Cyber security in IOT
Academic Level: Masters
Volume of 4 pages (1100 words)
Assignment type : Thesis
3- Literature review
4- Research questions
Social and Ethical Issues of the Internet
The discussion of freedom of speech demonstrates the power and obligations associated with internet access. However, it does point out the importance of responsible use and also cites examples of how freedom of speech could be detrimental to the country or the system. Exploitation of child pornography is an example where responsibility must be exercised in order to maintain security and order for adolescents. The subject of free speech includes topics such as moral legitimacy, internet issues, promotion of destructiveness, hate crimes, spam and intellectual property issues. Much as these topics are addressed from a legal standpoint, the protection of national resources and the protection of organizations need to be modeled and structured. Simply choosing to ignore these types of issues eventually leads to complete exploitation or loss of usefulness of the network or organization involved. Congress has had to enter into these legal regulatory processes associated with free speech, as it should to promote specific cyber security measures for private industry. Some of these types of laws have even had to be tested by the U.S. court system, including the Supreme Court of the United States of America.
While exploring this analogy we should look at the aspects of Government enforcement. There are various ways the Government can mandate these policies and rules to force industry to implement good cyber security measures in the interest of national security. As an example, the courts and Congress have weighed in on the rights involved with controls being used in public libraries to prevent minors from accessing pornographic and mature information in the library. Congress adopted protection laws under the Children’s Internet Protection Act (CIPA) in 2002. The purpose of the Act is to limit the exposure of explicit material in public libraries. This issue has been debated and tested all the way to the U.S. Supreme Court (American Library Association v. United States, 2002), which actually upheld the rules to control content. Additional legal protests were filed in 2003 (United States v. American Library Association, 2003), which resulted in rulings that alternative channels be made available to allow adult viewing of blocked content. Using this example as a basis for Government enforcement of cyber security implementation requirements demonstrates that the Government does have mechanisms to enable this. Furthermore, the U.S. courts provide the balance to test the checks which Congress may adopt. This system of checks and balances provides a way for enforcement to be groomed and to establish solid criteria for how private industry can be held accountable for implementing sound cyber security systems while not being unfairly forced to violate U.S. Constitutional rights or having an unfair burden put on it to fulfill this need.
Another example of how private industry is required to enforce proper security, which includes cyber security, is in the commercial airline sector. Obviously the U.S. has adopted strong physical security requirements for public transportation in the aviation community. The advent of the Transportation Security Administration (TSA), created in November 2001 in the wake of the 9/11 attacks, clearly demonstrates the Government’s ability to enforce processes and procedures with regard to commercial elements considered vital to national security. Within the charter of the TSA, cyber security considerations are included in its various regulatory authorities. Beyond the scope of the aviation community, the TSA also has the responsibility to provide security for national pipelines which carry hazardous materials. In September 2002 the TSA formed the Pipeline Security Division, within what is now called the Office of Transportation Sector Network Management (TSNM). The TSNM has established a set of security guidelines which support the actual Hazardous Materials Regulations. Within the guidelines is a section dedicated to business security, entitled Corporate Security Program (CSP). The program contains guidelines for companies to adopt a risk-based corporate security program to address and document the organization’s policies and procedures for managing security-related threats, incidents and responses.
The CSP identifies specific areas which must be addressed by private operators doing work with the pipeline system. The elements addressed include:
• Administration and Management Structure
• Risk Analysis and Assessment
• Physical Access Security Control Measures
• Equipment Maintenance Testing
• Personnel Screening
• Personnel Training
• Drill and Exercises
• Security Incident Procedure
• Incident Response Procedures
• Plan Reviews
• Record Keeping
• Supervisory Control Data Acquisition Cyber System Security Measures
• Essential Security Contact Listings
• Security Testing and Audits
A separate section within the guideline documentation is dedicated specifically to cyber security and addresses guidelines for securing the IT environment. The section, titled Cyber Asset Security Measures, establishes criteria to ensure that IT systems are accounted for and that compensatory controls are applied as part of an overall defense-in-depth approach. One may recall that Cisco also used a similar approach in their response to cyber security responsibility. A cyber security measures table is provided with the document, with criteria segmented as follows, for the purpose of ensuring that the pipeline operator maintains a cyber secure environment. A sampling of the measures shows a mechanism which could be used for other Government mandates to other industries.
• Baseline Measures
  o General Security Measures
    Discusses types of devices and systems to be evaluated, frequency of evaluation and methods.
  o Information Security Coordination and Responsibilities
    Discusses the development of documentation and teams to support ongoing discussion and security improvement throughout a system lifecycle.
  o System Lifecycle
    Ongoing design refinement, patching and review processes.
  o System Restoration and Recovery
  o Intrusion Detection and Response
  o Access Control and Functional Segregation
• Enhanced Cyber Security Measures
  o Access Control
    Methods of restricting access.
  o Vulnerability Assessment
    Methods and frequency limits of assessment.
It’s obvious the TSA has created a detailed structure which is imposed upon private organizations doing work with the national pipeline network. These guidelines could easily be modified and adopted by other federal agencies to further support the imposition of control on the private sector.
In summary, there is plenty of evidence to support the position that private industry should not only take on the responsibility to ensure they have secured their IT environment but in some cases even contribute information and even solutions to other organizations, when applicable, for others to synchronize and make use of synergies. In cases like Cisco, their work in the federal sector is a driving force for change which can carry on to other private organizations by default. There is also legal precedent to substantiate the creation of laws and litigation controls which could be applied to pressure private industry to take on specific responsibilities when it comes to cyber security and in turn protecting national security interests. The next steps are to determine the proper authorities to initiate the movement or to perpetuate the phenomenon of cyber security awareness and ownership via multiple Government agencies. We should not wait for the next incident to occur before reacting, since it is already on the radar, according to the National Security Agency, that the next significant military assault is highly likely to contain a cyber threat component (McConnell, 2011). This already has occurred in recent international conflicts, when Russia attacked Georgia and disabled most of their internet communications as part of the attack. The U.S. Government and private industry need to further the progress of cyber security by growing this give-and-take relationship. In conclusion, we have shown not only that private industry should take responsibility in contributing to the protection of national security, but also examples of how it is already being done and the value to both the private sector and the Government. Secondly, when addressing the question of the Government imposing rules and telling private industry how to go about cyber security, that also has precedent to validate how this is and can be done.
An important point here, though, is that the Government does not directly tell the industry how to implement cyber security, nor should it take on that level of responsibility and liability. It does, and should, however, establish guidelines that help to standardize the implementation. Enforcement of the rules can be done using the processes of checks and balances our Government has established over the past almost 250 years.