The Internet of Things (IoT) realizes the ubiquitous connection between things and things and between things and people, turning the Internet of Everything from an ideal into reality. The Internet of Things is injecting new vitality into more and more industries, including the Internet of Vehicles, the Industrial Internet of Things and the Home Furnishing Internet of Things.

In the 14th Five-Year Plan, “Internet of Things” is designated as one of the seven key industries of the digital economy, and it is clearly pointed out that the layout will be carried out in three aspects: infrastructure, access capacity and application scenarios. There is no doubt that the Internet of Things has become an important part of China’s 14th Five-Year Plan construction and will usher in sustainable growth space.

However, while Internet of Things technology brings new opportunities for people’s livelihood, the economy and enterprise development, security problems such as hacker attacks, network attacks, information leakage and privacy protection are emerging in an endless stream, and the harm is more prominent. The security of the Internet of Things is increasingly a matter of wide concern and attention for enterprises and consumers. How to effectively use the advantages of Internet of Things technology to create value for their own development has become a “must answer” question for participants in the Internet of Things industry.

Therefore, around the core proposition of “Internet of Things security”, this edition of the “industrial security think-tank interview” invited two experts, Ke Haoren, director of the institute of China academy of information and communication security, and industry veteran CSO Zhou Zhijian, to analyze IoT security pain points and construction in terms of the current rules and future trends of Internet security. https://www.qq.com/video/s323…

Internet of Things applications continue to land, but the security issues behind them remain to be resolved

Q1: While the Internet of Things brings a lot of convenience, its security is also of wide concern to the whole of society. What general rules and trends can be found from recent IoT security incidents?

Ke Haoren: In terms of the overall rule, first of all, attack modes are now more diversified. Originally the means were relatively single; for example, between 2000 and 2010, viruses, Trojan horses, personal privacy and other related attacks were in the majority. However, in recent years, the targets and means of attack have gradually infiltrated the industrial field of Internet of Things application or some other industrial fields. Originally, security attacks on the Internet were application-oriented, but now they are oriented to a variety of application platforms and a variety of intelligent terminals across the whole Internet of Things.

Attack technology has also changed. Hackers or other organizations with attack objectives will use new technologies such as artificial intelligence and blockchain to launch attacks. Especially when it comes to the enterprise side, the application of Internet of Things technology is more likely to lead to organized attacks with a commercial purpose or by hostile countries. The whole attack mode, tools and technology are not quite the same as in the original personal hacker attacks, and they will cause more harm.

Generally speaking, the Internet of Things application scene should be divided into multiple levels in the future to carry out corresponding security design and protection. This is because individuals pay more attention to personal privacy protection, while enterprises pay more attention to business applications, including the security protection of industrial data or business data.

In addition, our country is also pushing digital transformation, focusing on industrial transfer and upgrading for some state-owned industries and enterprises, and Industry 4.0. In this process, Internet of Things technology is widely applied, and the security of the Internet of Things will be of greater concern to the country. In the general trend, some policies and standards related to the security of the Internet of Things will tend to be improved, but this has only just started at present. Although the Internet of Things has been introduced for more than ten years, the top-level design of the security of the Internet of Things is still relatively weak, whether in terms of guidelines, standard policies or laws.

Zhou Zhijian: My personal understanding is that the Internet of Things has not been promoted on a large scale yet. It is actually still in the conceptual stage. But the time for IoT to explode will come soon, as the country is now engaged in the digital transformation of its entire state-owned enterprises. In terms of trend, in the next five to ten years, the trend of the Internet of Things will become more and more obvious.

The Internet of Things is like putting all our phones on the Internet. As long as we put them on the Internet, they will have security problems. It is the equivalent of everything in the production environment being exposed to the Internet, and its security issues will be very significant. This means that security is a deep business issue.

Q2: What common security pain points do you think exist in the current IoT industry?

