
into the world of IoT. Our next panel discussion is on security risk in a world of connected devices. Our modern world is increasingly interconnected, with smart devices permeating every aspect of our lives, from our homes and workplaces to our cars and even our bodies. While the promise of a seamlessly connected world is tantalizing, it comes with a host of security risks that demand our attention. Let us delve into the discussion to understand some of the key security risks associated with the interconnected world of devices. Let's welcome our esteemed panelists: Minati Mishra, Director Product Security, Philips; Lakshmi Ner, Managing Principal, APAC; DHB, he's a cyber security leader; and Diwakar Prab, Director Cyber Engineering, Maersk. This discussion will be moderated by Shri De, co-founder and CEO of SE Show.

So good afternoon everybody, and thanks Diwakar, Minati, Lakshmi, Dees for being here. Looking forward to an insightful next 30 to 35 minutes on security risk in the world of connected devices. I'm thankful to everybody who assembled it and hope we are able to make a difference. We have got Mil S from NSDL, we have Abur sir and Ra sir, so there are different people; K from Blue Star, of course. So maybe everybody's having some interlink with the IoT: NSDL could tomorrow have an Alexa integration, Blue Star can have, so their AC is talking in the world of IoT, solar panels are there from a S, and Tata AR, I cannot spot in. So looking forward to an insightful session, hope we are able to make some difference here. I'll spend another two minutes: if everybody could just give a brief intro about themselves, and then maybe we can get started.

Thank you everyone, thanks for having us, first time in Ahmedabad and really liking the electrifying young crowd over here, so looking forward to having a very engaging discussion and learning a lot. So my name is Diwakar, based out of Bangalore, currently working with A.P. Moller, I'm leading the portfolio of cyber engineering there.

Hi, thanks for being there. We understand we are between you and your lunch, but yes, thanks. And I'm Minati from Philips Bangalore; I am a director of product security who set up the security Center of Excellence.

Yeah, hello everyone, and thanks for having us here. My name is Lakshmi, I'm based out of Bangalore, I work for Synopsys and take care of the APAC-level consulting services.

This is D, I'm also from Bangalore, currently I'm working with Adobe, I manage multiple teams there, offensive, defensive and everything security engineering, so really excited to be part of this panel, thank you.

So next, let's get started. Diwakar, we will begin with you: can you help me understand the current state of cyber security in IoT, as to what is the current state? It will help set the context as well.

Absolutely. So before I set the context, let me look at the audience and try to understand how many connected devices you are using. So with a raise of your hand, tell me: how many are using one connected device right now? You can raise your hand if it is one. Okay, one person says one; that's more than that. So how many are using two connected devices? Okay, I see more hands. How many are using three connected devices? All right, a good number of hands. Four, five? Yes. So that's how it is evolving. So just to give you a brief history of how it all started and how it is going to look like, that's what we are going to do here. So it all started with possibly connecting a sandwich toaster in the year 1990; so that was the first connected device, by some scientists, I don't remember the name, but it all started there and it evolved over a period. And maybe a couple of decades ago there was nothing connected, but today we are living in the world of connected devices, and you have seen, I mean it is just growing with the number of devices that we connected. It could be smartwatch, mobile phone and other gadgets; this is on the consumer side. And on the industrial side it's taking a new trend: the adaptation in the industries, automation, is actually banking on a whole lot of connected devices, whether it be barcode scanners, robotics, advanced applications; that is going to be the new norm, and the adaptation has a huge uptake. So just to put a number to that: in 2023 the estimated budget of the connected devices is at 700 billion, I repeat, it is in billions, and in the next 5 years some of the consulting firms are estimating that number to be 3,500 billion, right? So that's the uptick of 5x in revenue. But any guesses what would be the threat vector that this plethora of devices is going to bring? Give me a wild guess: is it going to be the same 5x, or is it going to be higher? So it's going to be higher; just to put a number to that, it's going to be 10x, because the risk is also increasing at the same pace. So that's how it is evolving, and that's where it becomes really important to have adequate regulations, controls and processes and awareness in place. Yeah, that's a brief thing.

