Treasury and the Service Propose Regulations on Cloud and Digital Content Transactions

Introduction

The Internet of Things (“IoT“) has a strong presence in modern business and in daily life. It connects the physical environment with a wide range of devices to allow for interaction through information and communication systems. Such devices include connected wearables, smart buildings, video surveillance and analytics.

However, greater connection between devices brings greater risk of cyber security threats, especially with the increasing adoption of IoT solutions among consumers, businesses and governments. Personal or commercially sensitive information can potentially be accessed through vulnerabilities in IoT devices, and compromised devices can be subject to unauthorised control. Protection from such threats is therefore a national priority.

To address this vital issue, on 13 March 2020, the Infocomm Media Development Authority (“IMDA“) launched a new IoT Cyber Security Guide (“Guide“). The Guide was developed by IMDA after taking in comments from IMDA’s public consultation in January 2019, and in consultation with the Cyber Security Agency of Singapore (“CSA“).

The Guide aims to offer enterprise users better guidance on procuring, deploying and operating IoT technology, while enabling solution providers to verify the security posture of their solutions. It provides baseline security recommendations for the implementation phase and the operational phase as well as checklists for the threat modelling process and for self-disclosure by enterprise solution vendors.

This Update highlights the key features of the Guide.

Scope of the Guide

The Guide is directed at assisting enterprise users and their vendors that intend to deploy IoT solutions, and is applicable to:

  1. IoT developers who want to design, develop and deploy secure IoT products and systems;
  2. IoT providers who need to roll-out, configure, operate, maintain and de-commission IoT systems securely; and
  3. IoT users who want to procure and interact with IoT systems.

Baseline Recommendations for the Implementation Phase

The implementation phase of IoT systems covers the design, develop, deploy, integrate and test stages, and usually involves the IoT developers and users.

The Guide provides practical baseline security recommendations for the implementation phase based on four fundamental IoT security design principles:

(a)Principle 1: Secure by defaults

  1. Employ strong cryptography: Industry accepted cryptographic techniques and best practices (such as the use of approved algorithms, sufficient key length and use of updatable cryptography) should be applied appropriately and adequately to the IoT system to ensure the security of data transactions.
  2. Protect impactful data: Impactful data such as keys, credentials, codes/firmware, personal data, inputs/commands and sensing data should be checked for authenticity and protected from disclosure and modifications by unauthorised parties.

(b)Principle 2: Rigour in defence

  1. Conduct threat modelling: Threat modelling should be conducted at the start of the implementation phase, and should account for the intended usage of IoT devices within the defined operating environments. Threat modelling helps to identify the system assets, the security needs of the system assets and the possible threats to them. To facilitate this, a threat modelling checklist is provided in the Guide.
  2. Establish Root-of-Trust: Root-of-Trust provides a tamper protected module that stores and protects the keys of the devices, and should be utilised by key system components that may host sensitive data and execute impactful operations, such as IoT gateways and IoT platforms.
  3. Employ secure transport protocols: Proven transport protocols, which are used to transfer data within and between systems, should be employed with security controls properly activated, wherever possible.

(c)Principle 3: Accountability

  1. Enforce proper access controls: Access to system resources should be controlled and managed throughout its lifecycles, minimising opportunities for malicious actors. Default passwords and weak passwords are the most commonly exploited vulnerabilities. Proper access controls, both cyber and physical, for devices, networks and data should be enforced.
  2. Provide audit trails: All attempts to access sensitive data and alter system resources should be properly monitored and logged so as to keep track of intentional misuse, bypassing of restrictions and misconfigurations.

(d)Principle 4: Resiliency

  1. Guard against resource exhaustion: IoT systems are vulnerable to resource exhaustion attacks. Mechanisms should be employed to protect against malicious attacks such as Distributed Denial-of-Service.

Baseline Recommendations for the Operational Phase

The operational phase of IoT systems covers the operate, support, maintain, upgrade and retire stages, and usually involves IoT providers and IoT users.

The Guide also provides baseline security recommendations for the operational phase based on the same four security design principles:

(a)Principle 1: Secure by defaults

  1. Use strong credentials: Strong passwords should be used throughout the system, and password complexity should adhere to the published international best practices. Minimally, passwords should consist of eight or more characters comprising a combination of letters and numbers. Multi-factor authentication should be enabled, whenever possible, for access to impactful data and operations.

(b)Principle 2: Rigour in defence

  1. Segment IoT and enterprise networks: IoT devices belonging to different networks should be properly segmented from one another and also from other corporate enterprise systems and networks. Firewalls and malware mitigation solutions should be implemented.

(c)Principle 3: Accountability

  1. Establish proper device management: Proper management of devices, such as firmware/software updates and patches, should be established. This includes having an inventory of connected devices, software and firmware versions, as well as applying up-to-date patches and strictly-enforced access controls. IoT users and IoT providers should also subscribe to IMDA’s ISG-CERT and CSA’ SINGCERT to stay informed of newly discovered vulnerabilities and threats to IoT and ICT systems.

(d)Principle 4: Resiliency

  1. Recover from attacks: There should be adequate preparation to fail safely and recover from attacks, especially when the compromise of the system can affect the safety of humans or facilities. Regular backups of system data and regular disaster recovery exercises for systems should be conducted.
  2. Conduct periodic assessments: Penetration testing and/or vulnerability assessments of the IoT system should be conducted periodically. Threat modelling should be conducted as part of vulnerability assessments.

Checklists

The Guide provides two sets of checklists for users and vendors.

The first is a threat modelling checklist, which has been mentioned above. This checklist can be used to guide the threat modelling process and ensure that it is conducted properly and systematically. It uses the STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to help analyse and find threats to the system.

The second is a vendor disclosure checklist which provides a non-exhaustive list of security questions that enterprise solution vendors can use for self-disclosure. It identifies the possible important security capabilities/services that vendors should focus on and also allows users to better evaluate and compare the security aspects of the IoT solutions/systems proposed by different vendors.

Concluding Words

While businesses are increasingly utilising IoT systems and devices to improve business efficiency and productivity, this also exposes them to more cyber security threats. Enterprises adopting IoT solutions should thus take cyber security into consideration at an early stage of their deployment (including vendor selection and network design) so as to to better protect their businesses from threats and vulnerabilities. As highlighted in the Guide, an IoT system is only as secure as its weakest link.

The Guide provides a helpful and structured overview of the cyber security threats that may be encountered at different stages and the security measures that businesses should consider implementing in order to fend off such threats, enabling organisations to navigate the design and use of IoT in a more secured way.

(Excerpt) Read more Here | 2020-05-11 20:34:02
Image credit: source

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.