The expanding Internet of Things not only offers consumers and businesses ease of use and growth opportunities, but it also poses security risks that should be taken very seriously. Marc Witteman, CEO of security company Riscure, will attend the D&E Event delve deeper into the topic of IoT Security.
By: Dimitri Reijerman
In June 2017, two container terminals in the port of Rotterdam were hit by NotPetya, an extremely aggressive ransomware for Windows systems. It took weeks for APM Terminals to get its systems running again, after suffering damage believed to amount to hundreds of million euros. Witteman: “The Ransomware phenomenon is quite annoying. We see what impact this can have on the economy. Imagine if this also happens to your phone, your electric car or thermostat. If you imagine this, you come to the conclusion that such cyber attacks pose a threat not only to the individual, but also to society.”
It is clear: malicious software, such as ransomware, can seriously disrupt an entire society or industry. Moreover, cyber attacks can in principle be carried out by anyone with a little bit of expertise. “It goes a step further because it is not only used by criminals for financial gain. There are also possible nation states behind,” says Witteman. “Consider the influence of the elections in the US by countries such as Russia and China. With electronic warfare you could shut down an opponent's fleet. The security of all kinds of devices is becoming increasingly important as these devices are increasingly in use.”
Wait and see attitude
According to Witteman, despite the increasing number of incidents, many parties are still leaning too far back: “We think there is too little attention to security. Initially from the consumer. She doesn't ask for it, that's where it starts. The manufacturers are also not interested in investing a lot of money in this, because security apparently does not sell well. Politicians are not yet so concerned that they actually want to enforce better security quality.”
Witteman draws a comparison with the car industry in terms of regulation: “If you look at cars, there is traditionally a lot of attention to safety. This attention is given by both manufacturers and the legislator. The legislator requires that you have seat belts and an airbag, and in that sense the legislator is cooperating. The car manufacturer also sees the benefits. A company like Volvo, which always advertises safety, sees that consumers benefit from safety.”
In Witteman's view, the software and hardware market could be regulated in a similar way. “The legislature has a role here to protect society,” said Riscure's CEO.
Complex problem
But there are more aspects to the security of IoT equipment: “There is also a technical component to it,” says Witteman. “Electronics are becoming more and more powerful. And it also has an economic aspect, memory chips are becoming cheaper. This complexity also has a downside. It is much more difficult to determine whether software is secure as the size of software code has grown and become more complex. Ten years ago we could evaluate the security of a device in a month, but today that would take much more time. And many manufacturers simply don't have that time.”
Riscure, which works for large tech companies, among others, also certifies software. “Devices must be certified. More and more often there is a discussion between government and manufacturers about which standards should apply. The government will have to adapt its requirements to the wishes of the industry, but this could result in a paper tiger. I am therefore not yet convinced that the government will be effective in combating that risk.”
“What can you do? Stimulate more research into a better level of safety without enormously increasing costs. The government could stimulate that research.” Witteman envisions a future in which artificial intelligence can be used to perform automatic checks on software.
In conclusion, Witteman states that he has two messages for his audience at the D&E Event: “One: there is something on the horizon that will help us. But that is not yet available to everyone. And two: more awareness is also needed. This can be done by training people to avoid the biggest pitfalls. There is still too little attention, especially among smaller companies, they do not want to pay for it.”
Marc Witteman speaks during the Design Automation & Embedded Systems Event on November 7 and 8 in Mechelen and Eindhoven respectively. You can watch the D&E Event registration for free visits.
Nederlands