Cyber Ireland is partnering with Beyond IoT to highlight an often-forgotten area of cybersecurity
Everyone knows about device security - they just don’t think about what constitutes a device.
Laptops? Check. Desktops. Check. The local area network? Check. Routers? Check. Fridges? What? Sensors? Err . . .
Think about it: both the variety and number of devices that we routinely connect to the internet have exploded in recent years, and whether we realise it or not each one of these devices is, in essence, a computer - and a vector for attack.
LG’s robotic vacuum cleaner being hacked and turned into a spy in the heart of the home is bad enough, but domestic IoT devices are still, more or less, a novelty - and they are also hardly mandatory. The industrial internet of things (IIoT) is another story altogether, though.
According to Dr Eoin Byrne, cluster manager at Cyber Ireland, the internet of things is a real blind spot for IT security.
“The internet of things all depends on digital products, solutions and services, and sometimes IoT gets forgotten about when it comes to security,” he said.
Unlike with traditional devices, from tablets to desktops PCs to phones and even infrastructure equipment, security is, he said, too often an afterthought with IoT devices.
“I don’t think it’s seen as a priority when IoT solutions are developed, but there’s a new push worldwide, saying that security should be designed-in and not added-on later.”
Heretofore, one problem has been the necessary low-cost nature of the devices needed for pervasive IoT.
“Many IoT solutions are mass market, cheap and cheerful. They think about cost, power supply, communications and not so much [about] security - then it becomes a threat vector for industry around operational technology.”
Consider the havoc that could be wreaked on a factory production line that uses internet-enabled sensors, for instance.
Hacking low-power devices themselves is rarely the actual end goal, though.
“It can create a gateway into the multinationals.
“I recently read about someone’s smart bridge getting hacked - and, though that, the hackers got access into a manufacturing plant,” he said.
“We hear from agri-tech, which is a big sector for Ireland, and they have IoT devices, as well as people working on solutions for smart cities - again IoT - and they want to develop [better] security. We need Ireland to be seen as a secure country; security is moving from something that is seen as a cost to a unique selling point,” he said.
Founded this year, Cyber Ireland is a national organisation, supported by industry, with the twin goals of promoting security in Ireland as well as making the country a global centre for security.
“It is a relatively new organisation,” said Byrne.
“Our remit is to represent the cybersecurity sector in Ireland. We launched in May this year, but our development goes back to 2017.”
Cyber Ireland has its genesis in the realisation that despite growing challenges there was no one, overall national organisation in the area.
The response has been positive.
“We've had great buy-in from industry. We ran workshops in February and around 90 companies showed up to get some input,” he said.
Since then, 110 businesses have become involved, from a range of sectors including med tech, financial services, bio-pharma, and utilities.
“They all depend on IT and many of them managed crucial national infrastructure,” said Byrne.
Despite the global cyber security skills shortage - no less a problem in Ireland than abroad - the overall area of security represents a significant opportunity for the nation, said Byrne.
“We want to put Ireland on the map,” he said.
As things stand, Ireland is in a good position to become a regional centre for security, but more could be done.
“One thing we definitely need to see more of is shouting loud about cyber security in Ireland,” he said.
“Most people don’t know we have a strong cyber security sector, but five of the top ten firms are located here: multi-nationals like Trend Micro, McAfee in Cork, which has been here for ten to 15 years, and there are new clusters setting up for research and development. These are the kinds of roles you want to be attracting: McAfee, Mastercard IBM, a lot of top companies have operations in Ireland - and not just pure-play security companies.”
The domestic start-up sector is also strong in the area, said Byrne.
“There’s a lot happening on the indigenous side, but there definitely needs to be more work done to make cyber security a priority for government - though the National Cybersecurity Centre does a very good job,” he said.
The EU’s general data protection regulation (GDPR) has captured the headlines in recent years, but it is not the only regulatory framework, said Byrne.
The year 2018 saw the writing into law of the EU’s directive on security of network and information systems (NIS), a directive aimed directly at regulating cybersecurity and ensuing co-operation across borders.
Industries and businesses outside the sector are a mixed bag, however, with those who are obliged to take security seriously doing so but others lagging behind.
“Looking at the SMEs, who are a particular risk for cyber-attack, they think that because they’re small organisations or because they’re indigenous that they’re under the radar.
"Others think they are more resilient than they are in reality,” he said.
The tech pipeline
One issue that has bedevilled IT in Ireland for some years, despite the country’s importance as, arguably, Europe’s information technology centre, is the skills pipeline.
Nowhere is this more true than in cyber security, and Ireland is no exception to the global trends. Among Cyber Ireland’s membership, concern is high.
“The skills shortage is the number one priority for any company we are talking to,” said Byrne.
“On the other side, [the skills shortage] affords a huge opportunity to Ireland if we can get the talent side right,” he said.
The range of jobs available is wide, too, with basic, entry-level positions right up to post-doctoral research.
Of course, Ireland could never fill every domestic vacancy with an Irish national, but there is, nonetheless, an opportunity to increase awareness of the field among graduates.
The real work will have to start much earlier, though, said Byrne.
Specifically, in school.
“Having that skills pipeline is really important. We’re keen on making sure that the next generation of cyber security talent is coming out of primary schools and secondary schools [buy] at the moment computer science is being piloted, and only in 40 schools in the country - and cyber security is not part of the curriculum,” he said.
As a result, Cyber Ireland has plans to step in and offer practical help to schools and students, as well as university students and graduates, including by giving a clear career map for cyber security.
The first step is to make this information clear and publicly available.
“We’re trying to address those issues. We've mapped all of the courses that can get you a career in cyber security, and not just the technical roles either, and map it to the US framework,” said Byrne.
This framework, developed by the US National Institute of Standards and Technology (NIST), is known as the National Initiative for Cybersecurity Education, or NICE.
“It gives 52 different roles in cyber security - and, again, not just technical roles; it also includes things like law, GDPR, training and awareness, management,” he said.
Understanding that cyber security is not just about technical roles is vital. Given that attacks have targeted global giants such as Apple and British Airways it is increasingly clear that it is a business problem, not a technical problem. Activities are disrupted, customers lose trust, and, in some cases, as happened with a hacked venture capital firm in December 2019, money is directly stolen.
That means that while the technical tools - and nous - to fight cybercrime are essential, the entire question needs to be understood in a wider framework of business and social risk.
The positive side of this is that even those who have neither the inclination nor interest to work in technology roles can find opportunities to performing meaningful tasks in cyber security. They just need to hear about it as an option.
For school students, Cyber Ireland is making use of transition year to put cyber security as a career out there - and, hopefully, make it an interesting challenge.
“We're rolling out transition-year classes around cryptography, online security and privacy and more, and, at the end, there will be a career talk - and it’s all linked into the National Cyber Security Challenge, which is a capture the flag event,” he said.
Cyber Ireland is a key partner of Beyond IoT 2020, the global tech conference held in Cork on January 20-21, 2020. To discover more about the award-winning, international cyber experts who will be speaking, visit beyondiot.ie