CTB Panel of Experts: cloud security
With the help of our Panel of Experts, CTB looks at the growth of the Internet of Things and the potential benefits and pitfalls of connected devices
Much is made of the incredible transformation potential of the Internet of Things (IoT), but in many ways it’s simply an extension of the original network. Gartner suggests that there will be 20.4 billion connected devices by 2020. Connected devices are now everywhere, from home appliances and cars in the domestic setting, to industrial controls, body worn sensors and security systems for business - even in the defence sector. It’s not just the smart thermostats and light bulbs you might use at home: field operatives are using increasingly intelligent wearable devices to monitor activity like drawing a weapon, and body cameras are one of the most talked about changes in civilian defence. However, just as BYOD left many organisations with new vulnerabilities, so do the sensors and remote devices that make up the IoT.
Gabe Chomic outlines a ‘cynical and plausible’ scenario to outline the idea of framing IoT as a technology that multiplies the potential of human achievement or fallacy. Consider walking down the road to your local station, pulling the alarm and watching the chaos as the alarm blares and the staff try to validate it before they have to evacuate.
Tomorrow, the same person could pull the same stunt, but the systems could identify the location the smart switch was pulled, pull the location from the CMDB, access the local CCTV and give the control room a good view. The trained operators present could handle the situation appropriately. More likely, the moment that alarm is tripped, alerts go out to all neighbouring alarms in the Community Metro Network (CMN). Approximately half of those alarms are miscalibrated, including some internal ones in the station, and the ensuing cascade failure state escalates. Unfortunately the CMN is only lightly staffed nowadays. The station is evacuated, authorities of various calibre called in and the alarm system operator given a firm talking to. Nothing more can be done as this type of failure is not covered under standard contractual terms.
Good design, security-focused or not, should be able to prevent something like the above from happening. But it should also be able to prevent it from happening today. Today, security failure is rife - as the latest breach headline will testify.
A bit of both?
As Gabe Chomic points out when we posed the Security Risk or Brave New World question to ISSA UK, you cannot pigeonhole a class of technology into the mental frame of security, no matter how polarising the question. With the IoT as much the result of the evolution of technology as information security itself, the two must be viewed in balance - ‘IoT is both a security risk and a pathway to a brave new world’.
Lets look first at the tangible benefits - potential innovation, alternate technological applications, the very concept of cross-trust machine-to-machine negotiations. We can now gather vast volumes of rich new data in real time, improving our ability to make informed decisions and even immediately react through direct control of connected devices. In fact, as Simon Daykin suggests, we are now at a point where open source operating systems, IP networking hardware and the computing processing capacity is so ubiquitous, stable and low cost it can easily be technically integrated into virtually any system with minimal impact on price.
On the flip side, whilst the hardware and software cost is insignificant, the critical factor, often stressed by companies such as Leidos, is recognising the investment required in securing the system and the application. Modern IoT technology is often based on the same highly capable and secure underlying software as our mission critical systems; however, the pace of implementation, the time-to-market pressure and the less rigorous engineering processes often mean security is not considered properly and the secure capabilities are not included.
Paul Parker agrees, highlighting that, just as BYOD left many organisations with new vulnerabilities, so do the sensors and remote devices that make up the IoT. Virus protection and network monitoring are critical and Parker says that defence organisations should look at whitelisting or blacklisting devices in line with what they’re required to do.
Realistically, the risk from an IoT device is quite limited. If a hacker has control of the Ministry of Defence thermostat, they might be able to make the office environment quite uncomfortable, but they won’t necessarily be able to access server files. The most significant risk comes from IoT devices being used as botnets - and this can also be mitigated. But how can this be done?