Social Value Creation Report "Industry Eco-System"
The advancing spread and revolution of IoT
Security to support a safe and secure digital age
March 01, 2019
With the full-blown arrival of the age of IoT (Internet of Things), the use of Internet-connected devices is rapidly expanding in factories, supply chains, automobiles, medical facilities, and even homes. IoT is expected to help alleviate labor shortages, improve productivity, increase mobility, and resolve a variety of other social issues. However, connecting fields that had previously had no connection to the Internet also brings about concerns over new security risks and the expanding influence of those risks. Since the diversity of cyberattacks targeting IoT devices continues to increase rapidly, government and business organizations around the world are working on establishing security guidelines that consider the characteristics of IoT, and initiatives in each industry are becoming more active. In addition to corporations developing more IoT products, creating IoT security measures is also a pressing issue for corporate groups aiming to further digitalize their supply chains and manufacturing sites, and NEC places importance on approaching diversifying risks on an organizational scale rather than at the on-site level. This report introduces recent trends and issues, NEC's solutions intended to resolve them, and our thoughts and initiatives for contributing to the realization of a secure and safe IoT society.
A social, industrial, and lifestyle revolution driven by IoT
Accelerating initiatives for the industrial revolution and the expansion of IoT devices
In recent years, the spread of IoT devices throughout the world has been advancing rapidly. For example, marketing research firm IHS Markit estimates that the number of connected IoT devices worldwide will jump from nearly 27 billion in 2017 to 125 billion in 2030. Furthermore, they have also estimated the growth rate in each field and industry (see the figure below). From these figures, we find that the smartphone and communications market, which includes over half of all IoT devices as of 2017, has already somewhat matured. And the projected growth rates from 2013 to 2030 show high growth rates in the following fields: commercial & industrial electronics, the field developing smart factories and smart cities (the highest growth rate at 24.3%); the automotive & transportation industry, where the spread of connected cars containing ICT device functionality is expected; and the medical field, with its expanding digital health care market.
Advanced smart factories that utilize IoT to collect manufacturing floor data, analyze and visualize said data, and achieve automatic control, optimization, autonomy, and other capabilities are expected to be the main focus of the next generation of the manufacturing industry. The continued construction of ecosystems centered around smart factories will lead to the realization of mass customization (manufacturing made-to-order products), reform of existing value chains, and the creation of new business models.
Various countries are also more actively working toward digitalizing their manufacturing industries. The website explaining the German government's official Industry 4.0 strategy features more than 180 activities occurring in Germany alone (as of September 2018). Additionally, the international IoT promotion organization IIC*1, which mostly works to accelerate the adoption of the Industrial Internet, has a membership of around 260 companies and government agencies, including some Japanese corporations.
Expansion of IoT devices supporting consumer lifestyles also accelerating
In the field of mobility, initiatives for utilizing IoT to develop connected cars and autonomous vehicles are moving forward. Meanwhile in the field of smart homes, in addition to detailed energy management via HEMS, AI speakers with voice assistant functionality are rapidly gaining in popularity due to the variety of services they provide, including controlling IoT home appliances and searching for information online. And in the healthcare field, there are initiatives aiming to allow doctors to monitor their patients' healthcare data in real time by connecting medical devices with healthcare systems and enable adequate remote diagnosis.
In these and other ways, IoT is expected to be useful in resolving a multitude of issues, such as by solving labor shortage troubles and increasing productivity in manufacturing, logistics, and retail, or improving mobility and reducing medical costs. However, as IoT permeates throughout society and linkage continues, we must pay close attention to the associated security risks and their range of influence.
*1 IIC: The Industrial Internet Consortium
Expanding cyberattacks: IoT systems become a new target
New methods of attack for the continuously increasing IoT devices
2016 was an opportunity to rethink security measures for IoT systems. In the past, DDoS attacks, in which packet data is sent to a target all at once to cause a server shutdown, were launched from PCs, but the entry points used for cyberattacks expanded to include household routers, network cameras, and other IoT devices. Large-scale DDoS attacks via the malware Mirai used IoT devices to render American corporations that manage addresses required for connection to the Internet unable to function, leading to a variety of Internet services becoming unusable one after another. Mirai made the world aware that the increase of IoT devices will be accompanied by the expansion of DDoS attacks, and a large number of variants have since been developed, with infections spreading in multiple countries.
Cyberattacks targeting IoT devices show a tendency to increase alongside the increase in IoT devices themselves. According to NICTER*2 Analysis Report 2017, a surveillance record of large-scale cyberattack observation networks, published by NICT (National Institute of Information and Communications Technology), attacks on IoT devices comprised more than half of all cyberattacks in 2017, and methods of attack are becoming more sophisticated.
