New IoT Policy: The Security Concerns
Experts Call for Evaluation of Privacy, Risk Issues
India's proposed Internet of Things policy needs to clearly define the governance scope and standards to ensure data security and privacy. This is the stance taken by security experts in response to the Department of Electronics and Information Technology's draft IoT policy, which has a stated objective of creating an IoT industry in India of $15 billion by 2020.
The Internet of Things can be loosely described as a network of interconnected devices that can be accessed through the Internet. DeitY's IoT Policy, introduced in October, is proposed to be implemented via a multi-pillar approach, with security being one of the key pillars.
But Delhi-based Anbhav Batla, head of privacy and risk at SDG Corp., a technology consulting and risk management solutions provider, says the big challenge for CISOs will be securing, and protecting the privacy of, the information shared across so many so-called smart devices, including televisions, automobiles and even household and office appliances. "CISOs need to think of a strong governance framework to tackle data leakage and privacy issues," Batla says.
The policy aligns with the government's plan to develop 100 smart cities in India, for which Rs 7,060 crore has been earmarked in the current year's budget. The number of internet-connected devices (12.5 billion) surpassed the number of human beings (7 billion) on the planet in 2011, and by 2020, Internet-connected devices are expected to number between 26 billion and 50 billion globally.
"IoT can help automate solutions to problems faced by various industries like agriculture, health services, energy, security, disaster management, etc. through remotely connected devices," says Delhi-based Dr. Ajay Kumar, director general at NIC, the government body which laid down the IoT draft policy.
The top concern for Dr. Kumar is handling the vast data churned out during the smart city program roll-out. "Monitoring the entire data and handling data privacy issues and not allowing the data to be compromised is a challenge," he says.
Creating Nodal Agencies
As a first step toward enabling secure IoT, DeitY is appointing relevant nodal organizations for driving and formalizing standards relating to technology, process, interoperability and services. These standards will include:
- Communication within and outside the cloud;
- International quality/integrity standards for data creation and data traceability;
- Privacy and security.
But Vinayak Godse, director, data protection, at the Data Security Council of India, a NASSCOM initiative, expresses concerns about the last of these points. "There is no clarity about technology standards or creating an eco-system to deploy best security practices," he says.
The nodal agencies should be able to build capacities that contribute to the economics of security, Godse says. They can then launch pilot projects and solutions while creating a technical framework and coordinating between different industries.
SDG's Batla says nodal agencies must oversee data privacy and also how data is collected, stored, processed and retrieved.
Creating National Expert Committee
Dr. Kumar's next step is to create a national committee for developing and adopting IoT standards.
"The expert committee comprises industry experts/organizations who can identify technologies and develop an open framework for IoT," he says. While there are no defined timelines, the committee will be set up as soon as the policy gets cabinet approval.
Some aspects the committee will oversee are:
- Creating technology architecture around the IoT framework, ensuring platform interoperability;
- Identifying security and privacy-related technologies;
- Participating in the standards committees of ITU, IEEE and other relevant global forums for standards-making in IoT.
Godse says the committee must get down to the technology itself, creating a better interface between users and applications in order to address threats and vulnerabilities.
Other experts caution that agencies and regulatory bodies must not over-regulate or create unnecessary regulatory burdens for CISOs. There is also a need to increase information sharing, and the Computer Emergency Response Team has a key role to play here, too.
How to Handle Risk and Privacy
Responding to the draft policy, Sanjay Kaushik, a Mumbai-based senior infosec professional and a member of the IoT association, recommends a security reference architecture to address data privacy issues.
As for data protection impact assessment practices, observers stress the need for generic guidelines and the flexibility to adapt them to different industries. Some think that requesting users' explicit consent for each and every application will hinder IoT development.
From a risk and privacy standpoint, other critics believe that users' consent is essential. They also say the draft should stress that personal data must not be used for purposes beyond those stated for the application without the user's explicit consent.
DSCI's Godse recommends that any enterprise's IoT framework should integrate with its operational technology, and that data privacy should be made an integral part of social demographics.
Bangalore-based K N Swaminathan, vice president, information security at TVS Motors, the largest two-wheeler manufacturer, lists key aspects that help address data privacy and risks:
- Data transferred through the Internet must be encrypted;
- Multiple methods of authenticating persons and devices getting into the networks must be implemented;
- The background of persons manning sensitive installations and jobs must be verified and periodically re-checked. Job rotation may also help.
Dr. Kumar welcomes the input and says additional industry insight is being sought.
"We are awaiting more feedback from security professionals before [the draft] is put up to the cabinet for approval."