Thank you, thanks for that insight. You talked about sandwich makers, you talked about different IoT devices and how they would grow 5x or 10x. So we
have Minati from the manufacturer side, that's a coincidence that, you know, we have. So let's say, Minati, if you could share it from a manufacturer's perspective as to what would it be in case, you know.

So I come from Philips, which is primarily focused on healthcare. Now healthcare is a major, major adopter of IoT devices, and when it comes to healthcare, cyber security of the IoT device is almost synonymous with safety of the patient. I'll explain it with an example. So in year 2016 a very famous researcher, Billy R, researched on an infusion pump. Now what is an infusion pump? That's very prevalent in Western countries, wherein you load medicines in the pump and you mention what is the dosage which has to be given to the patient, and then the patient is given those medicines based on the doses prescribed. Now this researcher was in the hospital for a few days and he saw the infusion pump and then said, let me check if I can hack it, and he went ahead and hacked it, and almost all kinds of vulnerabilities he found, including, you know, no authentication, and he was able to attack that infusion pump from a remote network and change the levels of the medicines to be given. So you understand how deeply security is related to patient safety. Now this is the reason why the regulators in the medical device field became aware of this and have brought stronger measures from a regulation standpoint, and I'm talking mostly about the US market, wherein regulators like FDA play a major role, and without going through that gate we cannot sell in the US market, which happens to be the largest medical device market for us. Okay, so what is the state now? We have very strong medical device regulations which monitor right from the requirements to the entire product development and even in the post-market; the security is living from the birth of the device and lives till the system is alive. And just to mention, for a medical device many times the end of life of a medical device spans between 10 to 15 years, so that's the lifetime of a device for which we have to maintain its security.

Thanks Minati, thanks for this. So we heard about Diwakar's perception about 10x growth, we heard about your perception from a manufacturer's perspective, typically from a healthcare angle. So Lakshmi, can you help me understand from the consumer viewpoint as to how do we, you know, maintain that balance between the convenience that comes with the IoT devices versus the security aspects associated? So what would be that striking balance?

So I'll take from what Diwakar mentioned, right, about the number of connected devices that we have every day. So if you kind of take a percentage of that 700 or 3500 that you mentioned to the number of consumer devices which each of us is connected to today, that could attribute to around 60% of the entire connected devices in the world, which is like increasing every day, right? So imagine the situation that, at least out of the 60%, which is say around 140 million or something like that, around 60 to 80% is pwned, right? So imagine the number of alerts that the current systems could really generate, and that could give you an alert that there is a security problem, there is something that has been spoofed and there is something that has been tampered with in the device that you are using. Do you think any of the devices, any of the monitoring systems that we have today, is capable of handling that level of number of alerts? I don't think we have any, right? So that's the magnitude that we are looking at when it comes to the attack surface, when it comes to just the consumer part of it. So a lot of this, I think, is related to people like us knowing what you are connected to. At some point when someone said one, I'm sure you're connected to more than one device, not just now but in your day-to-day life; you're connected to more than one device, maybe at your home, right? And then what you are connected to, and what your connected devices are connecting to as well. So that is a pertinent aspect, which has a lot to do with awareness when it comes to the consumer space, because no manufacturer is going to tell us these are some of the security measures that we need to take to protect ourselves, or to not be attacked by any of the threat vectors that we have. I think for the consumer space, awareness is the most important thing that I see will play a major role in preventing, nothing else.

So probably that is why we are celebrating the cyber security awareness month this month; October is known as the Cyber Security Awareness Month. Yesterday we did a small gesture by illuminating the awareness by giving the candles. So taking it up with D, can you help me understand some adversarial perception to this IoT security in general?

