There’s a connected device tsunami coming. Everything from light bulbs to refrigerators to cars to industrial control systems are increasingly becoming Internet connected. Many are under the impression that this “Internet of Things” is primarily a consumer security and privacy issue. Turns out, it’s not. But what precisely will the Internet of Things mean to enterprise security managers and CISOs and how they protect their organization’s infrastructure and information?
The upcoming panel at the Qualys Security Conference, held this week in Las Vegas,- Refrigerator Spam and Other Tall Tales: Assessing the Real Internet of Things Risk for Your Organization – will aim to provide some answers. This expert panel moderated by Paul Roberts, Editor Security Ledger, includes panelists Chuka Eze, principal, Xipiter LLC; Chris Rezendes, president, INEX Advisors; Jonathan Trull, chief information security officer, Qualys; and Danny McPherson, senior vice president and chief security officer, Verisign. The panels will discuss how to spot and mitigate all of the associated risks surrounding IP-enabled things.
We caught up with Paul Roberts shortly before the show, to get a better sense of what will be discussed, and his view on the Internet of Things and enterprise security.
George: This promises to be a very interesting panel, Paul. Can you share a little about what you hope to discuss about the Internet of Things?
Paul: It’s a really great panel. The Internet of Things is this monolithic term that we in the media and marketing departments use to paint this trend with a very broad brush. It really is a bunch of different constituent technologies, some of which aren’t really new at all. Examples are embedded devices, or the cloud or sensors networks.
I think what’s new is the application of all of those things together and the big data analysis piece of it that is potentially creating a lot of value for companies. One of the things that’s going to come out of the panel is that there are a lot of industries and verticals that have been doing Internet of Things for a long time, including manufacturing, healthcare, and other industries. They’re kind of far down the road on this.
The “enterprise” is not yet, but you’re going to see the waves of the Internet of Things to start to wash over even rank and file enterprises. The question is how is that going to happen. I think there are a few different contexts or scenarios by which enterprises are really going to be forced to address Internet of Things and make it a part of their overall IT security program.
George: What are some of the technologies in place today that could easily become part of the IoT?
Paul: One of those that I think we’re going to talk about is technologies or applications like building automation, which includes everything from environmental control, HVAC controls, that are going to become increasingly smart, increasingly hooked up to remote management, cloud-based management system. Those have huge cost savings for building management companies, for the real estate owners or, if the company is in it’s own building, for the company itself. There’s a huge advantage to them.
There’s a huge intersection of building automation with Internet of Things. Everything from door locks to, again, HVAC systems to security. My sense is most companies these days don’t have a firm grasp on the systems that run the buildings in which their company’s located or the connections between those systems and potentially their own network.
We know with the Target hack, it came by way of a compromised account at a subcontractor that was involved with the HVAC and the maintenance of the environmental controls. I think that’s kind of a canary in the coalmine type of situation. I think building automation is one area where even if the company is not going headlong into the Internet of Things, Internet of Things security could really become an issue that the company needs to consider or be aware of.
George: It sounds to me that a lot of Internet of Things devices could creep onto enterprise networks in a very uncontrolled way, much like BYOD and mobile devices caught many enterprise security teams off guard.
Paul: I’ll give you a great example. I chaired a panel at an event in Boston a few weeks back called the Connected Cloud Summit that Jeff Kaplan runs. There was a gentleman on another panel — he wasn’t on my panel — but he was an executive at a small, Massachusetts-based company. It’s a family owned company. It’s been in his family for generations. This company is actually one of the leading manufacturers of commercial valves, particularly valves that are used as pressure valves in fire extinguishers and things like that.
He basically said, “Our valves are on two-thirds, three-quarters of all the fire extinguishers sold in the United States. I can look over in the corner of that room and that fire extinguisher there has got our valve on it.” That company is moving headlong into Internet of Things because they want those valves to be able to communicate up to either a larger building management system or potentially even to the cloud to a central management system to provide diagnostic information.
Now, are those wires going to be communicating using encrypted communications? Are they going to be subject to man-in-the middle attacks or wireless attacks that you and I have been writing about? That’s something that that company needs to deal with. If they don’t address it properly, then you’ve got all of these cool wired fire extinguishers in these buildings that are potential stepping-stones to attack.
That is one scenario. It’s not a problem today, but looking forward 5 or 10 years, you can do the math and see how a they’re a fire suppression system, whether they are a physical access system, having that type of connectivity, that type of diagnostic and reporting and remote management capability, those are all going to become potential gateways to sensitive assets and sensitive data.
George: When it comes to medical and industrial devices, security vulnerabilities that end up shipping into the field could not only pose serious security challenges, but also be much more difficult to patch and remediate when necessary.
Paul: Right. Then the question is are those same things being designed securely, deployed securely. The answer is we don’t really know. The FDA just issued this whole guideline to medical device makers. If you want us to approve your medical device, you need to deal with cybersecurity. You need to show us that cyber attacks are part of your testing and design that these things are secure and resilient, that you have the capability of updating their software and doing so securely with signed updates and so on.
That’s awesome because there’s the FDA that can be a gatekeeper and say, “You need our stamp to sell this device in the US, and if you want our stamp, then you need to meet this standard.” There is no such government requirement for so many other things — for door access systems, fire suppression systems, security cameras, what have you. It’s going to be up to either industry to self-regulate, or it’s going to be up to customers to demand it or the government’s going to have to assume some broader regulatory mandate.
There are existing systems for vehicles and transportation. Existing regulatory bodies for critical infrastructure for vehicles and transportation, for medical devices, but obviously there are huge parts to the economy that aren’t regulated that way.
And whether it’s government mandated or the industry self-regulates, it is becoming clear that companies are going to need to manage those in the same way that they manage their existing IT assets. Like Microsoft has long said: secure in design, secure in deployment, secure in access.