CIOs visualize an imminent IoT security storm

Roundtable Attendees:

Gareth Bridges - Business Manager, Security and Information Management,


Andy Bien - IT Director, Airport Authority Hong Kong

Praveen Kancharla - VP & Chief Engineer, GWB Infrastructure Solutions & Delivery,

Bank of America Merrill Lynch

Michael Leung-Chief Information & Operations Officer, China, CITIC Bank

International Ltd

Lawrence Lo - GM, Corporate Risk Management & Compliance, HKCSL

Christoph Ganswind t- Executive Director, Information Technology, Hong Kong

Jockey Club

Dale Johnstone - Senior System Manager (IT Security & Risk Management),

Hospital Authority

Dennis Lee - Head of IT Risk & Control, Asia, Nomura International (Hong


Ted Suen - Head of IT, MTRC

Mui Chee-Leong - VP & CTO, Asia Division, Manulife International Ltd

Jacqueline Teo - Head of IT Services, Telstra Global

Franky Tse - Assistant GM, Head of IT, Public Bank (HK)

If media reports and technology vendors are to be believed, then the world of artificial intelligence, smart cities, and a life of automated-everything is just around the corner. The surge of hype around the Internet of Things (IoT) has stolen the thunder of big data and cloud, the last two technology trends dominating headlines.

According to Gartner, there are 0.9 billion connected devices today, all communicating at some level of machine-to-machine connectivity. By 2020, Gartner predicts this will swell to 26 billion devices, including sensors in cars, homes, and the streets we walk and drive on.

The benefits are immense, but the flip side--according to Gareth Bridges, business manager, Security and Information Management, Symantec--are the unknown security threats brought by this massive sprawl of connected devices and sensors.

Bridges suggested that devices as diverse as TVs, vehicles, ATMs, health systems, and industrial control systems, could be open to attack in the near future as they become connected to the Internet and to each other.

Growing attack surface

These connected devices may pose a risk even without Net connectivity as the threats are not exclusive to Web-enabled devices. Recently, ex-politician Dick Cheney had the wireless capability on his pacemaker disabled as there were concerns that it could be hacked in an assassination attempt.

"We're seeing lots of things like this: attack vectors that didn't exist before, and now require serious thought," said Bridges. "As these things become more connected, you end up with a much greater attack surface."

One area where connected devices are on the rise is in healthcare. IoT promises a transformation of the healthcare delivery landscape as remote health-monitoring and automation of processes is accelerated by more connected devices.

Dale Johnstone, senior system manager (IT Security & Risk Management), Hospital Authority, said that Cheney's pacemaker incident drew attention, and supplemented a further challenge that health providers face, which is to maintain the integrity of devices and equipment within internal networks.

Tightening governance

Johnstone stressed that all medical equipment within the Hospital Authority is strictly managed and protected from external networks--everything is managed within the internal environment. Given the high risk nature of medical equipment, everything is tightly governed, and installing additional security on medical devices is very carefully considered as many devices are highly regulated and need to be balanced from a compliance perspective.

"From a security perspective and as a hospital authority, we're aware of the issues that IoT may bring," said Johnstone. "Currently, all devices we use are controlled within our own networks so exposure to the Web is limited."

Another industry that IoT is already affecting is transportation. At the Hong Kong Airport Authority, IoT is viewed as an opportunity to enable smart airport initiatives. Andy Bien, CIO at the Airport Authority, said that connected devices, objects and sensors will be used to inform management of real-time situations and performance in the airport.

"Besides the passengers and people we serve, we also want to track the movement and status of objects and equipment within the airport," said Bien.

The Airport Authority is already a world leader in the adoption of RFID for luggage-tracking and Bien predicts that by the time the planned Hong Kong Airport expansion is complete, technology advances will be key to enabling a more dynamic operation than the one he oversees today.

But on the security challenges of IoT, he believes the key issues are identity management and governance. "Technologies, devices, protocols and access methods change constantly, but to stay on top of security we must remain consistent in the management and governance of these changes," said Bien. "Establishing the proper standards and controls from the beginning is critical in enabling this new world of connected devices."

Identity and control

RFID-tagged baggage is currently used only at Hong Kong Airport, but Bien suggests that, in the near future, we might see permanent RFID tagging of bags--which could be further connected to a number of applications, such as frequent-flyer programs. The challenge in this scenario according to Bien: what standards are required to authenticate identity and control access?