I think Diwakar started on the right note regarding the vastness of this topic. If I have to talk about the attack surface, because whenever we talk about adversaries we talk about the attack surface first: first of all, it is very difficult to measure, because
most of these devices are black box, but we are talking at a scale of 20 billion plus currently, and with the stats that Diwakar gave it is going to rise exponentially, right? So attack surface is not in our control. Second piece is what Minati talked about, the criticality of these devices: if these are like medical devices, we are talking about people's life at risk. Say for example, consider any of the cloud applications: if it goes down or if it gets hacked, maximum we are talking about financial risk, or probably most of the time it is financial, right? But here it is going to be people's life at stake. So both from whether it is the attack surface and the criticality, this is definitely a very, very critical topic. So now, whenever I have to talk about adversaries, I always think from how we have thought when we used to be involved in wars. So I always remember this famous quote from this book called Art of War by Sun Tzu, and it goes like this: if you know your enemies, you need not fear the result of a hundred battles, right? So it's very important to know who are your adversaries, and that's what exactly we do in our adversary emulation. So I'll basically briefly touch base on what is adversary emulation. Adversary emulation is nothing but, you basically do a setup wherein you try and emulate the adversarial behavior. So now you may ask how it can be done in the IoT setup, right? There are so many devices, most of these are like black box and things like that. Actually, first of all, let me explain what are the different types of adversaries from the general trend, right? So at the lowest level are the script kiddies, which are like, they just look for that big red button or a tool; they just love running tools which are already there. And second level are the researchers, not the good ones who are here, but the ones who are like hidden but also a little bit more skilled than script kiddies. Third level goes to the e-criminals who are out there hidden; they want to work for some profit; a typical example is ransomware as a service: you pay them, get them on your side, and then plan. And the topmost is the nation state, right? And when we talk about IoT and XIoT we are dealing against that level of adversary. So how to prepare our systems at scale so that we are able to deal with such a level, right? We all know what happened with Mirai, the Mirai botnet that hit us in 2016 I guess; a very simple attack when you look at it, right? It was just a case of default credentials and finding a vulnerable software running on certain cameras, and then the botnet was basically infecting any other camera and then joining hands and finding other cameras to do the DoS attack. So what we have done, and I'm talking more from my expertise in adversary emulation: you can basically set up a system, have adversaries or the researchers at one end, and then capture the traffic. As you know, when you capture the traffic you'll get a lot of meaningful insights, because data is the new oil, right? And then based on that, I think Kartik Shinde and Vandana also talked about it in the earlier talk today: when you get to that level at the traffic you can get a lot of meaningful information from the traffic from a threat intel perspective, and that can be leveraged to enhance the security at the other end. So that's how I see the overall adversarial landscape basically: understanding the adversaries, learning from the data that gets captured during the process.

So D, you spoke about wars; that reminds me, Minati, let's have it this way: imagine you are anyway into the connected device, you're manufacturing it. So if your latest device is, I would say, some kind of a superhero, if it was a superhero, then what should be its superpower according to you?

Yeah, I would like my superhero to be like Hulk, who can self-heal. So in software I would say that the support for patchability and upgradability is the most important thing, because if the device is having a vulnerability, I have an ability, via a robust update facility, to update the device and fix it again.

Okay, and Diwakar, if you know, in this context, if we talk about the most primary threat vector or vulnerability in the IoT devices that you face today, then what is the most primitive? I mean, I can say there are a lot that can be discussed, but the most primary one, or probably the most imperative one, the threat vector or vulnerability that we can talk about.

I think in the world of connected tech, primarily, if I look at the most easily compromising threat vector, it would be credential theft. So either you are storing your credentials in plain text or a spreadsheet without a password, or not protecting them behind a strong encryption, password manager or something; it's easily prone to be leaked. So that's one. I can think of a lot of man-in-the-middle attacks, MITM is what the world calls it, yeah. So man-in-the-middle attacks are pretty much prevalent because most of the connected tech works with radio frequency, Bluetooth and other connected tech, mostly wireless. So a lot of man-in-the-middle attacks are prevalent in the industry, in the consumer space: somebody hijacking your radio frequency and all that. At a nation state and strong adversarial standpoint, I could think of distributed denial of service. So DDoS is a famous technique where most of the large enterprises are falling prey to that, with multiple attempts of DDoS happening from multiple regions, and it's easy to attack a connected tech, quite, with a lot of investment in tech. Yeah, so these are the top three that I have seen and observed and worked on.

