The omnipresence of the Internet ensures cost-effective and continually available connectivity for devices, systems and processes. More and more manufacturers recognize the consumer and user data generated in this way as a value in its own right and as the basis for new and profitable business ideas. Many users also consider it normal to exchange personal information for supposedly “free services”. If, however, security incidents occur, equipment manufacturers now face the threat of drastic penalties, not to mention damage to their reputation. What advice should be given to manufacturers who want to avoid damage to the image of their organization or prevent a legal dispute? “Definitely monitor the threats and risks, and act accordingly,” say Nigel Stanley and Mark Coderre from TÜV Rheinland with conviction. The two cyber security experts present the current status quo regarding the IoT and cyber security, and provide strategic recommendations for avoiding security vulnerabilities in IoT devices as far as possible.
The intelligent use of IoT devices and of the data they record can improve our standard of living and manufacturing productivity. The numerous possibilities of big data analysis – in which data are examined specifically for useful information – are opening up new and exciting commercial opportunities. The basis for these new business models is the Internet of Things (IoT). More and more manufacturers are supplying products or services through which the advantages of the Internet and the World Wide Web can be used comprehensively.
Manufacturers of medical devices recognized at an early stage that the lives of patients and doctors can be improved by equipping devices with IoT functionality. Good examples of this include the large number of blood glucose meters which are controlled by a smartphone and transmit data via the Internet. This makes it somewhat easier for those affected to manage diabetes while on the move. However, some manufacturers of medical devices adapted them to the IoT very prematurely, without considering or solving the associated cyber security problems. Vulnerabilities such as
- inadequate or faulty software or firmware which does not address the sensitivity and integrity of medical data and/or functions,
- incorrectly configured network services with unencrypted transmission of patient data,
- security and data protection problems, e.g. use of weak passwords or excessive assignment of privileges to unauthorized users, which can serve as an entry point for attackers,
are just the tip of the iceberg. One of the best-known cases in the health care sector occurred in 2015. The Federal Drug Agency (FDA), the American federal authority for drugs and medical products, warned against Hospira’s Symbiq Infusion Systems at that time. An unauthorized third party could have taken control of the infusion pump via the hospital network and altered the administered dose. Fortunately, no specific incidents were known. However, the Symbiq Infusion System was taken off the market because further vulnerabilities had also come to light.
Another product also came to a quick end recently here in Germany: in 2017 a toy doll was banned on account of security concerns. The My Friend Cayla doll used speech recognition technology via a service domiciled in the USA. The data from the audio recordings proved to be insecure and could, according to the end user license agreement, be forwarded to third parties. The product was removed from the market in accordance with the Espionage Act, an American federal law. In another incident, two million voice recordings of children made by CloudPets cuddly toys could temporarily be accessed by anyone online due to an insecure database.
Needless to say, all of these cases involved at least business-critical damage to the company’s image. What advice should be given to organizations wanting to avoid such cases? One of the first steps is to integrate IoT cyber risk into the organization’s risk register and to perform a DICE assessment for all planned products and services. DICE is an inherent risk assessment approach, developed by TÜV Rheinland, which stands for “Dependency”, “Impact”, “Complexity” and “Ecosystem”. According to the DICE criteria, the decisive factor in assessing a system, a process or a device is that suitable and cost-effective risk management measures are implemented. All products and services should be subjected to a DICE assessment as part of a strategic plan. Identifying the point at which security becomes an important or critical factor for end consumers and for a company’s own brand is certainly vital.
Testing and certification of IoT services can also provide qualified proof that manufacturers are securely protecting their customers’ personal data and are processing these data transparently for their customers. TÜV Rheinland, for example, offers a product certificate and a service certificate through which product manufacturers and service providers can show that their offering was tested in accordance with the provisions of the European General Data Protection Regulation (EU-GDPR). During the IoT tests TÜV Rheinland evaluates, for example, the extent to which processes and measures are in place to prevent security incidents and to react appropriately if they occur.
Compliance alone does not keep your products secure. Only when manufacturers monitor the threats and risks associated with cyber security and act on the findings can they concentrate on their product innovations – confident that they have implemented all the necessary measures, including those that genuinely account for dynamic developments. TÜV Rheinland’s White Paper entitled “The Challenge of IoT” contains more information on the DICE system and a checklist of the most important cyber security recommendations for manufacturers of IoT devices. The White Paper is available for download from TÜV Rheinland.
About the author: Nigel Stanley is a subject-matter expert for information security, cyber security and risk management at TÜV Rheinland and has more than 25 years of experience in the IT industry. He is a recognized thought leader and expert who has delivered complex cyber security projects for small and medium-sized enterprises as well as large corporations. He has extensive knowledge in the areas of cyber security, information security, risk management, data breach response, digital forensics, incident management, cyber warfare, cyber terrorism, mobile device security, BYOD, smartphone security, application development, software development, systems engineering, Supervisory Control and Data Acquisition (SCADA) and industrial control systems. Nigel Stanley is a graduate engineer and a member of the Institution of Engineering and Technology (IET), where he sits on the cyber security steering committee. He is also a member of the Institute of Electrical and Electronic Engineers and the British Computer Society. He holds an MSc in information security from Royal Holloway, University of London, where his MSc dissertation was awarded the Royal Holloway University Smart Card Centre Crisp Telecom Prize.
About the author: Mark Coderre is a senior executive with more than 25 years of experience implementing cyber security in the healthcare and insurance sectors. He works as National Practice Director at TÜV Rheinland, focusing on CISO advisory services, identity management in healthcare, and Governance, Risk & Compliance (GRC) management. In his previous position at Aetna in Hartford, Connecticut, Mark Coderre served as Executive Director for Security Strategy and Risk Management. His approach to information security is forward-looking yet pragmatic, grounded in his professional background in security engineering and enterprise architecture. Mark Coderre recently played a leading role in adapting best practices from the financial sector to healthcare, establishing a programme of international significance. He is highly regarded across the industry and has received, among others, the 2013 CSO Magazine Award for International Governance, Risk & Compliance, the 2014 RSA/Archer Operational Risk Management Award and the Liberty Alliance Federated Identity Deployment of the Year Award.