Lots of people are talking about the “Internet of Things” and what it means to the Internet’s future. Not all of these comments are good.
Consider that Government Computer News (GCN) ran an article titled “The Internet of malware-infected things” discussing body cameras that were found to be infected with the Conficker worm straight from the factory. Along the same lines, Federal Computer Week commented “The Internet of Things leaves public and private computer systems essentially indefensible, and no amount of security guidance can provide salvation.” In the article, NIST fellow Ron Ross commented “You can comply perfectly … and still have a very vulnerable infrastructure because of the complexity.”
EY weighed in, mentioning that “70% of the most commonly used IoT devices contain vulnerabilities” and “effective cybersecurity is increasingly complex to deliver.” Additionally, Gartner's view on the topic can be summarized in the following remarks: “the Internet of things will change cybersecurity forever” and “redefines security by expanding the scope of responsibility into new platforms, services and directions.”
Clearly a lot of smart people are thinking about this while most of us are still trying to figure out how to get our cell phone to talk to our car so we can answer a call, hands-free, while we’re driving. Yet, these two problems are related.
Why is IoT such a big deal?
The Internet of Things is a result of computing and network connectivity becoming incredibly inexpensive. With the rise of flash memory in the 2000s, it became possible to put computing, memory, storage, and connectivity onto a single chip, or a couple of interconnected chips. Thanks to smartphones, the price of these chips has plummeted, so the computing capacity that cost thousands of dollars in the 1990s is now available for less than a hundred dollars. These platforms, in turn, are capable of running full operating systems and doing the same type of computing as the personal computers of a decade ago. No, they are not as powerful as your desktop gaming rig with three screens, but they are every bit powerful enough to connect to the Internet and send and receive data from other Internet-connected systems.
All of this computing capacity and capability means that it is now cost-effective to interconnect everything. When one considers the cost of labor, it’s not just self-driving cars or digital X-Rays. It’s interconnected light bulbs. No, you don’t need these at your house. However, in a stadium, where changing a single bulb can cost a thousand dollars in labor, knowing which bulbs are on the verge of failure, in real-time, can save millions of dollars over the years. IoT is self-monitoring light bulbs and pipes. It is bridges that monitor their own strain and can tell operators when maintenance is due. It is electric meters that not only know how much energy a house is using, but also whether that energy is being used to cool the house in the heat of the day or to do laundry that could be postponed until evening time when energy is more plentiful and less expensive.
Why is IoT so vulnerable?
The problem with IoT is that it involves putting computing capacity everywhere, and while such inexpensive computing capacity is easy to distribute, it is just as hard to maintain. A simple connected device can contain millions of lines of code, for the operating system, network stack, communications protocols, and of course the application running the device itself. Moreover, it is not cost-effective for manufacturers to strip out unused components, since those components might be needed down the road. When gigabytes of flash storage are available for a couple of dollars, why spend the money to minimize? It’s simply not the best use of scarce engineering resources, when those resources could be spent on new capabilities instead.
The result is an explosion of connected devices that run large, complex software packages and cannot be maintained or patched over their lifetimes. Since many of these devices use the same Windows, Linux, and Android operating systems used by mainstream computing devices, they are going to have the same vulnerabilities and be susceptible to some of the same attacks. It is inevitable.
Why not just isolate the critical stuff?
So if we can’t secure it, can we isolate it? On the one hand, we can definitely try to isolate IoT devices, and a proper layered defense encourages using the network to protect IoT devices and contain compromised devices and the damage that can come from them. However, the power of connectivity is in the connection, not the isolation, so there is always going to be a tension in this approach. Just ask the power company: while it is critical that plant control systems be isolated from the Internet and corporate networks, it is just as critical that these systems be able to communicate across those boundaries so that operational alerts can be communicated, and business information like power usage and billing can be transferred where it is needed. There is no such thing as an isolated, connected system. There is only a hardened system where the connectivity is protected in order to reduce the risk.
Similarly, we are going to find that the utility of IoT devices will be so great that the business value of connectivity almost always outweighs the risks. So, we can’t put the genie back into the bottle. We must control it, instead.
If we can’t isolate, then what should we do?
Just as we can look to our industrial colleagues to better understand the challenges of protecting sensitive networks, we can also look to them for ideas on how to deal with these challenges. Electric power plants use data diodes and gateways to connect sensitive plant control systems to business systems, while also establishing a clear security boundary and detection perimeter where security protection can be provided and monitored. In medical circles, the joke goes that obsolescence and criticality go hand-in-hand for computerized systems. In other words, the most obsolete computer in the hospital is controlling the most critical hospital IT system or diagnostic device.
In all of these cases, we must rely on controlled connectivity so these systems are connected, or interconnected, but also protected with preventive, detective, forensic, and audit controls that:
- Make the connected system difficult to connect to and hopefully difficult to compromise, in the first place.
- Can detect when the connected system is compromised or is otherwise behaving in an abnormal way.
- Can supplement the logging built in to the connected device (since oftentimes there is little to none already there) so that investigators can understand the operation of the system.
- Can support periodic audits of the system to gather evidence that it is operating as intended and is not compromised or behaving maliciously.
By putting these controls in place around our IoT devices, we can gain the ability to use them in a secure context, even if we cannot actually secure the devices themselves. It is all part of treating security as a system, rather than just a device.
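A sketch of how those four controls can sit at a gateway in front of devices that cannot be secured themselves. This is an added example, not code from the article; the device names, addresses, policy table, and byte ceilings are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical gateway policy: the only (peer, port) pairs each device may use.
POLICY = {
    "meter-17": {("10.0.5.10", 8883)},  # billing collector, MQTT over TLS
    "bulb-204": {("10.0.5.20", 5684)},  # lighting controller, CoAP over DTLS
}
# Assumed per-flow byte ceiling taken from each device's normal behaviour.
BYTES_BASELINE = {"meter-17": 4_000, "bulb-204": 500}

@dataclass
class Flow:
    ts: str
    device: str
    dst: str
    port: int
    nbytes: int

def evaluate(flow):
    """Preventive + detective: decide one flow against policy and baseline."""
    allowed = POLICY.get(flow.device)
    if allowed is None:
        return "block", "unknown device"
    if (flow.dst, flow.port) not in allowed:
        return "block", "destination not in policy"
    if flow.nbytes > BYTES_BASELINE[flow.device]:
        return "alert", "volume above baseline"
    return "allow", "ok"

def run_gateway(flows):
    """Forensic: the gateway keeps its own record, independent of device logs."""
    log = []
    for f in flows:
        action, reason = evaluate(f)
        log.append({"ts": f.ts, "device": f.device, "dst": f"{f.dst}:{f.port}",
                    "bytes": f.nbytes, "action": action, "reason": reason})
    return log

def audit(log):
    """Audit: per-device counts of each decision for periodic review."""
    return Counter((e["device"], e["action"]) for e in log)

# Constructed sample traffic as seen at the gateway.
SAMPLE = [
    Flow("2024-01-01T00:00:00Z", "meter-17", "10.0.5.10", 8883, 1_200),
    Flow("2024-01-01T00:00:05Z", "bulb-204", "10.0.5.20", 5684, 90),
    Flow("2024-01-01T00:01:00Z", "bulb-204", "203.0.113.9", 445, 300),    # peer outside policy
    Flow("2024-01-01T00:02:00Z", "meter-17", "10.0.5.10", 8883, 90_000),  # unusual volume
    Flow("2024-01-01T00:03:00Z", "cam-3", "10.0.5.10", 8883, 100),        # unregistered device
]

if __name__ == "__main__":
    for entry in run_gateway(SAMPLE):
        print(entry)
    print(dict(audit(run_gateway(SAMPLE))))
```

The gateway log exists even when the device itself records nothing, which is what makes the audit step possible.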
We are just scratching the surface of what connected devices can give us in terms of new functionality and solutions to problems that we did not even know existed. However, we cannot count on these devices to be secure on their own. We must treat security as a systems problem and use connected devices in a manner that provides for their protection.