As IoT technology advances, we start to wonder whether the security around it is sufficient. By now we can assume that anyone with some access to IoT devices knows that IoT needs stronger security than ICT, because an exploit can directly affect and control devices and cause actual physical damage.
Autonomous Security and Regulative Security
Simply put, four areas in the IoT space need security: 1) smart home, 2) smart factory, 3) smart car, and 4) smart energy grid.
Areas 1) and 2) tend to be autonomous. Users decide whether they need an IoT implementation and, if they do, whether that implementation needs security. For factories, applying security is critical for safety reasons alone; however, many factories have not even applied the existing ICT security as we know it.
This is where autonomous security slowly spreads in the form of crisis management. Crisis management, in the context of IoT security, most likely explains why security of any sort is applied only after an incident occurs. This is how personal computers are secured today, so most IoT security companies are settling on this method. It is easier and more convenient, because it resembles the way ICT security is applied rather than the ideal IoT security we expected.
Areas 3) and 4), by contrast, are regulative. In 3), a failure threatens not only one’s own safety but also that of others, and in 4), strict management and security supervision are critical to keep the billing system (pay-per-use of energy) fair for all users. Regulatory security can therefore be applied, innovatively, as a method of pre-emptive security.
After all, being pre-emptive means minimizing risks and threats by deciding to apply security at the very earliest stages of designing the entire system. This is unavoidable if hazards and unfair charges are to be prevented. It is similar to building private networks for existing major infrastructure such as nuclear power plants, which are operated only once enough security has been applied throughout the system and the network. Such security is established on a nationwide scale as infrastructure and is perceived as an integral part of applying the technology.
IoT Security as a ‘Life Security’
Since IoT combines existing IT security with OT (operational technology), it carries a higher risk of physical damage when it is not secured. It therefore follows rather stricter rules and regulations compared to OT, which definitely needs a somewhat closed form of security that blocks any risk even prior to connection.
When IT security fails, the losses are assets at most; when OT security fails, they could be human lives. Take vehicles as an example. Every shortfall in vehicle security threatens safety. Remotely controlling or locking the steering wheel, changing the speed, stopping the engine, and manipulating the GPS location have all been demonstrated in actual vehicle hacks.
Security in vehicles therefore means, at its core, protection that saves people’s lives. Major countries in the field are establishing and putting into practice vehicle security regulations. The US has announced strict regulations such as the ‘SELF DRIVE Act’, the ‘DoT Guideline’, and the ‘AV START Act’. The EU has its own ‘EC C-ITS’ business and smart car cybersecurity recommendations by ‘ENISA’, in addition to the UK’s ‘Smart Car Cybersecurity Guideline’, the ‘Vehicle Security Authentication Framework’ by EC, and the ‘Vehicle Cybersecurity Principles’ by ACEA. In China, the government established the ‘Vehicle Security Committee’ in 2016 and has advanced continuously with its ‘China Cybersecurity Law’ since 2017.
Vehicle Security is ‘Transport Security’
However, vehicle hacking cannot be prevented by in-vehicle security features alone; it is a matter of transport security as a whole. As vehicles become smarter and more connected, their ‘simple internet connection’ is evolving so that vehicles become ‘direct participants of the transport network’, a shift that is now on its way to becoming universal thanks to the development of 5G and the surrounding environment.
It is critical to deploy V2X (Vehicle to Everything) communications security that covers not only the vehicle’s internal security but also nearby vehicles and intelligent transport systems such as ITS. In fact, it must be able to support edge computing security, V2D mobile integration security, and V2G electric vehicle ecosystem security in order to complete the vehicle security system as a whole. Vehicle security is like a full-court press in basketball: it addresses the safety of the entire transport system through a whole-system approach.
Current vehicle security, on the other hand, is mostly concerned with a simple internet connection, which explains the deployment of telematics server security, terminal security, and general web security. However, as the vehicle starts to participate directly in the transport network, its security will also have to transform into ‘transport security’.
Vehicles also connect via V2X to other vehicles, other means of transport, smart roads, and transport systems such as RSU and C-ITS, and via V2G to energy services such as EV charging systems and the electrical grid. This is feasible only with sufficient technical infrastructure, including traditional ICT security and an understanding of new technologies such as V2X and V2G as well as the distinct features of EV and PnC (Plug and Charge). In other words, these requirements are the reason for the high barriers facing new entrants to the market.
The Future of IoT Security
There are certainly other areas to look into in transport-related systems. In addition to the development of vehicles and transport systems such as C-ITS, the EV market is expected to take over the fuel market and to expand and grow as far as the potential of new and developing services and technologies allows. The EV market is not only about the vehicle itself but also about the energy grid, including the smart meter, and will eventually form an entire technological infrastructure.
The industry also requires higher-level technologies such as ‘things authentication’ or ‘things decision making’, because of the processing limitations and inefficiency of central management. We believe this will eventually lead to the development of BIoT (Blockchain + IoT) and shape competitive advantage. As mentioned above, unlike existing ICT security, where issues were resolved simply by taking financial responsibility, IoT security could really have an impact on people’s lives. So now we should ask ourselves: the market is expanding, but is the security really sufficient?