Various companies are trying to transform their business with the recent concept of the IoT (Internet of Things), which connects everything via the internet. However, in reality, connecting things to the internet raises security concerns, such as the theft of information or the sabotage of IoT devices. We asked Masafumi Yamaguchi at the Strategy Consulting Services Department of NRI Secure Technologies about how we should view IoT security.
Comprehensive security is important
——Why is demand for IoT security increasing?
At conventional manufacturing sites, closed networks were used to perform production management, etc. However, now companies are switching to environments that use open networks such as the internet in order to visualize data, etc., and this has led to increasing concerns about security. Of all industries, the automobile industry has made the most progress regarding IoT security. Due to the trend for connected cars, manufacturers and suppliers are adopting measures to increase the security of things. Furthermore, industries that provide important infrastructure such as electricity, gas, water, and public transportation are being told by the government to enhance their security and are implementing corresponding initiatives.
——What do you think is important when thinking about IoT security?
With IoT security, it is important to protect not only individual devices but also the networks (such as gateways) that collect and transmit device information, and the systems (such as cloud systems) that process that information. It is also important to consider security from an overall perspective that includes not only the end-point IoT devices (such as automobile devices, household appliances, and security cameras) but also the control systems and infrastructure at the plants that develop devices. For example, in cases where data collected by devices is analyzed using big data technology on the cloud, attacks cannot be stopped simply by protecting the devices. This is because attacks can target the cloud and lead to information leaks or unauthorized attacks against devices based on the obtained information. Furthermore, if the security of the control systems at plants that produce devices are not sufficiently protected, not only can the production line be stopped by attacks, but there is also a risk that malware will be injected into the devices that are produced. These risks cannot be avoided by only focusing on protecting the end-point devices.
Including safety in the concept of "CIA" security
——How does IoT security differ from IT security?
In the security world, we have a concept called "CIA." This stands for confidentiality, integrity, and availability, but with IoT security we also need to include the perspective of safety. Safety at manufacturing plants has been standardized by ISO and IEC, but the perspective of security was missing from such standards. For example, until recent years it was unimaginable that a cyber attack could cause devices to run amok and threaten human life. However, evolving methods of attack are giving rise to threats not covered by existing national and international standards. That is why we provide consulting that emphasizes safety in addition to confidentiality, integrity, and availability.
——What is your advice to companies that want to enhance their IoT security?
First of all, they need to watch IoT trends both inside and outside Japan. There are already several guidelines regarding IoT security in Japan and consortiums, etc., are being created overseas to formulate guidelines. I think it is important to keep an eye on such trends to ensure that the company does not fall behind the times. It can also be effective to participate in communities in the industry to collect and share information. An organization for sharing security information is called an ISAC (Information Sharing and Analysis Center) and there is already a financial ISAC for sharing information between financial institutions, and even an Auto-ISAC for doing the same for IoT, etc., in the automobile industry. I believe that it is important to use such communities to understand competitor trends and how much one's own company has achieved, and then think about suitable security measures based on that information.
Creating a society where the required devices and services can be used without a second thought
——NRI Secure Technologies provides IoT security consulting services. What are the features of such services?
We offer three main services; consulting about what kind of security measures need to be implemented, diagnosis relating to the implementation of the control devices and embedded devices used in the IoT or the actual things that are manufactured, and assistance for executing the promotion of security measures. In addition to a consulting team, NRI Secure Technologies has a technical team that provides security solutions, security operation services (for security device operation and log monitoring, etc.), diagnosis, and implementation. These teams work together to provide customers with the security measures they require. NRI Secure Technologies also cooperates with GE Digital to diagnose IoT devices and provide services for certification.
——In conclusion, please tell us your thoughts about security.
Security is something that is usually invisible. It is normal for incidents to not occur, and when one does there is big trouble. We have been involved in the security business for a long time. Our goal is to support a society that allows people to live with peace-of-mind, and I believe that we have a duty to provide services to achieve this. As I mentioned today, the field of security is expanding in scope; from IT to OT (Operational Technology), and now IoT. We are living in a time where the things we use in our daily lives are subject to threats. I want to create a society where the required devices and services can be used without thinking, and without being afraid of cyber attacks.
Nomura Research Institute, Ltd.
Corporate Communications Department