Engineers call on UK government to improve cyber-security measures

Government, industry, system operators and the engineering profession are being called upon to improve cyber-security and develop the internet of things in a secure and trusted way.

Two new reports, published by the Royal Academy of Engineering and the PETRAS Internet of Things research hub, regard the steps that need to be taken to ensure the safety of connected devices and the internet of things (IoT).

The reports highlight the risk of cyber-attacks on connected health devices, which are of increasing concern due to the severe consequences on patient safety. Devices such as pacemakers and MRI scanners have been identified as being at risk to cyber-attacks, which could cause harm to patients. A workshop with health agencies, manufacturers and government security advisors was held to discuss how best to address these issues.

The increase in IoT devices means that there are issues of data privacy from systems sharing or controlling personal information.

The two reports recommend that digitally connected systems be designed with safety and resilience in mind and that products are ‘secure by default’. Both groups also highlight that government, regulators, organisations and suppliers will need to be constantly responding to the evolving nature of connected devices and IoT.

The reports recommend that cyber-security policies should require transparency throughout the supply chain about the level of cyber-security provided in products and services.

The UK government is also recommended to work with other governments and international organisations on ‘umbrella agreements’ that set out an international baseline for IoT data.

The reports also call on things such as ethical frameworks to be developed and for mandatory risk management procedures to be considered for critical infrastructure.

The UK is highlighted as being in a strong position to lead the development of appropriate international standards and regulation, due to its expertise in cyber-security, safety-critical systems, software engineering, hardware security, artificial intelligence and social sciences.

Professor Nick Jennings, vice provost at Imperial College London and lead author of Cyber safety and resilience: strengthening the digital systems that support the modern economy, said:

“Connected systems underpin improved services, drive innovation, create wealth and help to tackle some of the most pressing social and environmental challenges.

“The reports we are publishing today identify some of the measures needed to strengthen the safety and resilience of all connected systems, particularly the critical infrastructure on which much of our society now depends. We cannot totally avoid failures or attacks, but we can design systems that are highly resilient and will recover quickly.”

Paul Taylor, UK lead partner – Cyber Security at KPMG and lead author of Internet of Things: realising the potential of a trusted smart world, said:

“There is no going back on the Internet of Things, it is here to stay and offers many new capabilities. We should embrace it with a strategy that goes beyond IoT towards the ‘Internet of Everything’, with a greater focus on people, data and processes.

“Government needs to consider whether existing regulation is fit-for-purpose and how IoT interacts with new EU regulation such as the NIS Directive (security of Network and Information systems) or GDPR where IoT processes or controls personal data.”

The reports also place an importance on digital skills and call on government to ensure that current reforms to post-16 education include appropriate levels of skills development for end-users who will implement IoT in the workplace.

Commenting on this, Amir Abramovitch, security researcher at cyber-security firm, Cy-OT, said “We know that a lot of Internet of Things (IoT) devices are insecure, and healthcare devices are no exception. In the last couple of years we have seen multiple vulnerabilities published for a variety of medical IoT devices. The main problem is that the worst-case scenario here is not data theft or malware infection, but death, and the scariest part is that some of these attacks can even happen remotely, where the attacker does not need to gain physical access to the device.

“The vulnerabilities span from simple vulnerabilities such as insecure storage of the Wi-Fi password and hard-coded secret credentials for remote maintenance, to more severe vulnerabilities such as communication interception (e.g. changing the dosage of a drug) and full-on denial-of-service (e.g. making the device stop functioning at all).

“This poses a threat, not only to corporate businesses, but to human life. The good news is that there are possible mitigations for these attacks, and they are quite easy to implement. The problem is that the companies making these devices do not understand the security implications of their poor design, and I hope they will learn it before it is too late.”