Internet of Things (IoT) ecosystems are underpinning more and more services across the UK.
They have their place across the public sector and our critical infrastructure, supporting the efficiency and resilience of the country in delivering vital services. Before we look at cyber security in an IoT context, it’s worth recounting how we arrived in a connected world.
The history bit
The forerunner to IoT is really the PSTN (Public Switched Telephone Network). It is one of those great inventions that led to subsequent innovation and provided several tipping points of economic growth and prosperity around the world. The same is looking to be true for IoT.
British Telecom (BT) and its supply chain have been a leader in this area. If I recall from my time as an apprentice at GPT, a leading manufacturer of Carrier-Grade telephony systems at that time, the software control and developments took ~6000 man-years of cumulative development hours across 1976 to 1981. Clearly a significant amount of time (and effort!), especially noting the tools and methods back then seem archaic compared to the ‘no-code’ artificial intelligence toolsets of today.
BT at one time also boasted the largest database in the world, storing CDRs (Call Detail Records). This is the ‘data monetisation’ organisations seek today, and also why the PSTN is the seen to be ‘mother of IoT’. The system connected end-points (phones and modems), aggregated them via gateways (concentrators), provided the core control and connectivity through a ‘software-defined network’ (called Basic Call State Model back then), and then storied all these transactions in a database or a platform. As a former Systems Manager at GPT reminded me recently “PSTN is a paragon of the cyber-security world as it was initially designed on the assumption that it would be a closed trusted system”.
Even the mobile providers of today, whether 4G, 5G or 6G follow the same architecture and principles to deliver the communication services we use on a daily basis.
...and the hacking begins
Alas, it wasn’t a perfect world. There were vulnerabilities but the attack vector was relatively smaller than it is today, and in my opinion, due to limited connectivity of devices. Take for example the classic ‘2600Hz’ AT&T tricks, referred to as Phreaking, used to get free phone calls by effectively resetting the phone line.
Some individuals used this ‘hack’ in conjunction with social engineering, and the events behind it actually formed a book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, which really highlights the ease of social engineering in cyber-crime. Social engineering is tethered to the ‘insider threat’ which remains the most significant risk for organisations today across infrastructure. In many instances, these risks can be designed out through focussed efforts on system design and systems proving, and of course, regression testing, which may be considered a lost art due to its perceived cost. It is however, this investment that underpins an organisation’s resilience.
The growing multiple attack vector problem
The attack vector space also increased significantly when the PSTN opened up to competition and third parties were allowed to interconnect through largely open and unguarded interfaces… hence all the problems with silent calls and so forth. The same issue is realised today when systems are built from multiple parties, which then require a ‘systems approach’ to provide resilience.
However, what was designed in at the core of GPT’s System-X product was resilience. And this was right at the code level with system checks being performed before the software took action - systems resilience at its best! Alas, sometimes with the ease applications are developed today, this aspect is forgotten. The resilient software development was the basis of System X and the PSTN, which is considered critical infrastructure, and this approach should be the same for any mission-critical system its deployed in, public or private.
Mark Roberts, government lead for cyber security at Capita suggests that “a key challenge today is the physical location of IoT sensors, which may not have the security robustness built in, and when cited in the field, lack the physical security that exists purely in the cyber world, such as being deployed in a “data-centre”. Default passwords, known vulnerabilities, firmware updates – these are all the hygiene factors we know about, and there should be no excuses for these issues, most are avoidable. The principle of the TPM approach (Trusted Platform Module) should proliferate across the supply chain”.
Multiple attack points across the supply chain with mixed approaches.
The security threat
Fast forward to today. There is still a need for design with fundamentals in place to secure the systems we build, and provide the resilience needed for both the solution and the organisation. Cyber security in IoT ecosystems is critical and systems resilience must be the building blocks for anything we do.
Specifically, for IoT, ‘outside threat’ is the core issue as these systems largely operate in the ‘cyber-physical’ world using sensors that can be tampered with. The IoT value chain shows all the constituent parts in an IoT ecosystem. It also highlights the attack vectors, many of which have open interfaces that increase the number of attack points that we need to protect and manage.
These days, attack vectors are literally limitless. The IoT value chain has a variety of stakeholders and suppliers and realistically this means a complicated supply chain that develops devices to open standards that are adopted by the manufacturer, many times in isolation, and thereby paving the way for vulnerabilities.
Roberts continues, “the current designs are nothing really new. Good approaches to security design are timeless, and we’ve gotten better over time with the introduction of various frameworks, risk management processes and overall good practice.”
Choosing the right framework for the project is paramount to success and requires the context to be taken into account. I often use the phrase that “if Carlsberg did IoT, then they would have done the SmartDCC”. This is because it is one of the biggest, most secure and visionary IoT projects in the world, getting near real-time energy usage across the UK to manage supply and demand, not to mention supporting the resilience of our Country’s infrastructure. Specifically, it was underpinned by ISO27001 (an information security standard) to adhere to an information security management system and uses PKI (Public Key Infrastructure) and AES (Advanced Encryption Standards), amongst other resources. In fact, the design of the trust model and Public Key Infrastructure aligns with the UK government’s National Cyber Security Centre requirements.
There will always be threats, and despite what you might hear, in practice there’s no such thing as a secure network. Various systems and technologies, such as IDS (Intrusion Detection Systems), are common practice today and while security technology exists, it’s more a matter of design, management and operation of the systems. In the example above on the SmartMetering project, an operations centre is an expected component to visualise and oversee the status of the system. (A compendium of technology and systems can be found on sites sans.org or isc2.org).
Securing the future, by securing the system
Fiction often precedes reality, and the most realistic TV show to feature the attack space for IoT has to be Mr Robot. In particular, the audacious BMS/HVAC (Buildings Management System / Heating, Ventilation, Air-Conditioning) attack scene in the 2015 episode eps1.4_3xpl0its.wmv. The reality is that these issues are now here, and the TV show highlights the direct and indirect attack space that we have to defend and mitigate against.
In taking a ‘secure by design’ approach, as mentioned with the SmartDCC Metering project, Capita has also taken the same approach in delivering the Congestion Charging and Low Emission Zones in London. The solution had to be capable of operating in real time, securely processing and storing data such as vehicle, location and customer payments to provide a robust and resilient system compliant with GDPR, whilst maintaining the core requirement of the five pillars of information security (Confidentiality, Integrity Availability, Non-repudiation and Authentication).
The principle design of IoT systems can be achieved through several reference frameworks (IIC, IoTAA, ISO etc), albeit this only provides the basis for the underlying design, not the subsequent systems proving, and should be applied to the relevant context/industry. With the advance of IoT we’re creating multiple PSTNs and each and every one needs to be robust.
In my opinion, the ‘secure by design’ approach needs to at the forefront of any IoT service provision. Anything less would leave the door open for Mr Robot and friends.
Paul Thomas
Capita Consulting
Paul is part of Capita consulting, covering a range of services associated with Smart Buildings, Data Centres, Critical Infrastructures and IoT (Internet of Things). With over 20 years of accumulated knowledge in telecoms, ICT, networking and security, Paul brings a more holistic approach to his role.
Mark Roberts
Capita Consulting, Partner – Defence and Cyber
Mark is a Partner in Capita’s Consulting business. He joined in January 2020 with specific responsibility for developing business for Capita Consulting in the Defence and Cyber Security markets.
