t going to submit a fix for security flaws they find! This concern, combined with companies’ lack of attention to keeping up-to-date with open-source libraries in their products and services, can be a real issue for security.
Risks mean extra attention has to be paid to the fundamentals of how networks are built from the ground up and how to make them more resilient. That means building defence-in-depth, persuading mobile network operators not to rely on single vendors so that they spread the risk, and validating that what is being built doesn’t contain known security vulnerabilities and flaws. It isn’t possible to create a flawless system or to design software and hardware without the possibility of security vulnerabilities; however, acknowledgement of this fact leads us to the conclusion that companies need to stay on top of security research and have systems and processes in place. While the country-of-origin of a product or service is clearly a security consideration for both companies and governments, if the product or service can be validated thoroughly and meets a good level of product security together with other cyber security measures, the source country matters much less. If a product or service supplied from anywhere in the world is fundamentally insecure, any country could theoretically attack it successfully; it doesn’t matter where it originally came from.
There are many factors in the telecommunications supply chain to consider, including hardware security, cryptographic key management, logistics, testing, auditing and work on security vulnerability management. From an industry perspective, many of these areas have been opaque to mobile network operators for some time, with vendors supplying products that have had little-to-no security. Operators have not been willing to pay more for security and have squeezed vendors for lower-priced products. They’ve not really questioned the delivery of products with basic security flaws. Throughout the world, there is a shortage of security-focused engineers. Security must be a core component of modern technical degrees and training, but companies also need to ensure that, as part of their efforts to increase security, they invest in their existing staff to train them on product and cyber security.
About the author
David Rogers MBE is a security specialist who runs Copper Horse Ltd, based in Windsor, UK. His company is currently focusing on security and privacy research for the Internet of Things as well as future automotive cyber security. He chairs the Fraud and Security Group at the GSMA and sits on the Executive Board of the Internet of Things Security Foundation.