Security standards for HK’s smart city blueprint

Pictured: Roland Pong (left) Daniel Chun (right)Imagine a Bluetooth-enabled toy or a Wi-Fi-enabled monitoring camera which are supposed to bring joy to kids and safety to homes are turning evil one day. They become a tool for hackers to collect your images and other personal information, and then hold you for ransom.

This is not a Hollywood movie script. This is already happening around the world. Children’s latest gadget Cloudpets and Cayla were reported as targets for hackers because their product and software design can be easily compromised. Reports by CNN, NYPost have reported that Cloudpets could leak voices, photos and location information. BBC also has reported that the Cayla doll also exhibited the same potential vulnerability to hacking.

When IoT becomes more pervasive and millions of new products become connected to the Internet, there will be more vulnerability found and cybercrimes unfolded from these IoT devices. Viruses, Trojan horses and ransomware are not new, but with IoT, they could easily perpetuate to the new things that promise to be connected, smart and Internet friendly.

Bringing standards to HK

At the Smart City Consortium, we believe the best practices and standards like ISO/IEC 15408-1:2009, also known as the Common Criteria, should be adopted in the HKSAR Government’s upcoming smart city blueprint. Furthermore, the Government through the OGCIO should also consider building its own IoT security certification centre that follows the Common Criteria.

The adoption of this standard is expected to provide evidence and traceability of the IoT-related products. It also helps these products conform to minimum security standards and formulate a governance framework suitable to combat any potential risks in data management.

Consumer electronic products may not require the highest level of certification, as compared to the enterprise systems such as payment terminals or mission-critical sensors-based systems. It is nonetheless necessary for the government to start thinking about the need for certification and the associated talents.

Another area the government should consider is formulating a strategy in

Evaluation Assurance Level (EAL). EAL is a numerical grade assigned following the completion of the Common Criteria security evaluation. Consisting of seven levels, the EAL level does not measure the security of the system itself, it simply states at what level the system was tested.

EAL can also help to protect Bluetooth-enabled devices, which are also adopted in smart city initiatives. With the new Bluetooth 5.0 standards providing higher performance, wider reach and better connectivity, it is essential for associated attacks like Bluejacking, Bluesnarfing or Bluebugging to be minimized with the EAL certification.

CC adoption in the region

In Taiwan, the ISO/IEC15408 Common Criteria has been adopted since 2009 and in China a similar standard has also been adopted by the China Information Technology Security Evaluation Centre.

The adoption in Taiwan and China demonstrate the need to raise standards of information security as a result of the proliferation of smart cities initiatives and IoT technologies.

The critical question that remains to be answered is not why, but how Hong Kong can adopt this certification. Who within the government should enforce the certification of IoT-related products? Is it the responsibility of a particular government department like the Electrical and Mechanical Services Department or a third-party body? These questions need to be further discussed.

Ronald Pong is the Chairman of IT Governance Committee at Smart City Consortium (SCC) and Daniel Chun Chairman of Smart City Blueprint Special Interest Group at SCC. Smart City Consortium is a non-profit organization based in Hong Kong set up to share our expertise, advice and views in collaboration with other professional bodies to assist the HKSAR Government in building a Smart City.

Image credits: Pexels (Creative Commons CC0)