All IoT devices become the target of cyberattacks
In 2017, the ransomware (a type of malware that demands a ransom payment) WannaCry wreaked widespread havoc, greatly affecting even the manufacturing industry. The WannaCry attack was not focused on the manufacturing industry, but old PCs that ran OSes that were no longer supported and were used to control production lines, as well as on-site devices that were not subjected to security maintenance, were infected with the ransomware, forcing many factories to shut down. In addition, WannaCry infected digital signage at train stations, ATMs, electronic devices at retail stores, and many other IoT devices, making it clear that any IoT device could be a target of a cyberattack.
Even in the promising field of connected cars, demonstrations by American researchers in 2015 showed that the brakes and other parts of automobiles could be hacked into and remotely operated, greatly shocking the automobile industry. The automobile manufacturers that were the subjects of this demonstration had to recall 1.4 million vehicles as a result. Furthermore, numerous threats to IoT devices are becoming apparent, including BlueBorne, a term for vulnerabilities affecting the Bluetooth functions used in many household IoT devices.
When fields that previously had no connection to the Internet start becoming connected, completely new threats are generated. In addition to improving legislation and creating various guidelines for IoT device security, working on IoT security measures from the view of manufacturing and supply chains as a whole has become a pressing necessity for corporations.
*2 NICTER (Network Incident analysis Center for Tactical Emergency Response): an NICT incident analysis center that performs observation, analysis, and countermeasures of cyberattacks
Required security measures that consider the characteristics of IoT systems
Hastening security measures for IoT systems
An increase in security risks has accompanied the rapid spread of IoT devices, which connect things that were previously not connected. IoT security measures must consider the particular characteristics of IoT, requiring wholly new approaches. Furthermore, the effects of IoT vulnerabilities pose a significant danger of becoming widespread, increasing the importance of security measures not only during development, but also following release.
In Japan, IPA*3 published the IoT Safety/Security Development Guidelines as a common guide for IoT security in March 2016. Based on this guide, the IoT Security Guidelines were formulated in July 2016 by the IoT Acceleration Consortium, organized in an industry-academia-government collaboration by the Ministry of Economy, Trade and Industry (METI) and the Ministry of Internal Affairs and Communications (MIC). These guidelines indicate several risks particular to IoT, including the facts that thorough monitoring of IoT devices is difficult to achieve, that equipping IoT devices with sufficient security functionality is complicated by their limited functions and performance, and that connections that were not considered by the developers may occur. The formation of guidelines that consider the particular characteristics of IoT is underway at a variety of organizations in Japan in an effort to combat the rapid increase in cyberattacks that target IoT devices.
Additionally, in an effort to accelerate IoT security strategies, METI has established the IoT Tax System (Connected Industries Tax System), tax measures meant to support the introduction of the systems and sensors required for initiatives that improve productivity via data linkage and utilizations which adopt fixed cyber security measures.
Industries also becoming more active in IoT security initiatives
Initiatives are underway in each industry with the aim of ensuring IoT security. For example, in an attempt to improve on-board security in the automobile industry, JAMA*4, JSAE*5, and JASPAR*6 are creating policies, criteria, and standards, as well as working to formulate standardized technologies and evaluation methods. CCDS*7 is formulating guidelines in the following four fields: on-board technologies, IoT gateways, financial terminals (ATMs) and settlement terminals (POS).
Efforts toward international standardization are also becoming more active, with ISO/IEC JTC 1*8/SC 27/WG 4 working toward standardization based on the IoT Security Guidelines proposed by Japan. To ensure IoT security, IoT product developers, service developers, and service providers must link together, becoming aware of supply chain vulnerabilities and working to create security measures and systems, and it is important for them as well as for users to fulfill their necessary roles.
*3 IPA: Information-technology Promotion Agency, Japan
*4 JAMA: Japan Automobile Manufacturers Association, Inc.
*5 JSAE: Society of Automotive Engineers of Japan, Inc.
*6 JASPAR: Japan Automotive Software Platform and Architecture
*7 CCDS: Connected Consumer Device Security Council
*8 ISO/IEC JTC 1: International Organization for Standards / International Electrotechnical Commission Joint Technical Committee 1
Total support of IoT security measures at corporations
Providing IoT/OT cyber security support services based in practice
In order for corporations to properly respond to the diversification of risks that accompany IoT, it is important that all parts of their organizations work together on security measures. However, many corporations in the manufacturing industry and others are currently just performing initiatives at the on-site level, having yet to establish companywide security systems and structures. NEC has made efforts toward Secure Development and Operations for the products, systems, and services we offer our customers, as well as constructing organizational systems of promotion for them. Accordingly, we have also responded to the increasing diversity of IoT security risks, analyzing threats to security brought on by IoT device vulnerabilities and considering measures to combat them. While understanding the situations of use, people in charge of IoT/OT*9 device design and products also established methods of identifying threats that consider both functions and operations. We are also standardizing risk assessment methods for IoT systems and specific measures required for each model case, as well as creating and utilizing checklists for confirming execution of security tasks. In addition to the requirements of international security standards and guidelines formulated by government agencies and industrial groups, these checklists reflect security measures to counter new threats in a timely manner.