Thanks for sharing three of them. So in this battle of, you know, I would say cyber threats, connected devices or super devices, Lakshmi, can you help me understand how organizations can safeguard themselves? Because as he mentioned MITM, so if we talk about the IoT space, then the organizations would depend on some FOTA over there for upgrades; FOTA threats are there, again based on MITM and stuff. So he talked about DDoS; so how can organizations seal themselves and safeguard them, or be on the winning side, I would say? How would they be on the winning side?

That's, I think, a bit tricky question, because there is no single solution that we can offer; there is no one size fits all, is what I would say. So it all depends also on the type of IoT devices that you are trying to protect. For example, something which Minati said about the medical devices: you have a connectivity of those devices, it could be from home, it could be maybe a blood pressure monitor which is fitted to a patient working, you know, at home, that is connected to a larger hospital network to monitor remotely from there; it could be something that is like an infusion pump which is right there in the hospital, fitted with the patient there; that could be one kind of device. The other one could be the home devices, the wearable devices that we are connecting; there could be other ones like connected cars and stuff like that which are connected to a larger network. So it all depends, to some extent, on the type of device that you're trying to protect as well. So going back to the basics, I think putting the right basics in place about your secure coding practices, having a robust application security measure, secure by design, is very, very important to any device, no matter whichever you are connected to, right? And beyond that, going also with the dynamic testing, which is beyond your static analysis: there are tools that are available to do SAST in the market which could help you to uncover the code-level vulnerabilities; beyond that, how do you look at your deep pen testing and DAST-specific tests on these devices before they go out in the market is extremely important. But keeping all of that in place, protecting the ecosystem in which these devices are operating is equally important. For example, you deal with a lot of protocols these days, through the LMP or GSMA, all of this, when it comes to connecting to the devices. So a lot has been claimed about these protocols; I'm sure they're secure in themselves, but many times the manufacturers miss looking at the fuzzing space. You don't really look at interpreting, or seeing how we can fuzz these protocols to see if someone can get into, maybe, a man-in-the-middle attack or maybe a spoofing attack to get into those devices, which is extremely important, and I think the manufacturers are missing that point in many, many situations. And then comes the hub-level security: how do you segregate the network and also make sure, for example, at your home you have devices that are connected within the home and which are connected outside your home network; how do you segregate those networks as such to make sure that your things which are connected within the home remain within the home, they are not exposed to the internet outside, right? So the hub-level security is equally important as well. And then it goes beyond to the monitoring and tracking on a regular basis. I think this is a layered model which everyone is familiar with, and also, as I said, it depends on what type of devices we are protecting and trying to deploy in the market. So it's not just from the manufacturing; the deployment of these devices in the larger ecosystem plays a very important role in securing them as well.

Thanks, thanks for that insight, Lakshmi; that also helps, you know. But when you talked about deep pen testing and all, so that is where we fit in. So it's good that, you know, how Synopsys, I mean SAST tools, and they could complement the deep pen testing that we are doing together; we could help shield the IoT ecosystem in general. Okay, let's switch gears now, let's have a quick game, I would say. So Diwakar and D, this is up to you guys: what I'll do is I'll name any connected device, and maybe D, you could help me with the futuristic threat associated to it, while Diwakar could talk about a defense
mechanism. Okay, let's take connected eyeglasses, for example. So what is the futuristic threat that you see with the connected eyewear, while Diwakar, I would want to hear from you on the defense mechanism of it.

The first thing would be, being very portable, I think the threat is obviously the physical threat of theft, but more than that, what I think is privacy, because if it gets hacked, someone who is wearing it, actually hackers can have his eyes: whether looking at what he's looking at, the password he is typing. So I think if it gets hacked and it is unknown, I think privacy is at stake.