Ke Haoren: First, personal application scenarios for users, including consumer Internet and mobile Internet. First of all, there is the diversity of terminals. In terms of communication, the wireless communication protocols we use, including ZigBee, traditional telecommunication 3G, 4G, 5G and industrial communication protocols, will be difficult to protect against the changes of intelligent terminals. In addition, because of the large-scale and massive applications of the Internet of Things on the side of the terminal, it is difficult for defenders to achieve effective protection. For individual users, Internet of Things applications have increased convenience, but personal privacy protection is still at a relatively immature stage. This is also the focus of protection and the pain point to solve.

Second, on the enterprise side, the means of application are relatively mature, but many enterprises dare not use them; this is the so-called security pain point. This is because they do not know what security risks or new security risks will exist after enterprises apply Internet of Things technology, and the security loss may be more serious than the convenience gained. As for the popularization and promotion of Internet of Things applications, enterprise users will have such concerns.

At this level there are some pain points that need to be addressed. However, enterprise users need to address the top-level design and, through closed-loop safety management as a whole, meet the security protection requirements of the business, which will be a more appropriate way for enterprise users.

Zhou Zhijian: The key issue is that there is no big, actual scenario trend in the industry. The participants in the Internet of Things, such as IoT platform and IoT device manufacturers, do not have good standards among them, so there will be a lot of confusion; this is the biggest pain point.

This kind of pain point leads to the problem of how much output enterprises are faced with when they invest in security, because there is no scene. Their interests are not proportional. This is the most fundamental core problem, and it is not that they don’t want to do security. When the scene is broad enough and the impact of security issues on their input-output ratio is large enough, this pain point will naturally disappear.

How should security vendors respond to ensure the security of the Internet of Things industry?

Q3: What are your suggestions for the security system of the Internet of Things?

Ke Haoren: It can be discussed from two directions: one is safety management, the other is the establishment of a safety technology system.

First of all, from the safety management system, there are several dimensions:

First, the competent authorities of the whole country, the competent authorities of the industry and all parties of the industrial chain should improve the construction of the top-level system and safety management system. For example, the competent authorities of the industry should promote the construction of some top-level design, standard policies, technical standards, management standards, top-level construction opinions, guidelines and norms.

Second, back to the application of the Internet of Things itself, the construction of the entire safety management system can form a closed loop of safety management within the enterprise, including security risk identification, security risk management, organizational structure, security risk assessment, emergency drills, detection of security incidents, emergency disposal and recovery.

Secondly, back to the security technology system, from a large level, gradually improve the construction of our security technology capability at each level of the edge of the cloud pipe.

  • The end side, the corresponding technical system construction, with some new technology, the corresponding safety technology for further improvement;
  • On the terminal side, there will be lightweight security protection solutions, and corresponding product incubation and application;
  • On the network side, there are different security technology protection contents for different levels of the Internet of Things. For example, in the 5G network environment, how to make use of the security performance improved by 5G itself, and how to build the entire security protection technology system in the application process of 5G+ Internet of Things.

According to different security protection objects and different Internet of Things application scenarios, to design security technology system, such as data security, whether to protect personal information, or to protect the enterprise side of the Internet of Things application business data, production data.

Therefore, classification or classification should not be carried out to build the security technology system, but to build a relatively perfect technical system from the end, cloud and platform side.

Zhou Zhijian: For security, I have a concept called 1+1+N, that is, a one-sentence security architecture + a security ERP+N security products. The difference between the security of the future Internet of Things and the digital transformation of the current industrial Internet of Things lies in the addition of IoT equipment. The security of the entire link of the equipment, from production, manufacturing design to transportation and deployment, is difficult to control because it is a whole ecological chain. My outlook for IoT security system construction: IoT equipment security plus 1+1+N can comprehensively cover the security risks of the entire Internet of Things industry from the framework.

Q4: How should the Internet of Things industry and the security industry interact to continuously optimize the security capacity? What help can professional security manufacturers provide?

Ke Haoren: At present, there are not many professional divisions of Internet of Things security manufacturers. Many traditional security manufacturers and head enterprises have their own industrial Internet, Internet of Things security business division or branch. But from the point of view of their own enabling, technical capabilities and technical systems are converging, and there is no great change. The driving force of Internet of Things security enterprise itself is certain, and the industry is gradually rising. Some industries predict that IoT security will continue to grow, and there may be a better market outbreak by 2025 and 2030.

I think there are two development paths: first, like the top security enterprises, or traditional network security enterprises, for the security of the Internet of Things to refine or do the iteration of the entire product line, product applications can be deeply promoted, gradually forming the first echelon. Second, from the point of view of the Ministry of Industry and Information Technology, it also hopes to cultivate leading IoT security enterprises in segmenting fields, which is a good trend for the industry.

However, to fully integrate IoT security enterprises and IoT industry, there are still many things to get through. In addition to the lack of top-level design, some device terminal providers of the Internet of Things have weak driving forces for security, either in terms of their capabilities or in terms of cost. However, Internet of Things security enterprises understand the hidden dangers of security risks and have a large driving force to invest.

Not only that, individual users and enterprise users also put forward different demands for IoT security enterprises, such as focusing on consumer IoT or back to the enterprise end, there are two big differences. This also doomed the Internet of Things security enterprises in the entire Internet of Things industrial chain to find their own positioning.

Generally speaking, in the next 5 to 10 years, including some authoritative industry forecasts, the development of Internet of Things security enterprises is still good.

Zhou Zhijian: In fact, the difference between the Internet of Things industry and the current digital transformation or industrial interconnection is that the digital transformation may only be the informationization, digitalization and even automation of the business. However, the Internet of Things will interconnect all the production equipment and become a part of the production. The security of the Internet of Things is integrated with the enterprise itself and is completely integrated with the business. This is also the characteristic of the security of the Internet of Things: without security, the products of the Internet of Things themselves will find it difficult to go to the market, and security is also the key to the Internet of Things and interaction.

Therefore, in the era of the Internet of Things, the combination point of its industry and security should realize integrated operation, and security should also be digitalized and automated. In this way, their linkage and ecology can continue to expand and go in a healthy direction.

At present, it is enough for security manufacturers to prepare, because the era of profit has not yet come; they only need to pay attention. For example, focus on what IoT devices are currently available. Find out what problems they have.

I have three suggestions. First, there should be an evaluation standard for equipment, which can be a service. Second, for devices that themselves do not conform to the security level, there should be a detection platform or simulation attack platform to detect them. Third, in the operation of the platform, we should follow the secure digital operation mode, which I just mentioned: 1+1+N. Many companies are also doing this now. Lay a good foundation now, and later you will naturally be able to catch up with a wave of good times.

Final words

In recent years, smart cities, industrial Internet and smart medical services based on Internet of Things technology have been launched one after another, and the market scale of the Internet of Things in China is constantly expanding. Data shows that spending on China’s IoT market will increase to $313.3 billion by 2024. However, the Internet of Things is also faced with fragmentation of demand, complex and volatile technology, frequent security incidents and increased security risks, as well as multi-level problems such as high cost, unclear profit model, lack of top-level design and industry standards. This has put forward further requirements for the development of the Internet of Things, and it has become the trend of the times to build, govern and share things with various parties.

As a leader in industrial security, Tencent has been deeply engaged in security research in frontier technologies such as the Internet of Things. In terms of the Internet of Vehicles, we summarized the laboratory’s experience accumulated in Internet of Vehicles security over the past four to five years, and released SYSAUDITOR, a penetration test assistant platform tool focusing on automatic safety baseline audit of embedded systems, which can detect 90% of common safety problems. In order to promote the standardized development of the industry, the international standard “Data Security Requirements for Heterogeneous Devices in the Internet of Things” led by Tencent has successfully passed the review and approval of the International Telecommunication Union. In terms of ecological construction, we jointly built an innovation research and development center with Theil Laboratory to escort the safety of the Internet of Things industry. In the future, Tencent will continue to open up its security capabilities and build a prosperous IoT industry ecosystem.