Government, industry, system operators and the engineering profession must act together in a coordinated way to improve cyber safety and ensure that the Internet of Things develops in a secure and trusted way, according to two new reports published today by the Royal Academy of Engineering and the PETRAS Internet of Things research hub.
The reports together cover the Internet of Things and other digitally connected systems such as industrial control systems and building management systems. They highlight that digital technologies have a huge variety of applications from industry-level uses like electricity generation plant, to consumer applications such as fitness devices and smart home hubs, and that the integration of physical and digital systems creates many opportunities to realise economic, social and environmental benefits across business and society.
The reports also warn, however, that digitally connected systems need to be designed with safety and resilience in mind to minimise future risk. They could be vulnerable both to cyberattacks and non-malicious events such as natural hazards or the failure of components and the impact can be increased where systems are interdependent. Cyberattacks on connected health devices are of increasing concern as they could have severe consequences on patient safety. Ever greater numbers of health devices have been identified as being potentially at risk, including pacemakers and MRI scanners. The working group held a workshop with health agencies, manufacturers and government security advisors to discuss how best to address these issues.
As the number of IoT devices increases in homes, workplaces and public spaces, the studies consider the potential for more aspects of people’s lives to be observed. IoT devices can violate norms of private space - for IoT systems that control or process personal data, there may also be privacy threats from data sharing.
The reports recommend that the evolving nature of the challenges will require continual responsiveness and agility by government, regulators, organisations and their supply chains. While they conclude that there is no silver bullet for improving cybersecurity and resilience, they call on organisations to demand that products are ‘secure by default’, and recommend a number of measures, including:
Mandatory risk management procedures should be considered for critical infrastructure, aligned to industry standards. These should set out guiding principles for cyber risk management during design, operation and maintenance.
Supply chain transparency - cybersecurity policies should require that there is transparency throughout the supply chain about the level of cybersecurity provided in products and services.
International ‘umbrella agreements’ on IoT - the UK government should work with other governments and international institutions – with the main providers of IoT components, devices and systems – towards ‘umbrella agreements’ that set out an international baseline for IoT data integrity and security for all parties to adopt.
Ethical frameworks that are appropriate to support ethical behaviours on IoT should be developed and applied to help minimise risks to society.
The reports also highlight that the UK in a strong position to lead the development of appropriate international standards and regulation, as a result of its world-class expertise in cybersecurity, safety-critical systems, software engineering, hardware security, artificial intelligence and social sciences.
Professor Nick Jennings CB FREng, Vice Provost at Imperial College London and lead author of Cyber safety and resilience: strengthening the digital systems that support the modern economy, says:
“Connected systems underpin improved services, drive innovation, create wealth and help to tackle some of the most pressing social and environmental challenges.
“The reports we are publishing today identify some of the measures needed to strengthen the safety and resilience of all connected systems, particularly the critical infrastructure on which much of our society now depends. We cannot totally avoid failures or attacks, but we can design systems that are highly resilient and will recover quickly.”
Paul Taylor FREng, UK Lead Partner - Cyber Security at KPMG and lead author of Internet of Things: realising the potential of a trusted smart world, says:
“There is no going back on the Internet of Things, it is here to stay and offers many new capabilities. We should embrace it with a strategy that goes beyond IoT towards the ‘Internet of Everything’, with a greater focus on people, data and processes.
“Government needs to consider whether existing regulation is fit-for-purpose and how IoT interacts with new EU regulation such as the NIS Directive (security of Network and Information systems) or GDPR where IoT processes or controls personal data.”
Both reports identify the importance of digital skills. They call on government to ensure that current reforms to post-16 education, such as T levels and new apprenticeships standards, include appropriate levels of skills development for end-users who will implement IoT in the workplace. Investment in design and technology education, as a subject that provides excellent opportunities for young people to understand the interfaces between physical and digital systems as well as practical opportunities to apply this, is also recommended, following the example of recent investment in computer science in schools.
Professor Rachel Cooper OBE, Adoption and Acceptability theme lead at the PETRAS IoT Research Hub, and Distinguished Professor of Design Management and Policy at Lancaster University, says:
“It is vital that we improve the level of technical and data literacy and skills to enable the public to become involved in reinforcing security in data and the Internet of Things. Ethical development of these emerging technologies is a collective responsibility for the whole of society, not just for those who are developing them.”
Notes for Editors
1. Cyber safety and resilience: strengthening the digital systems that support the modern economy
is published by the Royal Academy of Engineering, compiled by a group of expert Academy Fellows, chaired by Prof Nick Jennings CB FREng, Vice Provost and Professor of Artificial Intelligence at Imperial College London.
Report: Cyber safety and resilience (2.27 MB)
Internet of Things: realising the potential of a trusted smart world
is published by the PETRAS Cybersecurity of the Internet of Things Research Hub and the Royal Academy of Engineering, and was compiled by a group of experts from PETRAS and the Academy, chaired by Paul Taylor FREng, UK Lead Partner - Cyber Security at KPMG.
Report: Internet of things (2.28 MB)
2. The PETRAS Cybersecurity of the Internet of Things Research Hub
is funded by the Engineering and Physical Sciences Research Council (EPSRC) to explore critical issues of Privacy, Ethics, Trust, Reliability, Acceptability, and Security (PETRAS) relating to the Internet of Things (IoT). The Hub brings together nine leading UK universities, (University of Warwick, University of Oxford, Lancaster University, University of Surrey, University College London, University of Edinburgh, University of Southampton, Imperial College London, and Cardiff University)
As part of the Government-funded IoT UK research and innovation programme, the Hub is receiving £9.8m funding from the Engineering and Physical Sciences Research Council (EPSRC), which is match funded by £14m and participation from over 120 academic, industrial and public- sector partners. The hub was announced on the 6th January 2016.
The hub looks at both social and technological issues, bringing together research leaders, industry, the public and voluntary sectors. In bringing together this community, the research hub is able to gain a thorough understanding of PETRAS issues in terms of the needs and potentially conflicting interests of government, industry and academia. This enables the hub to be a leader in the development and innovation of IoT, and an authority and influencing voice in the cybersecurity of IoT.
www.petrashub.org | @PETRASiot
3. Royal Academy of Engineering. As the UK’s national academy for engineering, we bring together the most successful and talented engineers for a shared purpose: to advance and promote excellence in engineering. We provide analysis and policy support to promote the UK’s role as a great place to do business. We take a lead on engineering education and we invest in the UK’s world-class research base to underpin innovation. We work to improve public awareness and understanding of engineering. We are a national academy with a global outlook.
www.raeng.org.uk | @RAEngNews
We have four strategic challenges:
- Make the UK the leading nation for engineering innovation
- Address the engineering skills crisis
- Position engineering at the heart of society
- Lead the profession
For more information please contact:
Jane Sutton at the Royal Academy of Engineering
T: 020 7766 0636;
E: Jane Sutton