Government, industry, system operators, and the engineering profession must act together in a coordinated way to improve cyber safety and ensure that the Internet of Things develops in a secure and trusted way, say two new reports published by the Royal Academy of Engineering (RAE) and the PETRAS Internet of Things research hub.
The reports, respectively Cyber safety and resilience: strengthening the digital systems that support the modern economy, and Internet of Things: realising the potential of a trusted smart world, together cover the Internet of Things and other digitally connected systems such as industrial control systems and building management systems.
They acknowledge that digital technologies ‘have a huge variety of applications’ – from industry-level uses such as electricity generation plant, to consumer applications such as fitness devices and smart home hubs, and that the integration of physical and digital systems ‘creates many opportunities to realise economic, social and environmental benefits’. However, they warn that digitally connected systems ‘need to be designed with safety and resilience in mind to minimise future risk’. This is essential, the RAE and PETRAS stress, due to their vulnerability both to cyberattacks and non-malicious events such as natural hazards, or the failure of components, and the impact where systems are interdependent.
The RAE said: “Cyberattacks on connected health devices are of increasing concern, as they could have severe consequences on patient safety. Ever greater numbers of health devices have been identified as being potentially at risk, including pacemakers and MRI scanners.” The working group held a workshop with health agencies, manufacturers, and government security advisors to discuss how best to address these issues.
As the number of IoT devices increases in homes, workplaces, and public spaces, the studies also consider the potential for more aspects of people’s lives to be observed. The RAE said: “IoT devices can violate norms of private space – for IoT systems that control or process personal data, there may also be privacy threats from data sharing.”
The reports recommend that ‘the evolving nature of the challenges will require continual responsiveness and agility by government, regulators, organisations, and their supply chains’. While conceding that ‘there is no silver bullet for improving cybersecurity and resilience’, they call on organisations to demand that products are ‘secure by default’, and recommend a number of measures, including:
- Mandatory risk management procedures should be considered for critical infrastructure, aligned to industry standards. These should set out guiding principles for cyber risk management during design, operation, and maintenance.
- Supply chain transparency – cybersecurity policies should require that there is transparency throughout the supply chain about the level of cybersecurity provided in products and services.
- International ‘umbrella agreements’ on IoT – the UK government should, in tandem with other governments and international institutions, work with the main providers of IoT components, devices, and systems, towards ‘umbrella agreements’ that set out an international baseline for IoT data integrity and security ‘for all parties to adopt’.
- Ethical frameworks that are appropriate to support ethical behaviours on IoT should be developed and applied to help minimise risks to society.
The reports also highlight that the UK is in a strong position to lead the development of appropriate international standards and regulation, ‘as a result of its world-class expertise in cybersecurity, safety-critical systems, software engineering, hardware security, artificial intelligence and social sciences’.
Professor Nick Jennings CB FREng, Vice Provost at Imperial College London, and lead author of Cyber safety and resilience: strengthening the digital systems that support the modern economy, says: “Connected systems underpin improved services, drive innovation, create wealth, and help tackle some of the most pressing social and environmental challenges. The reports we are publishing today identify some of the measures needed to strengthen the safety and resilience of all connected systems, particularly the critical infrastructure on which much of our society now depends. We cannot totally avoid failures or attacks, but we can design systems that are highly resilient and will recover quickly.”
Paul Taylor FREng, UK lead partner – Cyber Security at KPMG, and lead author of Internet of Things: realising the potential of a trusted smart world, says: “There is no going back on the Internet of Things; it is here to stay and offers many new capabilities. We should embrace it with a strategy that goes beyond IoT towards the ‘Internet of Everything’, with a greater focus on people, data and processes.
“Government needs to consider whether existing regulation is fit-for-purpose, and how IoT interacts with new EU regulation such as the NIS Directive (security of Network and Information systems) or GDPR where IoT processes or controls personal data.”
Both reports identify the importance of digital skills. They call on government to ensure that current reforms to post-16 education, such as ‘T levels’ and new apprenticeship standards, include appropriate levels of skills development for end-users who will implement IoT in the workplace. Investment in design and technology education, ‘as a subject that provides excellent opportunities for young people to understand the interfaces between physical and digital systems, as well as practical opportunities to apply this’, is also recommended, following the example of recent investment in computer science in schools.