Industry view must be considered while preparing IoT security policy and standards in India
By Kanishk Gaur
State-sponsored data breaches have become one of the significant pain points for the Indian government and companies. Recent attacks on utilities and data breaches for some large consumer tech start-ups show that India needs to tackle this issue seriously. Moreover, this issue is compounded by the fact that the country does not have any standards to secure the internet of things and connected ecosystems. There are no baseline tests to certify such products.
The changing geopolitical scenario and the emerging threat landscape have led to a surge in the overall attack surface of the Indian information infrastructure, as the country has increased the adoption of connected devices and services, and upgraded its critical infrastructure.
India’s ambitious projects on digital, smart connectivity depend heavily on internet of things (IoT) devices and applications. However, so far there is no policy, standard or framework that India can leverage to secure them. With increased cloud and emerging technology usage and rapid 4G adoption, industry has also been facing problems.
Given that 90% of cyber-attacks are on legacy systems, digital transformation must be the first step for the industry to take to consider security.
The challenges for data integration, such as lack of a testing framework, absence of end-to-end solution testing, need for IoT SoC and lack of skill in IoT, need to be addressed. With no data protection policy, managing privacy and security requirements becomes another grey area. Any policy for IoT devices must have an architecture specification defined in it.
Narendra Nath, joint secretary, National Security Council Secretariat, highlighted the need to secure personal and non-personal data related to IoT devices following the IUDX (Indian Urban Data Exchange) model.
At a recent IoT Security and Safety awareness conference organised by India Future Foundation, Lt General Rajesh Pant, National Cybersecurity Coordinator, spoke about measures to enable a connected ecosystem via progressive policies. He also praised the IoT labelling scheme by the Cyber Security Agency of Singapore and spoke of how it can be a best practice for an Indian IoT security framework.
The Cyber Security Agency of Singapore (CSA) has launched the Cybersecurity Labelling Scheme (CLS) for consumer smart devices to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace. Under the scheme, smart devices will be rated according to their cybersecurity provisions to enable consumers to identify products with better cybersecurity features to make informed decisions.
Currently, smart consumer devices are often designed to optimise functionality and cost and to have a short time-to-market cycle, where there is less scope for cybersecurity to be incorporated into product design from the beginning. However, the Singapore government will introduce the labelling scheme to Wi-Fi routers and smart home hubs. These products are prioritised because of their wider usage, as well as the impact that a compromise of the products could have on users.
In the UK, the Department for Digital, Culture, Media and Sport (DCMS) has been leading the UK’s work to improve the cybersecurity of consumer IoT products.
DCMS is developing legislation to ensure that IoT products have security built into their design before they are put onto the market, thereby protecting consumers while promoting innovation. As part of this work, DCMS has been extensively engaging with other governments such as India and Singapore to share best practice and encourage alignment. Additionally, DCMS has contributed to international standardisation efforts, particularly the recent drafting of the European Telecommunications Standards Institute’s EN 303 645, the first international standard for consumer IoT security. In preparation for legislation, DCMS is currently refining its regulatory approach including the products in scope, the security requirements that must be adhered to, the proposed obligations for producers and distributors, and potential enforcement measures.
There is a need to synchronise the inputs of the industry to determine the new policy. The Indian government is preparing the National Cyber Security Strategy and is seeking cabinet approval. However, IoT is a key aspect that the new Cyber Security Strategy must address given its wider implementation in programmes, such as smart city, and sectors like healthcare, manufacturing, telecom, automotive, oil & gas.
The cybersecurity strategy must be in sync with the new emerging tech policies the government is preparing. There is a proper allocation of resources and budget for successful implementation in India.
The author is founder, India Future Foundation. Views are personal.