Government, industry, system operators and the engineering profession must act together in a coordinated way to improve cyber safety and ensure that the Internet of Things develops in a secure and trusted way, according to two new reports ([1] & [2]) published today by the Royal Academy of Engineering and the PETRAS Internet of Things research hub.

“If the government and manufacturers don’t keep on top of smart technology, wrongdoers could cause people genuine harm, and even death in extreme circumstances.” – Professor Nick Jennings, Vice Provost

The reports together cover the Internet of Things and other digitally connected systems such as industrial control systems and building management systems. They highlight that digital technologies have a huge variety of applications from industry-level uses like electricity generation plant, to consumer applications such as fitness devices and smart home hubs, and that the integration of physical and digital systems creates many opportunities to realise economic, social and environmental benefits across business and society.

The reports also warn, however, that digitally connected systems need to be designed with safety and resilience in mind to minimise future risk. They could be vulnerable both to cyberattacks and to non-malicious events such as natural hazards or the failure of components, and the impact can be increased where systems are interdependent. Cyberattacks on connected health devices are of increasing concern as they could have severe consequences for patient safety. Ever greater numbers of health devices have been identified as being potentially at risk, including pacemakers and MRI scanners. The working group held a workshop with health agencies, manufacturers and government security advisors to discuss how best to address these issues.

As the number of IoT devices increases in homes, workplaces and public spaces, the studies consider the potential for more aspects of people’s lives to be observed. IoT devices can violate norms of private space, and for IoT systems that control or process personal data, there may also be privacy threats from data sharing.

The reports state that the evolving nature of the challenges will require continual responsiveness and agility by government, regulators, organisations and their supply chains. While they conclude that there is no silver bullet for improving cybersecurity and resilience, they call on organisations to demand that products are ‘secure by default’, and recommend a number of measures, including:

  • Mandatory risk management procedures should be considered for critical infrastructure, aligned to industry standards. These should set out guiding principles for cyber risk management during design, operation and maintenance.
  • Supply chain transparency – cybersecurity policies should require that there is transparency throughout the supply chain about the level of cybersecurity provided in products and services.
  • International ‘umbrella agreements’ on IoT – the UK government should work with other governments and international institutions – with the main providers of IoT components, devices and systems – towards ‘umbrella agreements’ that set out an international baseline for IoT data integrity and security for all parties to adopt.
  • Ethical frameworks that are appropriate to support ethical behaviours on IoT should be developed and applied to help minimise risks to society.
