Universal approach to secure devices needed: Study

Study sets out several proposals for cyber security

Unsecured surveillance cameras, routers, industrial sensors, smart energy meters and connected medical devices are rising in numbers, threatening to be a source of mayhem in an increasingly "smartened-up" world.

A universal approach to safeguarding these connected devices - collectively known as the Internet of Things (IoT) - is needed.

After studying the threat landscape for about a year, Singapore's Cyber Security Agency (CSA) and its Dutch counterpart - the Ministry of Economic Affairs and Climate Policy - have concluded that government bodies need to play a more active role in tightening legislation and forming a universal certification regime to improve the security of IoT devices.

RECOMMENDATIONS

These are among several recommendations, including technical ones, highlighted in their 107-page joint study titled The IoT Security Landscape, released yesterday.

"Since IoT is a global phenomenon and is not limited by national boundaries, it is essential to align country-specific legislation and adopt a coherent global approach to IoT security," said the study.

Liability laws can be updated to cover security issues and not just safety issues related to property or health harm. This puts the burden of finding, correcting and warning consumers of IoT security dangers on manufacturers.

Certification for IoT devices could be similar to the international ISO standard for, say, quality management, with some baseline measures such as over-the-air security firmware updates for IoT devices.

In making their call for change, CSA and its Dutch counterpart pointed to 2016's massive Internet outage on the east coast of the US that cut off access to websites of The New York Times and Spotify, among others.

The outage was caused by a piece of malware called Mirai, which infected and turned as many as 600,000 Web cameras, printers and baby monitors into "zombies" to overwhelm service provider Dyn's systems in what was a distributed denial-of-service (DDoS) attack.

DDoS attacks work by having thousands of infected devices access a targeted site at once, causing a huge spike in traffic that overwhelms it.

"Vulnerable IoT devices are deployed fast globally and with unknown lifespan, while... common standards and technical solutions for cyber security in IoT are lacking," said the joint study.

Market research firm Gartner estimates the number of IoT devices in use globally will grow from 8.4 billion in 2017 to 20.4 billion by next year. Some government agencies, academic institutes, industry alliances and IoT vendors have initiated ways to tackle IoT security challenges. But there is limited coordination, resulting in market confusion.

"IoT product developers and vendors... may find themselves overwhelmed, or they may take advantage of the lack of clarity to do nothing at all," said the study, which also called for the harmonisation of security recommendations and guidelines.

"Given the continuing exponential growth in the number of IoT devices, there is no time to lose," the study said.