Christoph Ganswindt, executive director of IT, Hong Kong Jockey Club, agreed that the standards issue hinders wider adoption of new technologies like RFID. He also raised the issue of data protection concerns when these higher levels of connectivity are finally enabled.

"Right now it's great for the Hong Kong Airport Authority to implement an RFID system to track baggage," he said, "but that's of no use when that bag arrives at another airport. There needs to be global standards for these use-cases to realize their potential value."

Ganswindt added that the industry has evolved greatly in making sensor technology like RFID more prevalent and standardized, but much more needs to be done to make IoT a reality.

The HKJC director gave the example of BMW, which has installed sensors and embedded SIM cards in their cars since 2002. In Germany, every BMW vehicle's embedded SIM allows the manufacturer to monitor the vehicle for speed, distance, location and other data, but this feature isn't activated in Hong Kong.

"The question: when this is activated [in Hong Kong], what will BMW do with the data?" said Ganswindt. "I bet insurance companies and the police will be interested in this information, but what about data privacy and data integrity?"

"This is a huge issue for the ongoing development of these technologies," he said. "As someone on the board of a company, I would be cautious--I'd ask questions like: 'Do I really need this device connecting to the Web, and is the risk greater than the benefit?'"

IoT multiplier effect

According to Mui Chee Leong at Manulife, the insurance industry views IoT as something that can deliver a better customer experience through more real-time interaction and processing of insurance services.

"Point of sales and payments are increasingly important for us within the insurance sector," he said, "and technologies that can further help us deliver straight-through processing are of great benefit to our distribution and our customers."

But once again, standards are a key stumbling block. "We don't want to be in a situation like Bitcoin, where there's no regulatory framework surrounding it and things just fall apart," said Mui.

He highlighted the current state of mobile diversity and the challenge in securing an environment with so many platforms and non-standard elements. "If we extrapolate this diversity and standards challenge to IoT, the problem is going be even more pronounced," said Mui.

Hardening security

Symantec's Bridges acknowledged these issues will not be solved anytime soon, and so far IoT and the security solutions based on these technologies is driven by specific vendors rather any standards bodies.

Symantec is actively working with industry bodies across various verticals to deploy additional security around connected devices. For example, aircraft manufacturers are evaluating additional tracking technology, PKI encryption and digital certificates across a range of devices and components to maintain integrity.

In banking and finance, hardening of ATM security is something Symantec is currently implementing with manufacturers.

"But perimeter hardening is only the first phase to improve security," said Bridges. "There are so many other ways to infiltrate that the traditional firewalls and network protection will not suffice--nowadays you're unlikely to be hacked through your firewall, it's more likely that a device within your network is compromised."

Jacqueline Teo, head of IT Services, Telstra Global, said that while there will be billions of connected devices and sensors in years to come, not every one will be a computing device. When assessing possible vulnerabilities, the prospect of billions of insecure endpoints is alarming, but Teo notes that sensors in pavements, parking meters, and roadsides clearly do not represent the same level of risk as a smartphone.

She added that understanding the appropriate level of risk is key to managing future threats. "To what extent do we secure all these risks? What security is appropriate at each of these endpoints?" said Teo.

Johnstone agreed that it all depends on the purpose of the end-device, and if it's simply an input device for relaying information, then the risk is probably low--depending on the sensitivity of the data.

"Clearly there's not one simple profile for devices," he said. "You need to look at the circumstances under which the device fits into the picture. With sensors, the most important thing may be the integrity of the data in the backend, or maybe the identity of that device."

"The point is not to crack a walnut with a sledgehammer. Don't apply security controls you don't need to," he said.

Johnstone was also keen to stress that industry bodies and standards organizations are well aware of IoT risks, and committees are actively addressing these security issues.

"It's easy to pick up on reports that nothing is being done to address IoT standards and security, but people are looking into this seriously," he said. "Just don't expect anything anytime soon as discussions are not mature at this stage, and getting international consensus on standards is challenging at best."

Join the CSO newsletter!

Error: Please check your email address.

Tags Networkingsecurity

More about Bank of AmericaBMW Group AustraliaEMC CorporationGartnerIT SecurityMTRCNomura InternationalSymantecTechnologyTelstra Corporation

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Chee-Sing Chan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts