This year the third week of National Cyber Security Awareness Month focuses on critical infrastructure and The Internet of Things. “The Internet underlies nearly every facet of our daily lives and is the foundation for much of the critical infrastructure that keeps our nation running. The systems that support electricity, financial services, transportation, and communications are increasingly interconnected. The Internet of Things—the ability of objects and devices to transfer data—is changing the way we use technology. “(About Us, 2014)
As connectivity expands beyond computers and handheld devices to include things like household appliances, home safety systems, and even the cars we drive, the need for security – and the degree of impact should that security fail – becomes increasingly obvious…and personal. “Securing the Internet of Things represents new challenges in terms of the type, scale and complexity of the technologies and services that are required. The Internet of Things means sensitive information, such as device operation details and personal data, transitions from moving within secure networks to moving between third parties. The risks of having information travel between externally controlled appliances, customers and sensory-based technology challenges traditional, layered-protection security management.” (Peter Sondergaard – Gartner, Inc, 2014)
What Are the Challenges?
Protecting a vast infrastructire that’s constantly growing and changing to meet the needs of a population of users becoming more dependant upon it necessarily involves a certain degree of difficulty. Navigating this type of terrain obviously comes with its own set of challenges.
“1. There’s often no consistent or official software update process or mechanism.
Malware on a Windows machine eventually gets discovered, but Marc Maiffret, CTO at BeyondTrust, says there is little or no visibility into IoT devices. ‘Nobody has visibility into these devices or what is the authenticity of the firmware” if there’s an update to them.
Since many of these devices run on Linux-based platforms, he suggests that their software be managed by the open systems community, which can handle vulnerability and security updates. An IP camera or an SAN storage system, for instance, should have a regular Linux update mechanism. “They should be opened up so they are truly treated as Linux OS. Allow me to SSH into it securely” and manage it like any other Linux OS, he says.
Chris LaPoint, vice president of product management at SolarWinds, says he has three home IP cameras that aren’t running up-to-date firmware. It’s unclear if they contain vulnerabilities. “Even the setup instruction for a lot of these devices, and the configuration of security controls around them, and patching… How does that get managed?”
2. Many consumer product and other nontraditional IT vendors have little or no understanding of the cyberthreats embedded in their systems.
There’s a major disconnect between many of these embedded device manufacturers and the security community. Take the satellite terminal vendor community. Ruben Santamarta, a principal security consultant at IOActive, has found hardcoded passwords, backdoors, and insecure protocols in these devices that could allow attackers to hijack and disrupt communications links to ships, airplanes, and military operations.
3. There’s often a lack of accountability for device security.
For many consumer devices, “there isn’t a clear ownership on who owns the security,” LaPoint says. “Device manufacturers say, ‘We don’t know.’ They’ve hardly thought about it.”
Some just post firmware updates on their websites, and it’s up to the consumers or users to download and update the products. “Some come with obscure instructions, and that you have to do so with a USB cable,” for example, he says. “I don’t think the manufacturers are taking ownership” of securing their devices.
4. Many devices have been improperly configured or have purpose-built features that equate to security flaws.
Many of these devices run on the same network as IT systems. “How do these devices ultimately bridge to other things on my network?” LaPoint says. “If someone sees me in my underwear” via my webcam, that’s not ideal. “But if they are able to gather personal information about me or other systems on my network… What other things can you do?” (Higgins, 2014)
Regardless of the security challenges faced literally on a minute by minute basis, one thing is certain: the Internet of Things – with its ability to provide instantaneous information to a growing number of data-hungry users – is here to stay. Protecting that data and the people who traffic it will continue to be of paramount importance in the years to come.
About Us. (2014). Retrieved from StaySafeOnline.org: http://www.staysafeonline.org/ncsam/about
Higgins, K. J. (n.d.). 4 Hurdles To Securing The Internet Of Things. Retrieved from InformationWeek: http://www.darkreading.com/informationweek-home/4-hurdles-to-securing-the-internet-of-things/d/d-id/1306978
Peter Sondergaard – Gartner, Inc. (2014). Securing the Internet of Things. Retrieved from Forbes: http://www.forbes.com/sites/gartnergroup/2014/09/25/securing-the-internet-of-things/