Thanks a lot D.

I think if I have to pick a defense mechanism which is not available in the industry today, but something that has to shape up from a product manufacturing standpoint, it would be around centralized management of these devices. If it is on the industrial side, right, so you have an option to push the updates and secure it, disable some of the functions; that is what I have seen in the industry that really works in the favor of defense. The other area is around implementing necessary controls: not storing the credentials on local machines or systems; then possibly adapting to the necessary minimum baselines, minimum guidelines, adapting to the secure policies. So those are a couple of defense mechanisms I could think of in terms of end consumer products like this.

Thanks Diwakar, thanks D. Let's have a round of Mythbusters with you both, so Minati and Lakshmi. I would want to hear from you one common misconception that people have about these connected devices' security: what could be the common misconception? And Minati, maybe you could, you know, confirm or bust it, whatever. So over to you, Lakshmi.

There are a lot of beliefs around the connected devices. So one which I can think about, and I think this is very prevalent in our home environment, right: so for example, we have a smart washing machine, or maybe a smart scale that is connected just to your phone; it doesn't really store any sensitive personal information, nor is it connected to a network, it is just within the home. Or I have a TV, I have a set of fancy smart lighting system which doesn't store anything which is personal to me, anything sensitive to me. So to that extent, I don't think they are to be protected with all these expensive and tedious controls that we are talking about. Do you think so?

Yeah, audience poll? Busted, right?

Yeah, so even if an IoT device does not contain any sensitive information by itself, there are three areas in which it can be misused. Number one, the device itself can be hacked and cause fatalities, like the example given of the infusion pump; yeah, it did not have any sensitive information at all, but it could still harm a patient. For that matter, in a home environment, if I have a microwave and it is connected, I can hack into it and change the parameter thresholds; I can end up burning the home in some scenarios. So that's one area, where I can hack it and cause fatalities. Second is, even if I am not able to harm that particular device, a vulnerable IoT can get me access to the network in which it is housed, so it can be a gateway to the other network that I house. And the third one is, like what we saw in the Mirai botnet, it is a pivot for other attacks to be launched. So yeah, busted.

Thanks, thanks. Hold on, so I have got a couple of questions for you both as well. So Minati and Lakshmi, you know, I wanted to understand: Lakshmi, you talked about organizations being on the winning side; I want to hear from you more about, you know, the security by design, while you could add up from the government and regulatory aspects to it, as to how things are, you know, as on date.

A very, very important question. I think that's something that we miss when we actually design or manufacture IoT devices, right. So secure by design, when it comes to, I think a lot of this is with reducing that attack surface; I think that's going to be one of the primary objectives when it comes to designing the IoT devices, which would also get into how do we containerize and how do you kind of make sure that you have a secure, specific environment which is where these systems are supposed to be operated in. That also adds up to, you know, your external dependencies: how do you make it like least privilege. The authentication control that Diwakar mentioned about is one of the critical areas where many of the IoT devices fail today: how do you implement robust authentication controls to prevent that. The other one that I can think about is also, you have several frameworks that are available, right, like LwM2M, M2M; a lot of these frameworks are available, they have guidance around how to design each type of IoT system. If I go back to my earlier point about, it depends on what type of IoT devices you are designing, that point also gets into the picture. Then another very pertinent aspect which people miss in the design perspective is about code signing and code protection, which is primarily a threat vector when it comes to someone tampering with that code in itself, remotely, and getting doors to the overall device and then again to the other connected devices as well. So many times we don't really look at code signing and code protection that comes into the picture when it comes to the secure by design aspect. And the last one, how do we define, I think that should be the first one to look at: how do we define the security design based on the data that it stores, the data that it processes, the connectivity, the exposure that it has. So that is where the list of controls, how severe, how strong these controls should be, which many times we miss in defining; sometimes we overdo it, sometimes we miss them. And also how to protect the privacy aspect in the data cycle of the overall design of the devices. So many times, as Minati mentioned, the life cycle of a lot of devices is more than 10 to 15 years, which means a lot of sensitive data will kind of reside in these devices for a longer time. So in the design principle we also need to look at, I think I'll go back to the recent act, the data protection act, of right to be forgotten, or right to be, I mean we don't have a right to be erased in that act, but how do we also mention about how to archive, how to delete the data which is stored in those devices, and the overall life cycle of these devices, to make sure that they are not left unattended or left open for attackers to pick up. So those are some of the basic design principles that we need to look at. To summarize: data, attack surface, and your trust zones, based on which how do we define the controls around it. Thank you.

