Security standards for HK's smart city blueprint
Security standards for HK's smart city blueprint
Imagine a Bluetooth-enabled toy or a Wi-Fi-enabled monitoring camera, products that are supposed to bring joy to kids and safety to homes, turning against their owners one day. They become a tool for attackers to collect your images and other personal information, which is then used to hold you to ransom.
This is not a Hollywood movie script; it is already happening around the world. CloudPets and Cayla, two of the latest children's gadgets, were reported as targets for hackers because their product and software design could be easily compromised. CNN and the New York Post reported that CloudPets could leak voice recordings, photos and location information, and the BBC reported that the Cayla doll exhibited the same kind of vulnerability to hacking.
As IoT becomes more pervasive and millions of new products are connected to the Internet, more vulnerabilities will be found in these devices and more cybercrime will follow from them. Viruses, Trojan horses and ransomware are not new, but with IoT they can easily propagate to the new things that promise to be connected, smart and Internet-friendly.
Bringing standards to HK
At the Smart City Consortium, we believe that best practices and standards like ISO/IEC 15408-1:2009, better known as the Common Criteria (CC), should be adopted in the HKSAR Government's upcoming smart city blueprint. Furthermore, the Government, through the OGCIO, should also consider building its own IoT security certification centre that operates under the Common Criteria.
Adopting this standard is expected to provide evidence and traceability for IoT-related products: an evaluated product comes with a documented Security Target stating what it claims to protect and an evaluation report showing how those claims were tested. It also helps these products conform to minimum security standards and supports a governance framework suitable for addressing risks in data management.
Consumer electronic products may not require the highest level of certification, compared with enterprise systems such as payment terminals or mission-critical sensor-based systems. It is nonetheless necessary for the Government to start thinking about the need for certification and the talent that it requires.
Another area the Government should consider is formulating a strategy for Evaluation Assurance Levels (EAL). An EAL is the numerical grade, from EAL1 to EAL7, assigned on completion of a Common Criteria evaluation. The EAL does not measure how secure the product is; it states how rigorously the product was examined against the security claims in its Security Target. A high EAL on a weak set of claims therefore says little, so the strategy should also specify which Protection Profiles, the standardised sets of requirements for a product class, IoT devices are expected to meet.
An EAL strategy would also cover the Bluetooth-enabled devices adopted in smart city initiatives. With the new Bluetooth 5.0 standard providing higher performance, wider reach and better connectivity, the associated attacks, such as bluejacking (pushing unsolicited messages to a device), bluesnarfing (reading data from it without authorisation) and bluebugging (taking control of it), need to be minimised. Certification does not harden a radio by itself; what it provides is an evaluated statement of how thoroughly the device's pairing, authentication and access-control functions were tested, so the blueprint should state which level is expected for which class of device.
CC adoption in the region
In Taiwan, the ISO/IEC 15408 Common Criteria has been adopted since 2009, and in China a similar standard has been adopted by the China Information Technology Security Evaluation Centre.
The adoption in Taiwan and China demonstrates the need to raise information security standards in response to the proliferation of smart city initiatives and IoT technologies.
The critical question that remains is not why, but how Hong Kong can adopt this certification. Who within the Government should enforce the certification of IoT-related products? Should it be a particular Government department, such as the Electrical and Mechanical Services Department, or a third-party body? These questions need further discussion.
*This article was published in Computerworld on 11 April 2017 and in Smart Vision on 29 May 2017.