One thing about the computer industry – we use acronyms, and lots of them. The one that’s been generating the most buzz lately is IoT, or the Internet of Things. As you’re no doubt aware, IoT refers to the network of objects embedded with electronics, software, sensors and connectivity.
The phrase IoT is a relatively recent addition to the popular lexicon. But the issue of securing the identities of very large collections of connected systems is certainly not new. It’s been with us for decades. This security challenge is as close to you as your Internet connected routers, cable boxes, power meters, and environmental/security control systems. And that means the big question is now this: who is responsible for the security of these devices?
For example, if any of these critical devices should be melted down by a cyber attack (by erasing or corrupting the firmware), who should be accountable for bringing them back up? And how would your life be impacted if your Internet, power and cable were all suddenly knocked out?
Recently, we all got a wake-up call from well-publicized incidents involving Insteon and Chrysler. These hacks may seem like anomalies. The true story is that the lack of automated patching of embedded systems, and generally lousy IT security services for public IoT systems, is an epidemic. It has the potential to make life miserable in ways that were seldom considered only a decade ago. Perhaps we should begin referring to IoT as the Insecurity of Things.
What’s the Solution to IoT Security Vulnerabilities?
In my opinion, it’s time for the federal government to step in and provide guidance on safety issues, such as Internet connected cars. Automobiles should be required to keep critical systems like the engine, braking and steering electrically isolated from publicly connected systems.
This is the same class of problem that surfaced when a hacker connected to the flight control system on a plane by hooking his laptop into the entertainment system under his seat. Lesson: systems isolation and protection from unauthorized modification is not an option; it’s a hard non-negotiable requirement for all critical infrastructures.
Nothing that could affect the safety of human beings should be connected to the Internet unless significant security investments are made in network connectivity design and infrastructure.
As to the existing large infrastructure of insecure systems? I propose that the infrastructure owners sit down with their vendors and insist that the next wave of hardware updates implement secure and remote patching by design. I would also stress the necessity of managing privileged identities within those devices.
Here’s another suggestion. Those who resell IoT-based hardware should ask their vendors serious questions about patching strategies. The resellers should demand to see penetration testing reports of devices before carrying a vendor’s goods.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.