For the internet of things to become a business enabler in India, security considerations must be adequately addressed.
Key ingredients, according to Aruna Sundararajan, Telecom Secretary, Government of India, are:
- The right set of data security and protection policies as part of the regulatory framework;
- Security standards at the network, application, product and device level;
- Classification of data critical to IoT services; and
- Understanding data flow in real-time with adoption of key technologies and building security features around it.
"While having a data security plan as part of the IoT blueprint is encouraging, the project owners need to be cognizant of the challenges IoT implementations could bring."
Sundararajan's comments came in remarks at the recent IoT Congress event in Bengaluru, where Deloitte and NASSCOM revealed results of a new study.
According to the study, India now has 41 IoT use cases, including smart manufacturing supply chain, service operations, transportation/logistics, healthcare, smart governance and smart utilities.
At the event, Sundararajan said regulators have worked toward including data protection and privacy as part of an IoT framework. For instance MeitY and the Telecom Regulatory Authority of India have come up with an IoT framework that mandates certain data security measures (see: What Makes India's Telecom Sector Vulnerable to Attack? )
Data Protection and Privacy
MeitY is hopeful that India can build a $15 billion IoT industry by 2020. And it, an other agencies, are taking actions aimed at achieving that goal as part of efforts to develop 100 "smart cities."
For example, MeitY has been developing standards for operating IoT across technologies and using data security as an enabler for adopting IoT. It has appointed nodal organizations for driving and formalizing standards for technology, process, interoperability and services. These standards will be built around:
- Communication within and outside the cloud;
- International quality/integrity standards for data creating and data traceability;
- Privacy and security.
The mandate for these nodal agencies is to build capacities that contribute to the economics of security. MeitY is working closely with Data Security Council of India and NASSCOM in driving these initiatives.
In another initiative, the government established a center of excellence for IoT in Bengaluru with NASSCOM, MeitY, Tata Consultancy Services, Intel, Amazon web services and FORGE accelerator.
Meanwhile, the telecom regulator, Telecom Regulatory Authority of India, has included data security and protection as a key component of its IoT draft framework.
TRAI has mandated that every IoT project must include security imperatives in these categories:
- Technical: Encryption, ID management and privacy-enhancing technologies;
- Legal/regulatory: Consumer consent, collection limitation, user limitation and accountability;
- Socio-ethical: Consumer rights, public awareness, disclosure and consumer advocacy;
- Economic/market: Self-regulation, codes of conduct privacy certification and consumer education.
Sundararajan believes a collaborative approach will help develop effective and appropriate security solutions to meet the IoT demands.
While having a data security plan as part of the IoT blueprint is encouraging, the project owners need to be cognizant of the challenges IoT implementations could bring, including:
- Ensuring that users trust that IoT devices and related data services are secure from vulnerabilities;
- Guarding against the risk of poorly secured IoT devices and services being potential entry points for cyberattacks that expose user data to theft;
- Dealing with challenges around integrating IoT technology with operating technology and making data privacy part of it;
- Addressing the challenge of deploying mass-scale homogenous IoT devices, some of which have the ability to automatically connect to others.
IoT Security Skills
The government is hiring small start-ups to help build components of IoT security framework, turning to those who specialize in data security and secure data transmission, which seems the right move.
Sundararajan says TRAI is working with 65 start-ups in Indian Institute of Technology, Chennai and Hyderabad-based International Institute of Information Technology to develop products ensuring security by design for IoT needs.
Collaboration between government and academia is planned to develop skills in big data and artificial intelligence.
It's critical that an IoT framework integrate with operating technology. The key security imperatives for regulators and policy makers are:
- Data transferred through the internet must be encrypted;
- Multiple methods of authenticating users and devices must be implemented;
- Designing any infrastructure in such a manner that it becomes prohibitively expensive to compromise is essential.
Until recently, IoT growth was considered to be still in a nascent stage. But the initiatives taken up by organizations, along with the use cases identified in the new study, indicate that its growth in India is certain. A security architecture to address organizations' IoT security challenges will prove to be essential.