And I have to ask Minati to answer the question about regulations, right? Yeah, yeah: we would hear from you more on the government and regulatory side, because you are the manufacturer, and that too typically in healthcare, so you would be well aware. Got it; let the audience know more about it.

Yes, yes. While answering on the regulations I would like to first state something: whatever my co-panelist said is very important, because regulation is an afterthought. Once all devices are in the market and they're vulnerable, regulations come into the picture, and that too, for them to be enforced, it takes time. So there is a time lapse between the regulations coming into the picture, being enforced, and the devices being
really secure. So all these design principles of securing a device are of paramount importance for us to ensure that we are giving secure devices to our consumers or patients. Okay, coming to regulations: there are a couple of regulations around this area, a bit too late though, but I would mention a couple of them from a sector perspective. I didn't mention about FDA earlier, in which all medical devices in the US are regulated by FDA, and there are very stringent development and post-market surveillance regulations around it; I won't go into any further. Similar ones are coming in the Europe region also. But from an IoT perspective we see change happening: so you have seen devices having a CE mark on them. The CE mark basically means that they have tested it for the hazards of emissions, and once it is CE marked the consumer can safely use that device in the house. So now they are going to append the CE marking with cyber security requirements; that means if I buy a device, especially in the Euro region after 2025, a CE mark would mean that they are also tested for cyber security requirements. So this is a game changer, but just that it is a bit too late. So after 2025 I can be sure that if I have a CE-marked device it is secure. However, there are still some things which the owner of the device should ensure: they are still responsible for configuring the device; even if it is highly secured, they are still responsible for configuring the device properly, keeping the right kind of password or whatever authentication they need to do, keeping the right network separation they need to do; there are a set of responsibilities. But with these regulations we are also enforcing the manufacturers to do the right thing for the consumers.

Just wanted to add, also from the automotive perspective, with the connected cars and their rise we see a lot of, a few regulations that are coming up: ISO 22262, MISRA, all of these are coming up as well, where, just like the CE mark, the companies have been asked to comply with the automotive security regulations as well. So it's a good thing that, even if it is an afterthought, we see regulations coming across the sectors to protect the IoT devices within that.

Thanks for that additional insight, Lakshmi, and thanks Minati for raising the bar about, you know, now next time we buy something in 2025, maybe CE regulation would also talk about cyber compliance. So keeping it up, I believe, in context of time, I want Diwakar and D, I mean you would have been around, so I wanted to get from you the predictions that you see. She predicted about 2025 being a year where we see CE regulation talking about cyber compliance, heard from Lakshmi as well on certain insights. So can you both talk about the future prediction, maybe around three years or five years from now: what state do you see of cyber security? And again, you already talked about the 5x or 10x growth in terms of the consumer adoption, but in terms of, in general, the domain, so where do we see that domain five years from now?

I think the majority of the problems that we talked about around IoT revolve around identification and authentication. With the advent of AI and ML, I see those getting solved. And we also talked about the opportunities with threat intelligence in the previous talk, so I think some of it will be adopted in the IoT and XIoT space. And I think my answers are all coming from the previous talks, regarding zero trust as well, right, so I see that also happening. And Minati mentioned about the mark, the security mark; I think the bill got placed in July sometime. And then we have also heard regarding the need of moving the low-level programming code which is memory unsafe; that bill has already been submitted in the US Parliament. So if you have to do business with the US government, you have to either move your existing low-level code to the high-level languages which are memory safe, or you have to show them a proof of a dynamic testing report, right? So all these things are becoming reality; we are talking about three to five years, but it is happening now; the journey has started. Yeah, and then SBOM, which is security bill of materials, I think it is going to be a game changer; US Government anyway, they have...

