Security by design vital to protecting IoT, smart cities around the world, says CEO of UK NCSC

A secure by design approach is vital to protecting the internet of things (IoT) and smart cities, according to Lindy Cameron, CEO of the UK National Cyber Security Centre (NCSC). Cameron spoke during Singapore International Cyber Week, calling for swift ongoing action to ensure connected devices are designed, built, deployed, and managed securely to prevent malicious actors, improve national resilience, and reap the benefits of emerging technologies.

Growth of IoT giving rise to increased security threats

The scale of consumer-, enterprise-, and city-level IoT has exploded in the last decade, Cameron said, and the magnitude of changes coupled with growing dependency on connected technology has introduced significant security risks. “That is why now is the time to make sure we’re designing and building them properly,” she added. “We all know that connected places are an evolving ecosystem, comprising a range of systems that exchange, process and store sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors. The threat posed by nation states is particularly acute.”

Some countries will seek to obtain sensitive commercial and personal data from other nations, including from the UK, while countries may also seek to influence a supplier or cause disruption to overseas services, Cameron said. “Suppliers that are part of corporate groups based in these countries may be subject to influence from the host government to access and exfiltrate data from connected places, in support of that government’s security and intelligence services.” Such suppliers may also be used as vectors for attempts to take down essential services overseas, causing possible destructive impact and endangering local citizens if systems were switched off, she said.

Standards, legislation are key to securing IoT, smart cities

Workable international standards hold the key to shepherding connected technology towards a more secure future, Cameron said, citing the UK Product Security and Telecommunications Infrastructure Bill – currently working its way through the UK Parliament – which seeks to enshrine secure by design principles in law. The bill places new cybersecurity standards on manufacturers, importers, and distributors of internet-connectable devices, along with ensuring the security of connected devices on the market. The guidelines, combined with the availability of new international IoT standards, make legislation much simpler to put in place and for industry to follow, Cameron said. “However, if they are going to have effect then we need the commitment of governments and manufacturers around the world to enforce these standards. That’s why we’ve not just focused on the UK – we’ve worked with others to take a similar approach that shapes the market for this tech.”

Collaboration, cooperation, and the ability to learn from each other, while reflecting our own cultures and values in our use of technology, will all help to keep everyone safer and more secure, she said. “There’s no point in hoping this problem will go away. Without swift, decisive, and ongoing action, it will only get harder – and more expensive – to break nations of their dependence on insecure connected devices. We make faster progress and produce longer lasting results together.”