Internet of Things (IoT) ecosystems are underpinning more and more services across the UK.
They have their place across the public sector and our critical infrastructure, supporting the efficiency and resilience of the country in delivering vital services. Before we look at cyber security in an IoT context, it’s worth recounting how we arrived in a connected world.
The history bit
The forerunner to IoT is really the PSTN (Public Switched Telephone Network). It is one of those great inventions that led to subsequent innovation and provided several tipping points of economic growth and prosperity around the world. The same is looking to be true for IoT.
British Telecom (BT) and its supply chain have been a leader in this area. If I recall from my time as an apprentice at GPT, a leading manufacturer of Carrier-Grade telephony systems at that time, the software control and developments took ~6000 man-years of cumulative development hours across 1976 to 1981. Clearly a significant amount of time (and effort!), especially noting the tools and methods back then seem archaic compared to the ‘no-code’ artificial intelligence toolsets of today.
BT at one time also boasted the largest database in the world, storing CDRs (Call Detail Records). This is the ‘data monetisation’ organisations seek today, and also why the PSTN is the seen to be ‘mother of IoT’. The system connected end-points (phones and modems), aggregated them via gateways (concentrators), provided the core control and connectivity through a ‘software-defined network’ (called Basic Call State Model back then), and then storied all these transactions in a database or a platform. As a former Systems Manager at GPT reminded me recently “PSTN is a paragon of the cyber-security world as it was initially designed on the assumption that it would be a closed trusted system”.
Even the mobile providers of today, whether 4G, 5G or 6G follow the same architecture and principles to deliver the communication services we use on a daily basis.
...and the hacking begins
Alas, it wasn’t a perfect world. There were vulnerabilities but the attack vector was relatively smaller than it is today, and in my opinion, due to limited connectivity of devices. Take for example the classic ‘2600Hz’ AT&T tricks, referred to as Phreaking, used to get free phone calls by effectively resetting the phone line.
Some individuals used this ‘hack’ in conjunction with social engineering, and the events behind it actually formed a book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, which really highlights the ease of social engineering in cyber-crime. Social engineering is tethered to the ‘insider threat’ which remains the most significant risk for organisations today across infrastructure. In many instances, these risks can be designed out through focussed efforts on system design and systems proving, and of course, regression testing, which may be considered a lost art due to its perceived cost. It is however, this investment that underpins an organisation’s resilience.
The growing multiple attack vector problem
The attack vector space also increased significantly when the PSTN opened up to competition and third parties were allowed to interconnect through largely open and unguarded interfaces… hence all the problems with silent calls and so forth. The same issue is realised today when systems are built from multiple parties, which then require a ‘systems approach’ to provide resilience.
However, what was designed in at the core of GPT’s System-X product was resilience. And this was right at the code level with system checks being performed before the software took action - systems resilience at its best! Alas, sometimes with the ease applications are developed today, this aspect is forgotten. The resilient software development was the basis of System X and the PSTN, which is considered critical infrastructure, and this approach should be the same for any mission-critical system its deployed in, public or private.
Mark Roberts, government lead for cyber security at Capita suggests that “a key challenge today is the physical location of IoT sensors, which may not have the security robustness built in, and when cited in the field, lack the physical security that exists purely in the cyber world, such as being deployed in a “data-centre”. Default passwords, known vulnerabilities, firmware updates – these are all the hygiene factors we know about, and there should be no excuses for these issues, most are avoidable. The principle of the TPM approach (Trusted Platform Module) should proliferate across the supply chain”.