Through these practices, we cultivated the knowhow required to provide our IoT/OT cyber security support services. These services are offered to organize customers' security issues and support the measures to combat these issues. In accordance with IoT security guidelines, we provide upstream security consulting to support the creation of rules and the building of systems, as well as a variety of security services that support development and operation (IoT design support, vulnerability diagnosis, IoT vulnerability information management, etc.). This enables total support for constructing companywide IoT security measures, including risk assessment, operation policy formation, development, and production.
Security measures based on IoT system characteristics gain importance
When creating IoT security systems and structures for corporations, measures that consider the characteristics of IoT systems are required. In IoT systems that distribute devices with hardware resource restrictions and various devices that employ network connection methods other than IP communication throughout their construction, including industrial control systems, it is important to strengthen security measures that anticipate the whole system. NEC provides products for IoT device management and OT network measures that respond to these issues, contributing to the realization of secure IoT systems on the customer's site.
*9 OT: Operational Technology
NEC products and technologies that support IoT system security
Securely manage a variety of IoT devices and prevent unauthorized connections
NEC also develops and provides solutions for IoT security-related issues suffered by corporate groups promoting digitalization of supply chains and manufacturing sites, in addition to products to help corporations incorporate their products in IoT. Particular focus is placed on the areas of remote management and automation of device security settings, access control for a variety of device connection methods, and the real-time detection and handling of malfunctioning devices, with the aim of strengthening products and services.
The device ID/key management software offered by NEC eliminates previously complicated management and setting workloads, while at the same time enabling secure management that does not require professional skill, meaning that an expert does not need to be stationed on-site. It realizes remote/automated management and configuration of the IoT device cryptography keys and digital certificates that are required for mutual authentication and encryption intended to prevent unauthorized connections to IoT devices and the IoT systems that control them, which are constructed from gateways and edges that perform distributed processing. Additionally, the Lightweight Cryptography Development Kit is provided for sensors and other devices with hardware resource restrictions, enabling encryption and tamper detection, realizing security measures over a wide range of devices, which was previously difficult to achieve.
Blocking unauthorized access to a variety of IoT devices
NEC provides IoT Device Security Manager, which can visualize and block unauthorized connections and communications to the various devices that make up an IoT system. A strong point of this software is that in addition to IP communications, it also targets connection methods that are not covered by conventional ICT system security measures (USB, Bluetooth Low Energy, etc.), visualizing the connection and communication statuses of devices and enabling access control. It is also possible to set up an "inbound" measure using a whitelist that registers the devices permitted to connect. In addition to the automatic list creation function, focused remote monitoring of the connection and communication statuses of the various distributed devices makes IoT system security management and operation easier, reducing the amount of required labor. Additionally, by incorporating this product into their IoT device systems, manufacturers can also strengthen the security of their products.
For security to support a society that fuses the cyber world and the real world
Initiatives toward security that supports the future IoT era
NEC will provide a secure and safe environment based on our long-established "Security by Design" concept whereby we introduce security measures from the design phase. We think that NEC is capable of reducing security risks because we have the knowhow from developing many different hardware and software products, and because we understand the business configurations of our customers, for whom we have constructed ICT environments for many years. Cyber security measures are not completed just by installing software or introducing systems. For increasingly complex IoT systems, which connect more and more things, to counter cyberattacks that are themselves becoming more sophisticated and elaborate, it is important for security measures to continue strengthening systematically and dynamically.
NEC is also working on new initiatives for the IoT era. One of these is the development of a technology for automatically identifying the risk of cyberattacks, which uses simulations to create a comprehensive evaluation of cyberattack risks faced by control systems for important infrastructure, such as electricity, gas, water, and transport facilities, as well as for factories in the manufacturing industry. A virtual model is created by automatically collecting detailed system information necessary for risk analysis from actual systems, such as IT device structures and software versions/specifications, the hardware information of components peculiar to control systems (PLC*10, etc.), communication settings such as packets and protocols, and methods used for data flow and data transfer even when isolated from the network. This makes it possible to visualize the entire configuration of complicated systems and data flow, which has conventionally been difficult for even the most skilled specialists to understand. As a result, accurate and rapid comprehension of vulnerabilities for risk analysis can be realized. With this technology, attack images can be understood visually and automatically. Further, because the effectiveness of security when measures are taken can be repeatedly confirmed, potential security risks can also be detected.
NEC has been connecting people with people, people with things, and things with things, contributing to the development of a safe and prosperous society for many years. The current environment both on- and off-line is exposed to serious risks and threats. NEC will continue to utilize a comprehensive approach involving information, technology, and personnel to create a secure real world and cyber space, support industry and daily life, and lead to a better future. NEC hopes to design new social value that leverages ICT together with customers and to work toward a "Brighter World," while placing importance on the pursuit of intrinsic value for society and for customers.
We welcome your comments and questions concerning the content of this report and initiatives by NEC.
*10 Programmable logic controller