Yeah, SBOM is reality now, it's not future anymore, it's reality; that's where we have our portfolio, where we are offering SBOM generation.

So yeah, I mean we have also started at Adobe our journey towards it. So yeah, that's what I feel: most of it is like happening now, but I think we'll see more of this in the coming future.

And Diwakar, some insights to close? Absolutely, thanks a lot D for adding that.

I think if I have to predict and look forward to what kind of connected tech would be leveraged by all of us, I think one campaign, I had been predicting this for a long time: how many Star Wars fans in the house? So they have been doing an amazing job of predicting what this could look like in the future; I mean they have been inspiring for generations together and that continues, and a lot of things have been taken from that, and industries have been adapting, developing new consumer products. Jokes apart, I think you have to look at how health tech specifically has been following the work of Neuralink, the health tech of Elon Musk, and they have been making great strides in terms of the connected tech and leveraging some of those implants, whether it be in the brain and the human body, so you get instant monitoring of your health stats on your mobile device or some other display. So how this is going to identify and detect some of the pain-causing elements, whether it be cancers, tumors, etc. in our body, is going to be a big tech industry, you know, from a health standpoint. Apart from that, I think a lot of home automation and connected devices are on the verge of rising. So I think we have a count of connected devices right now; in future, very soon, we'll be losing the count of connected tech, or leveraging connected tech in our lives. So everything will be driven by a lot of automated connected tech; that's my prediction.

