Every once in a while, two events serendipitously occur that highlight the consequences of not paying enough forethought to a security issue that could have devastating consequences.
At the Black Hat USA 2016 conference it was once again shown how vulnerable connected cars are to being hacked. At the conference this week, Charlie Miller and Chris Valasek once again demonstrated how they could seize control of a Jeep Cherokee; except this time at a much higher rate of speed.
As a highly visible instance of the potential of the Internet of Things (IoT), the connected car has emerged as a widespread initiative involving technology leaders such as Google and IBM to automotive giants such as Ford and BMW.
Connected cars are arguably just one of many such initiatives. Interest in IoT projects is up across the board. Unfortunately, history has shown that security is often an afterthought when it comes to pursuing the latest in IT innovation. That’s why the publication this week of guidelines as it pertains to the “Networks of Things” by the National Institute of Standards and Technology (NIST) is so timely. The document comes on the heels of the release of an emergency cybersecurity response plan by the White House.
Both documents make it clear that IoT security is about both technologies and processes. Everything from the sensor and the communications channels employed to the backend infrastructure where data resides is in one way or another vulnerable. While technologies such as firewalls and encryption are clearly crucial in making IoT deployments secure, organizations also need to make sure they have processes in place to ensure those IoT deployments remain secure. After all, cybercriminals have shown time and again how patient they really can be.
Of course, the bigger issue is what’s at risk in many of these IoT deployments. It’s one thing to have data stolen; it’s quite another matter altogether when lives are potentially lost. That potential danger goes way beyond hijacking connected cars. Critical infrastructure spanning everything from air traffic control systems to the electric grid are at risk. The more these systems become part of the “Industrial Internet” revolution the more they become high value targets for both cybercriminals and cyberterrorists.
Alas, it’s probably only a matter of time before there’s a catastrophic event relating to an IoT security issue. Many of the operations people that specialize in embedded systems have always had a healthy respect from security. But as more of the devices and systems they manage find themselves attached to IP networks there will be confusion over who on the operations and internal IT teams is responsible for what.
Naturally, whenever there is confusion over roles, it’s not uncommon to see responsibility for security to fall between the proverbial cracks. Most organizations would be well advised to address IoT processes before actually trying to build and deploy anything. But more than likely such an approach is likely to prove to be the exception rather than the rule. Many organization are already building IoT proof-of-concepts (PoCs) that don’t address fundamental security issues.
In the meantime, the good news is there is likely to be more demand for security expertise than ever. The bad news, of course, is that the attack surface that needs to be defended is about to get a whole lot wider.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.