Cybersecurity of developing countries is most at risk! Gartner projects that more than 20 billion IoT devices will be connected by 2020. The security of these Internet of Things (IoT) devices, taking cybersecurity in a broader sense, hinges on service continuity and availability. Whether it is a DDoS attack that affects availability or a malicious attack on the configuration that brings down the IoT device(s) or exposes private data, they all converge on the concept of cybersecurity.
LIRNEasia partnered with the Vanuatu Office of the Government Chief Information Officer, Prime Minister’s Office, the Netherlands Radiocommunications Agency / University of Twente and the Internet Society (ISOC) in introducing the Raster Tool and engaging the participants in an IoT cybersecurity assessment exercise. It took place at the Asia Pacific regional Internet Governance Forum (APrIGF2018) in Port Vila, Vanuatu (13-16 Aug, 2018). The intention of our workshop was to raise awareness and give participants a good start in replicating our methods: studying their institutional IoT weaknesses with the Raster method, then assessing and refining those vulnerabilities step by step (supporting Slides).
The participatory exercise involved considering an earthquake alarm system for Myanmar, a high connectivity country. Most downtime in Asia Pacific is caused by ‘natural’ equipment failure (weather and damage), software errors, or plain mistakes by personnel. Hence, continuity and availability require more attention. Awareness of dependencies and of the vulnerability of IoT is the first step, one that many organisations have not taken yet. See the short Video for a quick message on IoT security.
The audience realized how easy it was to apply the simple tool to securing the IoT devices in their own communities. They were able to identify the single and common failures and then determine a mitigation strategy for ‘quick wins’. From past experience, the MPT network was perceived as the weakest link. Mitigating the signal drop and strengthening the reliability of the power supply, with small solar panels and a battery, were recommended by the participants for securing continuity.
Workshop discussions and lessons learned
Confidentiality, Integrity, and Availability are the three aspects of security. In practice, “cyber” is almost exclusively associated with confidentiality and integrity, rather than with cybersecurity in a broader sense. What we learned was that for most governments and corporations, ineffective protections against hackers have been more pressing than preventing accidents, because they believe that the reliability of infrastructures is excellent. This tends to lull organisations into a false sense of safety.
Prior to the exercise, ISOC set the tone with the prevailing cybersecurity challenges in Asia and the Pacific, in line with their 2018 IoT Security agenda (beyond consumer security). ISOC’s Naveed Haq (Director AP Development) and Raul Echeberria (VP Global Engagement) elaborated on Inward and Outward Security. The Raster tool is designed to support analysing outward security; i.e. “focus on potential harms that compromised devices and systems can inflict on the Internet and other users.” The ISOC slides give a quick overview of all prevailing issues and active interventions.
There was an extensive discussion on regulating IoT devices. Telecommunications equipment must abide by national telecommunications regulatory standards and is checked by the regulating authority for frequency and power. However, the authority does not check the firmware or look for security glitches. For an authority to guarantee all security aspects of IoT devices would be similar to the Food and Agriculture Authority ensuring the safety of every food item on the market shelves.
Many of today’s IoT devices are rushed to market with little consideration for basic security and privacy protections. The participants agreed that self-regulation was the key. The cheaper the device, the less secure the components might be. Reputed vendors employ greater efforts and resources to ensure security, but at a higher cost per device. The Online Trust Alliance (OTA) has more than 100 industry, government, and consumer advocates contributing to a framework with a set of actions to raise awareness of IoT devices.