The IMDA (Infocomm Media Development Authority) has published its Internet of Things (IoT) Cyber Security Guide. As the impact of Covid-19 forces a global move towards work from home (WFH), the timing could not have been better.
The guide has taken a year to produce and comes after a public consultation in 2019. While the main focus of the guide seems to be enterprise IoT developers and providers, IMDA has also looked at those who buy and interact with IoT systems. This latter group is large and growing. Building systems, manufacturing, finance, agricultural, education, law enforcement and the home all fall into this group. However, it is unlikely that everyone in that group will read the documents.
One of the goals that IMDA set out to achieve was to provide lists of questions and checklists. This it has achieved, and the various documents will provide a good starting point for new projects. Even those who are experienced in buying IoT systems will find additional questions and approaches to consider.
IMDA Deputy Chief Executive, Ms Aileen Chia, said: “As companies deploy more IoT systems and devices to improve business efficiency and productivity, it also exposes them to more cyber security threats and vulnerabilities. I encourage companies and vendors to adopt the new IoT Cyber Security Guide and take cyber security into consideration early at the point of designing and developing their IoT systems to better protect their businesses from cyber security threats and the damage they bring.”
What is in the IMDA guide?
The guide is split into three documents. The first document focuses on enterprise users of IoT and delivers a set of guidelines for both the implementation and the operational phase of deploying IoT. The separation between implementation and operation is important. The four principles it provides are applied to both states with different levels of questions and actions. There is also a threat modelling checklist that can be used to assess cyber security for IoT. However, the most important part of this for many organisations is the Vendor Disclosure Checklist. It is fair to say that a lot of vendors will be exposed by this and the checklist is adaptable to other technologies.
The second document deals with foundational concepts. It is short and to the point. Importantly, it introduces the CIA triad for use in IT and OT. For those not familiar with it, CIA stands for Confidentiality, Integrity and Availability. As the report states: “IT and OT have different emphasis on the CIA triad.” It exposes one of the problems of bringing together IT and OT systems but provides a way to square the circle, so to speak.
The last document looks at a case study on home control systems. Many of the systems used in homes are also appearing in offices, and not just at the SME level. In addition, IoT provides a risk factor for business users in the current WFH environment. The security checklist in this document is backed by a set of comprehensive plans on how to define a security policy. It goes far beyond the current enterprise checklist of endpoint software and VPN. Importantly, it defines the need to separate home use from business use.
Singapore stepping up the IoT security fight
Around the world, governments are beginning to realise how screwed IoT security is. Many see the phrase ‘Secure IoT’ as an oxymoron. They have, to a degree, a provable point. The problem is that many vendors chose not to spend the money on securing the connectivity section. This is justified along the lines of: “we are not a security company.” This is not just about the home. Look around the office and see how much consumer IoT is in place; industrial IoT is little better when it comes to security.
Matt Walmsley, EMEA Director at Vectra, commented: “The intention to educate and enable consumers around better security practices for their IoT devices is clearly positive and fills an unmet need. That said, voluntary schemes such as Singapore’s recently announced Cybersecurity Labelling Scheme for IoT devices will likely only get picked up by the sub-set of vendors that are proactive about their customers’ and product’s security.
“The CLS’ proposed “security rating” scheme, which aims to indicate and differentiate products “with better cybersecurity provisions”, appears to be a simple idea focusing on basic good practices, but could be complex to ensure ratings are kept up to date as software gets revised and vulnerabilities get identified. I think Singapore’s CLS announcement is more of a positive statement of intent that needs more development in order to be robust and pervasively used.
“Here in the UK, the government initially pursued a similar voluntary scheme around IoT security but soon realised it would have no teeth, and so turned to legislation instead.”
Enterprise Times: What does this mean?
Legislation is one thing but turning legislation into practice takes time and process. Process is what is missing in the IoT space when it comes to assessing the security risks for IoT. A more important benefit here is that this document from IMDA might also close the gap between engineering and IT when it comes to IoT deployments. Giving engineering teams the vendor disclosure checklist to be completed by the suppliers is a good way of getting missing information.
The most important thing of all here is that IoT security is now being taken seriously. The checklists and questions here can be worked into any cyber security policy document. They can also be aligned with any compliance controls an organisation might have.
Additionally, by extending it to deal with the home, IMDA has made sure that WFH does not mean “no security controls.”