Published 19/08/2016 | 00:00
The clichéd scenario features the utopian techie genius – a confident extrovert – and his or her dystopian counterpart – a paranoid introvert working in Security – fretting about risk.
"Come with me", says the utopian Wonka, "and you’ll be in a world of pure imagination. A world powered by cloud and mobile and enquiring young programmers like Charlie here, and it will be live tomorrow afternoon". "You want to what now?" asks Dr. No in Security, nervous and full of questions.
A very long conversation begins. But in the IT world, there are qualifications and rules and policies and standards, a lot of best practice and a growing maturity around the governance (and budget) needed to keep you secure enough.
The complex IoT ecosystem
In the Internet of Things world (also known as 'the world' before it was rebranded) it's more complicated. Devices and sensors combine with software and connectivity, making the operational services in the physical world powerfully programmable – and not just socks that pause Netflix when you nod off.
The IoT value chain is complex. The interdependencies between the different actors building and using IoT services will be amorphous. The level of trust an actor deserves is unclear in the absence of standards and validation. Even the most conscientious developer will write bugs or, as has been seen recently with mobile battery-level checking, ship a software feature that can be used for unintended and intrusive purposes. The race to market and the potentially transient nature of players, in line with the boom or bust of a fast new industry, will leave junk and rust within the IoT ecosystem: abandoned or co-opted devices and poorly managed web services, presenting an ever-increasing combination of new toys for making mischief. There's a sample of this in a Texas project that uses drones to snort up information on vulnerable IoT devices.
Think of the citizens
For the citizen, the stakes are high. Cyber-attacks on IT are of course damaging, costly and inconvenient to the online aspects of our lives. Cyber-attacks on Operational Technology, on the other hand (water and electricity services or transport infrastructure, for example), impact real automated things in the world. As smart city and smart town initiatives look to improve the quality of citizens' lives through automation, orchestration and monitoring, the surface exposed to cyber-attack extends as a consequence.
Consider the example of a wireless vulnerability that led to the recall of 1.4M Fiat Chrysler cars, where steering control can be taken away from the driver.
Consider medical device hacking, which makes such devices a vector for assassination. A Homeland Security report concluded that 300 medical devices made by 40 companies had unchangeable passwords that could allow someone to log in and change critical settings. A medical device becomes a weapon, aimed at one or all who benefit from it.
Consider 'smart' devices as more ammo in the construction of botnets, with a refrigerator used as part of a spam attack, according to a Proofpoint report.
Walking the fine line between technological advancement and security
Hoping everyone in the value chain is responsible, competent and lucky is not a strategy. In his excellent report for the Department of An Taoiseach, 'Getting smarter about smart cities: Improving data privacy and data security', Prof. Rob Kitchin notes not only the need for security by design, where security is built into systems from the outset, but also the ongoing commitment needed to ensure cybersecurity for the full life cycle of enduring systems. He proposes a multi-pronged approach, blending market, technical, governance and management, policy, regulatory and legal solutions: a lot of stakeholders and competing interests. The challenge, as Kitchin summarises it, is to "chart a path that is neither so luddite that no developments can occur, nor too boosterist or scare-mongering that fundamental values…are sacrificed".
The Dr. No and Wonka conversation continues. I’m looking forward to hearing better discussions from the experts at the InfoSec Conference on November 15th.
Andy O’Kelly is Chief Architect at eir Business. In that role Andy provides vision and direction on emerging business and technology trends, and promotes eir solutions to key customers. You can read more of Andy’s blog posts on the eir Business blog https://business.eir.ie/blog-author/andy-okelly/