Gaining awareness of devices residing on corporate networks is the first step to building a viable security architecture for the internet of things. The problem? Most CIOs don’t know what’s on those networks.
But CIOs often aren’t aware of all of the devices that make inviting targets for hackers. “One of the fundamental issues that faces the internet of things is knowing that they’re there and giving them some identity,” says Gartner analyst Earl Perkins. “You can’t manage what you can’t see.”
Factor in the hiding-in-plain-sight machines and BYOD devices, as well as emerging technologies that control office light fixtures, temperature and even window tint, and it’s easy to see how vetting what’s on the network will only get harder for CIOs. Securing the internet of things is a primary focus of this week’s Black Hat USA conference, whose organizers told the Wall Street Journal that they received 50 proposals for seminars related to infiltrating devices, including how a computer worm could spread through smart lightbulbs, how to hack medical systems, and a new kind of ATM skimming device.
Matt Kraning, CTO of security software startup and DARPA spinoff Qadium, says CIOs are focusing on locking down devices operating on the network as a result of BYOD policies while the mundane teleconference systems are ignored. There are tens of thousands of such unified communications and collaboration systems installed in executive boardrooms around the world. These systems use dated protocols, such as Session Initiation Protocol (SIP), aren’t encrypted and are rarely kept current on patches.
Imagine this scenario: The entire C-suite huddles with the board for their quarterly meeting. The IP-enabled video conferencing system doesn’t work so they call IT in. Turns out the system was properly blocked by the corporate firewall, consistent with corporate policy. But rather than cancel the meeting, the execs order IT to break through the firewall to get the system to work. The big no-no occurs when the IT team doesn’t put the firewall back around the equipment, leaving the system open to an enterprising hacker who may eavesdrop on executive meetings.
“They grew up when the phone was just a phone,” Kraning says of executives who don’t realize the threat that such systems pose. “Most have no insider awareness of IoT and that persists the myth that the problem is not already here.” He says mail servers are also potential threat vectors.
IoT security: a victim of market economics?
The enterprise is naturally only a subset of the broader world – one in which the increasing drumbeat of connected devices poses an even greater threat. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016 and will reach 20.8 billion by 2020. Protecting those devices, from smart cars to smart hot water heaters to smart TVs, remains a big problem partly because of a misalignment of economics, says security expert Bruce Schneier.
PCs and cell phones churn every 18 to 24 months, so the companies that produce them have a financial incentive to constantly refine the security of those devices. But people replace cars every 10 years, refrigerators every 20 and thermostats “never,” says Schneier. “There exists no mechanism to patch them because it’s not economically viable for third parties,” Schneier says.
The problems will mount as new devices emerge and they, along with the sensors and software used in conjunction with them, get cheaper and last longer. “You don’t have the same ecosystem of upgrade in terms of patching, devices and operating system — none of these things that in a computer world makes them better,” Schneier says. “When your furnace becomes part of the IoT and they say you have to replace the hardware on your furnace every two years… people are not going to do it.”
Assigning fault also plays a big hand in the complex market dynamics. When a perpetrator infiltrates a network through a software vulnerability, we point to the flawed software. But with connected devices forming what is essentially a digital daisy chain, it is difficult to attribute fault. “If your refrigerator interacts with your router and hacks your Google account, whose fault is it?” Schneier says. “The market economy actually works against securing IoT.”
Such security threats can snowball quickly, as Schneier wrote in a blog post last week: “Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The internet of things will make exploitable vulnerabilities much more common.”
An IoT security model
Qadium is tackling the IoT security problem with “global internet sensing” software that scours hundreds of terabytes of data generated by devices configured by a given organization. It indexes a hundred different protocols, calls out to all of the devices that reside on a customer’s network and gauges their responses for anomalies. It finds dark spaces in corporate networks CIOs didn’t even know existed.
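The discovery-then-triage idea described above, and the unencrypted, unpatched SIP conferencing gear Kraning warns about earlier, can be illustrated with a small audit over constructed data. This is an added example, not Qadium’s software or any real network: the inventory, discovery results and dates are all invented, and the finding labels are assumptions.

```python
from datetime import date

# Constructed sample data (not from Qadium or any real network).
# What the CIO's asset inventory says is on the network, keyed by IP.
INVENTORY = {
    "10.1.5.10": "mail-gw-01",
    "10.1.7.20": "boardroom-vc-01",
}

# Constructed discovery results: what actually answered, the protocol it
# spoke, whether the transport was encrypted, and the patch date it reported.
DISCOVERED = [
    {"ip": "10.1.5.10", "protocol": "smtp", "encrypted": True,  "patched": date(2016, 7, 1)},
    {"ip": "10.1.7.20", "protocol": "sip",  "encrypted": False, "patched": date(2014, 3, 9)},
    {"ip": "10.1.9.33", "protocol": "sip",  "encrypted": False, "patched": date(2013, 11, 2)},
    {"ip": "10.1.4.4",  "protocol": "http", "encrypted": True,  "patched": date(2016, 6, 20)},
]

# Constructed "today" so the example is deterministic.
TODAY = date(2016, 8, 3)


def audit(inventory, discovered, today, max_patch_age_days=365):
    """Return (ip, finding) tuples for devices needing attention.

    'unknown'          -> answered on the network but absent from inventory
    'unencrypted-sip'  -> SIP endpoint without an encrypted transport
    'stale-patch'      -> reported patch date older than max_patch_age_days
    """
    findings = []
    for d in discovered:
        ip = d["ip"]
        if ip not in inventory:
            findings.append((ip, "unknown"))
        if d["protocol"] == "sip" and not d["encrypted"]:
            findings.append((ip, "unencrypted-sip"))
        if (today - d["patched"]).days > max_patch_age_days:
            findings.append((ip, "stale-patch"))
    return findings


def run_audit():
    """Run the audit over the constructed data with the constructed date."""
    return audit(INVENTORY, DISCOVERED, TODAY)


if __name__ == "__main__":
    for ip, finding in run_audit():
        print(f"{ip:12} {INVENTORY.get(ip, '<not in inventory>'):22} {finding}")
```

The two SIP systems are flagged twice each, and one of them was never in the inventory at all; that combination is the “dark space” a discovery pass is meant to surface.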
“We look at the entire internet perpetually and turn it into an analytics challenge,” Kraning says. The goal is to say, “We know where all devices of interest to a company are.” Qadium’s customers include the U.S. Cyber Command and the Navy.
According to Perkins, who says Qadium competes with Bastille Networks, Great Bay Software and ForeScout Technologies, such technologies play a useful role in helping CIOs discover what’s on what he calls the “network of entities.” However, the challenge doesn’t end there. A second set of technologies is required to isolate and neutralize malware or other network incursions. Securing connected devices, he says, requires a multi-layer approach that involves providing the proper policy enforcement for existing devices and those that will come onto the network in the future. This is no trivial task.
“We’ve reached an era in computing now where we are able to project a pervasive digital presence into the edges of business and into the edges of life — on the human body, in the human body, in the house, in the car,” Perkins says. Gartner estimates spending on security technologies to protect the Internet of Things will top $840.5 million by 2020.
What does the future of IoT security look like? Schneier, who has closely watched the cybersecurity market evolve over the last three decades, says the federal government must provide regulatory oversight into cybersecurity by establishing a new federal agency – ideally a Department of Technology Policy – to regulate the industry, similar to how the FCC was created to regulate airwaves and the FAA guides airlines. For now, Schneier says the government remains woefully behind on IoT awareness.
Yet Schneier remains cautiously optimistic about the industry’s chances to solve the complex challenges – like it always has – over time and through trial and error. The solutions “will be like everything we do in computer security to date — a hodgepodge of things that work pretty well,” Schneier says. “We’ll muddle through, screw it up and get better.”