We probably see 5-10 Internet of Things (IoT) security posts or news feeds every day. I read one last week that said that “real IoT security is over 10 years away.” The article was an account of a panel discussion between experienced security experts, so their analysis was a downer for someone like me who believes that the IoT has so much potential in everyday human endeavors. Panelist Eugene Kaspersky summarized the problem from the point of view of critical infrastructure security: “I am waiting for any government to introduce a cyber‑resilience strategy.” But then he later added: “Lawyers are late and regulators are late. Government regulators typically take 10 years to recognize a problem.”
Hopefully we will not have to wait for the government to solve our problems when it comes to security and IoT. I recommend Blake Ross’s recent security post as one review of the implications of that expectation. Ross’s article points out that security can be a paradox – solving one problem can create another. I’m okay with paradoxes that merely threaten the life of Schrödinger’s cat or provide humorous dialogue for Alan Arkin in Catch-22. But I am not comfortable with waiting a decade, or with unanswerable questions, when it comes to security.
So I spoke with Todd Carpenter, Chief Engineer and co-owner of Adventium Labs, an R&D firm at the leading edge of critical systems engineering and cyber-security. Todd’s areas of expertise include engineering high-value, real-time, fault-tolerant, secure systems in space, military and commercial avionics, medical, and petrochemical domains. He leads Adventium's risk assessment and management services, which evaluate, and teach how to evaluate, security risk for cyber-physical systems and products in medical, avionics, and industrial domains. Adventium was recently awarded a $2.2M cyber-security contract by the Department of Homeland Security to “produce a cyber-physical architecture that has safety and security monitoring functions in support of DHS S&T cybersecurity division’s larger Cyber Physical Systems Security program.” Todd received the H.W. Sweatt award at Honeywell for his work on the master scheduler used in the Boeing 777 Avionics. He understands critical systems design, assurance and security at a level shared by very few. Not surprisingly, Todd is a skeptic when it comes to IoT security.
Accountable to an appropriate balance
SN: I believe that the IoT can create great value if it is balanced against reasonable risk and I believe that we have the tools necessary to achieve this balance. Clearly the more critical the application, the more robust the security required. As a case in point, if the FBI has to force Apple to show them the data from your iPhone, then the technology exists to create the right balance. Todd, you see it differently. What am I missing?
TC: I recently read the report on the Deepwater Horizon, the tragic undersea oil rig blowout in 2010. This paragraph from the summary pretty much sums it up:
“Analysis of the available evidence indicates that when given the opportunity to save time and money – and make money – tradeoffs were made for the certain thing – production – because there were perceived to be no downsides associated with the uncertain thing – failure caused by the lack of sufficient protection. Thus, as a result of a cascade of deeply flawed failure and signal analysis, decision-making, communication, and organizational - managerial processes, safety was compromised to the point that the blowout occurred with catastrophic effects.”
My interactions with the business community lead me to believe this attitude is unfortunately the norm. I’ve heard, “Our financial responsibility is to the shareholders. We don’t pay for it [lack of security], so it is not a consideration.” In other words, the risks are external. Brand value is one way that companies do pay for the externalities and some companies recognize its importance.
But the way your question is phrased actually highlights the issue:
"I believe that there is great value balanced against reasonable security risk."
What you are missing is that the value to risk ratio is not perceived the same way by all stakeholders. In particular, less responsible companies create value for themselves and manage their own risk rather than the value/risk ratios of their consumers and unfortunate bystanders. Responsible companies in an appropriate regulatory environment manage both. The avionics community, for instance, and international aviation commission manage risk to workers, passengers, and the innocent bystanders on the ground underneath the flight paths.