SJUK Exclusive: The right time for a new opportunity

May 9, 2022

Michelle Kradolfer, Internet of Things Technical Officer, Secured by Design discusses her new role with Security Journal UK.

Can you tell us more about your background in security?

I started off by undertaking a Bachelor of Socio-Legal Studies at the University of Sydney. It was here that I first got introduced to the field of criminology, sociology and law. I’ve always had an interest in cyber-crime and cybersecurity, but more specifically, how to protect children online. I covered this at the University of Sydney. However, it is difficult to break into the world of cybersecurity without an IT background. I therefore spent time trying to figure out how a non-technical person like myself could break into it.

I completed a Master’s degree in Criminology a few years later and I also did an internship at Interpol – that’s where I really got interested in how cyber-crime impacts countries and people on a global scale. That experience really solidified how I felt and I knew I needed to get into the world of cybersecurity.

After my stint at Interpol, when I was actively trying to pursue a career in this field, I realised I needed to have something that would help me get my foot in the door. I completed an MSc Cybercrime and Digital Investigation at Middlesex University and it was fascinating to learn the different types of cyber-crime that are out there and what is actually happening in the UK.

During this time, funnily enough, I actually found the Police Digital Security Centre (PDSC) via Google search and I remember emailing them saying, ‘do you have space for a student to do a placement’ and they said, ‘sure, why not come for an interview!’ Once my placement ended, the PDSC asked me to give them a call when I had finished my master’s and that’s exactly what I did. They encouraged me to apply for the Cyber Development Support Officer role and then in 2021 I was promoted to Cyber Development Officer. Now, I have switched over to the world of IoT.

How have you found the transition between the two roles?

Quite smooth actually. In my previous role as Cyber Development Officer, the focus was around giving support and advice to UK SMEs on how to protect themselves from cyber-crime. The advice includes what to do with IoT devices that many people have at home, so it’s now just a bit more focused on one area and not the whole umbrella.

It’s been an easy adjustment to go through and this role is more technical than the one before. As I look ahead, my role is going to largely be focused on trying to get companies that have IoT products to go through our accreditation scheme.  

The IoT landscape has developed drastically in the UK over recent years. The number of internet connected devices across the world has increased to 35 billion and I think that number is going to be rising even more in the next couple of years. I think the prediction is 75 billion by 2025. I can see this number being achieved and perhaps exceeded; as a result of the pandemic, most people have to work from home and that means they have bought more devices and that more things have become smart.

With everything becoming more connected to the internet, we’re going to have more devices at risk, particularly as many IoT products are not really produced with security in mind. Typically, they’re built for convenience. More and more, I think consumers are taking into account what is happening with their data when they are using IoT devices. They’re thinking more about security than ever before.

What are the key cyber-threats facing IoT devices in 2022?

Definitely phishing and malware attacks; I think that’s the thing we have to keep in mind as we look ahead. The old tactics of cyber-crime are here to stay and, sadly, they are still very successful. I imagine that the recorded number of hackings will continue to increase.

It’s all to do with the security of the device itself; if there is a weak point and the device is interconnected with a network, the situation can become very serious, very quickly. I think there was an example where an American casino had a fish tank with an IoT device fitted – that controlled the water temperature and the feeding – and hackers managed to infiltrate the casino’s network through that because it was connected to the internet.

Another example was an apartment complex in Finland that had smart heating and water systems; hackers were able to find a vulnerability in the software and shut down the entire system for almost two weeks. It’s scary to think that with poor security, that could be replicated on a smart city scale.

Can you tell us more about Secured by Design’s ‘Secure Connected Device’ accreditation?

Secured by Design is known for being the official police security initiative that operates an accreditation scheme in the UK. In these modern times therefore, it was a natural move to include IoT products in the scheme, particularly as a lot of doors and windows have alarms and other IoT aspects; we thought it would be good to expand, especially given the work that the government has been doing around IoT devices.

Ultimately, we created the Secure Connected Device accreditation in line with government legislation to ensure that manufacturers can come to us and become certified and that customers can be provided with security assurance.

Manufacturers can get tested by our third party partners including IASME, BSI and UL and then come back to us for their Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certifications.

In 2018, the UK government published the first Code of Practice (CoP) for the Internet of Things. The CoP – which was developed by the Department of Digital, Culture, Media & Sports (DCMS) – sets a benchmark for security for manufacturers to follow when developing IoT products for the UK market. This is now being influenced by ETSI EN 303 645 and other IoT related standards.

If an IoT device has the word ‘Admin’ as a password, which happens quite a lot, the government wants to be able to ban this occurrence and allow consumers/security researchers to, if they find a flaw in the software, be able to report defects back to manufacturers. By obtaining the Secure Connected Device accreditation, I think consumers can be provided with a sense of confidence in what they are buying. Moreover, it enables manufacturers to say, ‘we have gone through independent testing and yes, we can assure you that our devices are secure.’

I encourage everyone to find out more about the Secure Connected Device accreditation by visiting: https://www.securedbydesign.com/Internet-of-Things

This article was originally published in the May edition of Security Journal UK.