I have one more point. So I'm someone who doesn't use any of the connected, I mean I don't wear smart watches, just because I fear that someone is going to use my health data, and I see T to 10
years five years down the line we have strong privacy regulations in place where someone is using that without my permission they are going to be penalized and I can absolutely choose to wear my Apple watch thank you very much great Insight uh lot of uh Ling for allas this is the new area for the cyber security industry Community uh Min you talked about 2025 that regulation coming some more things coming up in US yes uh see are we taking Pace with how we are evolving right the yeah I generally go to Basics we have is 7000 one which came version came in 2013 next one only came in 2022 yeah and Auditors would never relate it to the cloud infrastructure it
was purely built towards the on PR infrastructure yes so what as an industry we can do work with governments to keep ourselves in Pace with how technology is developing yeah sure uh thank you uh a very good point I couldn't touch on this because of lack of time even though regulations are coming late standards are already there so be it my standard or is ISO standards for securing iot devices are already there regulations are a means to enforce it so this is just to say that people are doing the right thing and if you don't do it you won't get entry to the market regulations are doing just that so we already have the basics in place
and we should be actually complying to the standards just that unless we have the backing of the regulations nobody can force it on us so that's the only difference regulation is making but the standards are already proven and there in the market in the industry rather thank you thank you yeah so ask uh typically we follow for web right so but uh there is iot uh uh iot security Foundation that is doing some excellent work around this uh as M ma'am said even if a iot device doesn't contain any vulnerable information it can let uh get us access to a network the first thing that came to my mind was the printers in the stuck net attack uh I believe the
Stu attack is very famous so the main target of the Stu pack was a industrial controller in a nuclear lab it it is a digital device but it it is not necessarily a smart device so I want to ask you how vulnerable are devices which are not smart but digit digital in the iot age can they consider an iot device because they are just digital but not smart and how vulnerable they are to any attacks or all attacks in the upcoming I boom or the current standards and or the current industry so this open is open to all balance thank you so interesting uh question so um when it comes to the digital space right it's just like any
any of the devices for example your routers your switches or any digital uh device in the digital space is vulnerable to attack right so um of course you have the configuration controls that will prevent uh attack attacks from that and um the Pat the ability to patch them on time becomes extremely important to prevent uh the attacks on them and then again your network your uh your surrounding controls wherein these devices are located that is where that is something which we many times we miss on the configuration controls on the deployment space so with both these things we should be able to protect uh um protect these devices can just add since this is specific to the uh OT side of the
industrial uh area uh it's a usual practice that these devices are locked on for any IND user tampering and uh I think firmware upgrading or just updating these devices comes with a lot of physical challenges having access to these devices should be restricted to only specific personal so that could be one control where uh they are not tampered so if it is centrally managed I think pushing the updates centrally managing it from a console or from a operation Center is much easier way thanks a lot for asking that question he thank you it was very interesting panel discussion and uh we heard the 50% iot devices in the hands of the consumers so when we talk of Standards
we know how consumers are they are so good in following them today even after 10 years uh there are many I'm sure here who did not change their home router password from what it was that's right that's isn't it and now these IOD devices are given in their hands and that to in volumes like I have one home router but I have five to six connected devices uh so do you think the OEM the manufacturers of iot have actually taken this psychology in mind before they manufactured and introduce the security assuming that the consumers will not be sensitive to it actually the interesting fact is what I have seen from the security standards okay they don't take
into consideration the consumer Behavior I'll give you an example so you route would have a default password if you see the new routers they'll enforce you to change the password of the person that's a easy way to change the password similarly now many devices will enforce you to structure a stricter password so there there are ways in which the standards do lay out that this should be done so that the consumer really doesn't have to take all the responsibility of securing securing it so yes it is in place but yeah lot it may not be 100% but yes we're going there so the other side of my question is from the industry players point of view so anything we
even if you take ISO 271 or NIS or pcss everything can be implemented in two ways one in spirit and one in tick mark compliance mode isn't it so when it comes to talking about iot usage in industrial applications do you think that tickmark compliance part has been removed from the basic approach of implementing it or it still continues because if it still continues it is like having a firewall tick mark I have a firewall with a rule any to any allowed when we talk about whether the iot implementation are in spirit or are a tick mark policy yeah like there are standards as I said standards can be implemented in two ways one is in compliance mode I have it take
and the other is in spirit yes I really want to protect it now when we talk from iot point of view fortunately in the olden days for ring out applications you had months and sometimes years today you have days and hours so what's happening whether the St are being implemented in tickmark mode or in spirit I would say they are being implemented in spirit at least at the organizations that are cyber aware so uh be be the leading startups or be the Enterprises where because the incidents are on the rise now so people are more keen towards not being just a due diligent company or who has under due only for uh maybe to raise funds or to
maybe meet certain audits or compliances but they are more focused on world exploitable metrics or they are more concerned about contextual relevance as to how we can bring in context and how are they actually shed in their context in their business context are they actually obeying the principle that is what is their out when the implementation and that is where the compliances now are driven by spirit and not just by a TI Mark Ori if anybody wants to add they can I can add uh I think when it comes to compliance uh basically two things right one is test of design and then the second piece is test of Effectiveness uh we are at a
juncture wherein the design part is there that's where you are talking about okay firewall is there but any to any mapping is there but test of Effectiveness somehow is not happening and that is the reason and and what I feel feel is the cost Factor also has it because these devices were developed in a batch considering the cost in mind and if I have to make sure that I have memory for upgrade of my firware five years down the line I have to keep extra memory along with every device which is not cost effective for me right so and they know that Effectiveness is not much controll currently by the compliances so I can just do away with test of design
so that's what I feel thanks thanks yeah uh so I want to thank being from an I2 background myself uh this is a very interesting topic for me and yeah like the ecosystem the product ecosystem varies for each device so we cannot restrict it to only one type of devices so thank you for like asking a variety of questions on a variety of products because because people who are not from this background they will not understand that each product has a different ecosystem and they all require different types of measures to be taken for them I found it very insightful and people have engaged a lot thank you so much for your time