Granted, it’s unlikely that anyone would be sending a car an email with a malicious executable, but that doesn’t mean there aren’t threat vectors for hackers to exploit. However, because this so-called “Internet of Things” (IoT) is still in its infancy, the security community does have a chance to build in new and better approaches to security, to head off big issues at the pass.
“We don’t have to repeat the same mistakes we made when PCs were rolling out in the 1980s,” said John Pescatore, the former Gartner analyst who is now the director of emerging security trends at SANS Institute, speaking to Infosecurity.
Pescatore outlined the issue as one that the industry has not faced to date at any scale. “Today, most IT is all bought by the CIO organization and they have teams of people who support the software and the hardware, and when the patch comes out the IT team pushes it out,” he said. “We also have a second phase of operational technology, such as SCADA, power, cash registers and kiosks that run on software. That’s not bought by IT but there are teams that are responsible for it. But in IoT, when eyeglasses, automobiles and so on are all bought with embedded computers and software, consumers have no idea of who will support it and maintain it.”
For instance, what happens when the OS inside a Ford car or residential smart grid meter needs to be replaced or upgraded? How can the industry as a whole keep ahead of evolving threats without an efficient way to patch vulnerabilities? “The goal here is to raise the bar a whole lot, because it’s so much harder to update a pacemaker that’s implanted in a person or upgrade the OS in a windmill that’s been placed on an iceberg,” he explained.
Pescatore said that fortunately, there are hardware-based security solutions that can now be leveraged, like the Trusted Platform Module that’s built into X86-type platforms and mobile devices with ARM architecture. Also, Intel’s new low-power processors leverage hardware security to make it easier to do encryption.
“It’s really important that we learn from the mistakes and take advantage of new security capabilities that have arisen,” he said. That also means moving away from dependency on putting software on the endpoints. “That hasn’t worked for 20 years, but it certainly has sucked up a lot of money,” Pescatore noted. “We have to build more secure endpoints, and make the communications themselves more secure. And besides, it won’t make sense to put $20 of AV software on every pedometer out there.”
Another factor in IoT’s favor is the fact that a single chokepoint exists in the form of wireless networking. “Think about all of the ways to get in trouble on a laptop—USB, CD-ROM, wired Internet connection, wireless router—there are all kinds of things,” he said. “With IoT, it’s all wireless. Wireless carriers become the single chokepoint because everything flows through them, so I think we’ll see the wireless data carriers playing a major role in security.”
Another aspect is the fact that people using tablets and smartphones are accustomed to getting apps from an app store. “They don’t really expect to use third-party apps—and already, in cars, Ford provides its own apps,” said Pescatore. “So manufacturers, rather than saying it’s all up to you, consumer, will need to build in stringent app-vetting processes.”
The consequences for not building a better framework than exists today for PCs and mobile devices can be predicted. “Another thing we’ve learned in roughly 30 years of using the internet is that the big guys find vulnerabilities and they crash it for fun, at first,” he said. “And we’ll see that in the internet of things, including denial of service and general mischief. But the second phase is cybercrime.”
Every credit card payment triggered through a smart thermostat’s usage communications is a potential issue, he explained. “Criminals can gain visibility as consumers pay the electric bill, or uncover Social Security numbers via pacemakers. These dangers could be huge when you think of the penetration we’re expecting and the number of automatic payments that will be set up for connected devices.”
There’s also a nation-state concern. For every server-side application for car based systems, oil rigs and other critical infrastructure within the IoT ecosystem, there’s a door to stealing intellectual property.
SANS Institute is spearheading an effort and summit to help manufacturers and vendors learn from the past and take a long hard look at security during the development phase of internet-related products. The idea is to bring together some of the leading minds in security, as well as other practitioners from a wide cross section of industries and company sizes, to raise awareness of the need to create a secure foundation from the start.