Matthias Bossardt (KPMG) on IoT security
As a security expert at KPMG, Matthias Bossardt stresses the opportunities which the IoT presents – despite security concerns. He calls on user companies to do away with their silo mentality regarding office IT and operational technology (OT).
Text: Hansjörg Honegger, Images: Daniel Brühlmann, 06 November 2017
You deal with IoT security. Do you sleep well at night?
I always sleep well; I’m an optimist. And people should be if they manage risk. Where there are risks, there are also opportunities. But one thing is clear: cyber risks and issues of data protection are very important, and we are lagging behind the technological developments.
Why is that?
We define the Internet of Things as the network of everyday objects embedded with computers, such as cars, temperature sensors, cameras, medical equipment, as well as industrial production and control systems. The points of attack are increasing massively with the Internet of Things. And at a horrifying rate.
There have been a few incidents in recent months which have come into the public eye. What do you think were the most important events?
Generally I think that awareness of cyber attacks is growing. Take WannaCry, for example. That was nothing new, but it attracted a great deal of attention because we saw right before our very eyes the effects that cyber attacks can have on us all: surgeons were unable to operate, car manufacturers were unable to produce cars and logistics providers were unable to deliver goods.
Growing awareness is a good thing though, isn’t it?
Yes, in part. But at the same time, people soon get fed up with hearing the same thing over and over again. In the USA there is an obligation to report if certain personal data goes astray. There is a clear sense of weariness there. Nobody cares any more.
The EU is introducing the GDPR as well. Do you think that’s a mistake?
Don’t get me wrong, I agree that an obligation to report is necessary. Transparency about how many cases there actually are and the consequences of them is currently lacking. For us to understand the causes and take the necessary action, there needs to be more transparency. People are becoming more aware of this, though, particularly in the private sector. Greater transparency ultimately leads to more targeted combating of risks and, as a result, more efficient use of financial and human resources.
WannaCry mainly damaged systems which weren’t running the latest software. Is there a lack of understanding that IT infrastructure needs to be kept up to date? A bridge is restored before it collapses.
That’s a good analogy. When it comes to cyber risks we don’t have the same maturity as we do in construction or other engineering disciplines. Then again, control systems in the industry, for example, have a life cycle of 20 years or more. If those systems can be maintained at all, the operative risk of an update must be compared to the security risk. It’s not an easy decision. Furthermore, many sensors and other devices in the IoT are simply not designed to receive software updates. That means that certain established security strategies are not taking effect in the IoT.
What do we need to do to improve the situation?
A lot is already being done on several levels, but not always with the necessary determination or at the rate required. Policy has taken account of the issue, company managers are discussing cyber risks and the first product manufacturers are beginning to understand cyber security as a USP.
Ultimately, it is down to the manufacturers. There is a lack of standards and awareness that security has to be an integral part of a device or solution right at the development stage.
Unfortunately, security does not tend to factor into the development of IoT devices; the features are given greater priority. That is something we really can’t afford to do. The IoT has a real impact on the physical world. Attacks can have fatal consequences on human lives.
What could be used as leverage?
Incentives need to be created to motivate manufacturers and user companies to put ideas such as ‘Privacy by Design’, ‘Security by Design’ and ‘Ethical Design’ into practice. It is imperative that systems be designed to be more resilient and robust. This could be done through industry standards and corresponding quality seals, or through suitable regulatory measures. In any case, it is important that all companies are able to act on equal terms and that innovation is restricted as little as possible. In addition, investors today are paying greater attention to how companies cope with cyber security. Devaluations of 7% of the company value owing to cyber attacks, as was the case with Verizon’s acquisition of Yahoo!, put investors off.
Where do you stand on government regulations?
I’m not a fan of regulations because they can shift the focus onto compliance rather than on managing risks. Nevertheless, we do need at least a certain degree of self-regulation in the IoT sector by means of standards. I have also noticed that product liability cases and expensive product recalls in the IoT have contributed just as much to an increased implementation of cyber security measures as cyber security and data protection regulations themselves (the GDPR in the EU or the new data protection law in Switzerland).
For many user companies, IoT offers lucrative opportunities, despite all the security concerns. How do those responsible find the right balance between risk and security?
To find that balance, they have to identify and manage risk. However, we carried out a survey which revealed that less than 50 percent of those responsible have an overview of what is networked and how. Less than half said that the IoT featured in their security strategy.
Why is that the case?
Things have become more complicated. IoT devices are often run separately from traditional IT. The responsibilities for the operation of IoT devices and their security are not always clearly defined. Even the security of industrial IoT systems as part of the operational technology (OT) tends to be handled separately from the office IT, but in reality, the greater the convergence of the technologies used, the less sense it makes to separate them.
New forms of organisation are therefore required. What would you recommend?
People today have to think very carefully about whether the security of office IT and OT should continue to be run in separate silos. It is increasingly important to take a holistic approach to security. Vulnerability in the OT can be used for attacks on the office IT and vice versa.
Nobody wants to let go of their influence.
That can be resolved. What’s more important is the cultural difference between IT and OT and the human factor itself. In my opinion, one of the biggest problems in security is that the human factor is not understood or incorporated into security approaches enough at all. Very often, security approaches today come at the expense of user friendliness. Just think of the tedious use of passwords.
But when it comes to the IoT in particular, the human factor is diminishing: machines are communicating amongst themselves more and more, and data is evaluated automatically. Is it already too late to intervene effectively?
Ultimately, even IoT systems are designed by and for people. Either way, we simply cannot afford to do nothing. That is why the main priority is to design the systems themselves more resiliently and robustly.
Who is responsible now?
Everybody. It falls upon the user companies, but also the IoT manufacturers, governments and the international community.
Everybody should, but nobody does...
I’m optimistic. Humanity has always taken a pragmatic approach to challenges like this. But I do agree with you. The efforts to get to grips with these risks are not enough at the moment; we need to step it up a gear. Not least, this is extremely important for the Swiss economy.
Is IoT security more of an opportunity than a cost factor?
Of course, in Switzerland we have a unique combination of software expertise and the necessary engineering know-how in the industrial sector. It’s an opportunity for us, because the people in Silicon Valley don’t have the same degree of expertise as we do.
Partner, Head of Cyber Security and Technology Risk, KPMG Switzerland
Matthias Bossardt brings more than 18 years of experience to the fields of cyber, IT, data-protection and technology risks. He is also a member of the global cyber security leadership at KPMG and the digital board of KPMG Switzerland. In October 2016, Matthias Bossardt was voted one of the most influential ‘Digital Shapers’ in Switzerland by Bilanz, one of Switzerland’s leading business magazines. Before he joined KPMG, Matthias Bossardt researched communications systems and cyber security at ETH Zurich and at the Beckman Institute of Advanced Studies at the University of Illinois, Urbana-Champaign. He began his professional career as a microchip engineer in 1998.