By Kanishk Gaur
Between March and April 2020, India witnessed a staggering 86% increase in cyber-attacks. As per a Subex report, 51% of the registered cyber-attacks were via internet of things (IoT) devices.
Covid-19 has exposed even more security weaknesses in the Indian information infrastructure. As the internet becomes more pervasive, IoT devices are being put to use by almost all sectors. The Indian telecom industry is heavily dependent on the adoption of IoT to monetise 4G, and push forward 5G trials; the automotive sector is relying on IoT for connected vehicles. The oil & gas market, nuclear, manufacturing and chemical industries are keen to leverage IoT to manage supply chains, improve efficiency and reduce costs. However, a key challenge faced by multiple sectors is securing the internet of things. And, in this regard, no policy, standard or governance framework exists in India so far.
The Indian healthcare ecosystem is steadily moving towards smart medical devices, digital operation theatres and digital pharmacies; however, there is no call for standardisation from regulatory bodies such as NABH to safeguard the Indian healthcare industry from cyber-attacks. Even though the new, advanced medical equipment deployed in hospitals today is IoT-enabled, and a majority of it is imported into India, sadly, there are no baseline criteria or labelling scheme available to test the security of these IoT-enabled medical devices.
The bigger issue is that most of the sectors using digital technologies or integrating emerging technologies do not, to date, have a digital risk element defined by their sectoral regulators.
A national cyber strategy highlighting the key risk to these sectors is also lacking, as it is still awaiting the cabinet's nod. Hence, fighting ransomware, advanced persistent threats and malware is becoming tough for the industry, which doesn’t have a framework to rely upon to test or audit its systems.
Earlier this year, the European body, ETSI, released a consumer IoT security standard. The standard specifies high-level security and data protection provisions for consumer IoT devices, which include IoT gateways, base stations and hubs, smart cameras, TVs, smart washing machines, wearables, health trackers, home automation systems, connected gateways, refrigerators, door locks and window sensors.
This standard provides a minimum baseline for securing devices and sets provisions for consumer IoT. It lays the foundation for setting strong password controls for IoT devices by stating that all consumer IoT device passwords must be unique.
In India, and across the world, we see consumer IoT devices being sold with universal default usernames and passwords (such as “admin, admin”). The biggest risk, with respect to IoT devices, is the use of universal default passwords.
A best practice to fix this issue is to set up unique pre-installed passwords for each device. Singapore is an excellent example in this regard. The Singapore market labels different kinds of IoT devices by category and defines controls for each device. Under this scheme, each device entering the country gets labelled under a category and receives a unique code and defined guidelines to be followed to secure it. The scheme also sets a minimum baseline security standard for different kinds of IoT devices.
In a country like India, where IoT devices are imported from China, Taiwan and South Korea, a labelling scheme like this could tackle the security risk and also address issues with respect to privacy.
IoT, today, has larger consequences for industry, and hence multiple government departments and agencies have been working on IoT security. IISc Bangalore has been leading research to build models to secure and manage data from IoT devices.
While many of the working groups under these ministries talk to each other through common committees such as BIS/LITD, a common arrangement defining and allocating areas of responsibility and ownership is clearly missing.
These concerns were discussed at a recent event organised by “India Future Foundation” in partnership with the office of India’s National Cybersecurity Coordinator. One suggestion was to create a central working group under the office of the National Cyber Security Coordinator, which could help these multiple departments collaborate on tackling IoT security threats.
Stakeholders from MeitY, DoT, C-DoT and smart city councils also delved into the need to address security and privacy considerations, given that India is currently moving towards finalising the Data Protection Bill.
The government needs to create a national task force to tackle emerging safety and security risks in the field.
The author is founder, India Future Foundation