Thinking About How to Secure the Internet of Things (IoT)

Linda Musthaler
By | August 08, 2013

Posted in: Network Security Trends

Michael Cooney of Network World published a semi-silly article about malware affecting smart toilets that run the Android operating system. (See Just when you thought it was safe to go to the bathroom – toilet malware strikes.)

The article reports that TrustWave SpiderLads issued a security bulletin to warn users of the software-controlled toilet that miscreants could take command of the Satis brand toilet and make it flush repeatedly, open or close the lid, or activate the bidet or the air-dry functions—all of which could cause discomfort or distress to the user.

Potty humor aside, this warning seems a bit frivolous until you consider that this model toilet is one of the early players in the Internet of Things (IoT). What if we took the scenario and modified it a little, so that instead of a toilet, the “thing” is an implanted pacemaker, and instead of the malware causing the toilet lid to open and close indiscriminately, it is a heart valve being made to flutter? Not so funny anymore, is it?

The Internet of Things is still in its infancy. If we compared it to the personal PC era, we’d still be in the early days of the IBM PC back in 1981. John Pescatore, Director of Emerging Security Trends at SANS Institute thinks this is the perfect time for IoT developers to think about embedding security into personal medical devices, automobiles, manufacturing systems, home thermostats, and even smart toilets.

Pescatore is pulling together a SANS summit on Securing the Internet of Things. It will be October 22, 2013 in San Francisco, scheduled to precede the somewhat related Healthcare Cyber Security Summit.

“When we went from the mainframe to the PC, the way we secured the mainframe didn’t work on the PC,” says Pescatore. “As we have gone from the PC to the smart phone and tablets, the way we secure PCs doesn’t work on those devices. And soon we will run into the problem of having to come up with a new way to secure thermostats and medical devices and automobiles. This is the impetus for SANS having this summit on securing the Internet of Things. There have been other summits about the connectivity and the benefits of the Internet of Things, but the idea here is to highlight the security issues and also to bring together a lot of people to start the dialogue about solutions.” Pescatore says it’s not just a matter of mobile device management that we are rolling out for smart phones being adapted for thermostats and pacemakers.

When you consider the millions of types of “things” that will eventually be a part of this grand network, you get a sense for how vast the issue of security is. In fact, forget about security for just a moment and think about connectivity and communication. “What we’re seeing happening now is pretty much what we always see when there is a new wave of technology,” says Pescatore. “Remember back before everything was TCP/IP? We had DECnet, SNA and a dozen other protocols that were proposed. That’s the stage where the communications side of this Internet of Things is right now. There are different groups proposing protocols and ways to communicate so we can discover these devices.”

Identity and trust of the “things” will be critically important. “Think of all the problems we have today with identification of people,” Pescatore says. “How do you really know that I am ‘John Pescatore’ on the Internet? It’s horrendous with people, and when you start thinking about how to really know that this is ‘John Pescatore’s thermostat’ or that this is ‘John’s wife’s car,’ the magnitude of the challenge becomes apparent. In order for those things to communicate, they first have to register onto the wireless data network and that is an area where identity for the Internet of Things is very likely going to be driven by the wireless data carriers.”

On the security side, Pescatore thinks it’s important that we consider what we learned from previous computing platforms such as the PC and mobile devices. What can we do differently in trying to secure the Internet of Things? How can we avoid the problems we had in the past? “Think about when the Windows PC first came out,” suggests Pescatore. “What if Microsoft had said you can only run software that Microsoft says is okay? But that was impossible. The market never let that fly. Then decades later when the iPad came out, Apple said you can only run software on the iPad that Apple says is okay. For the most part, the market accepted that decree. That is an example where Apple is doing security very differently and in some ways better than the previous generation of computing devices. So when we start looking at thermostats and other things, we have to consider what things can be done so that we have some best practices or guidelines that can be done in the building of these things to incorporate security.”

For example, Pescatore wonders what could be built-in on the hardware side to enable encryption so that any data stored on any of these things is always encrypted? “We could be starting with better security baked in if we went straight to hardware-based security rather than letting this take years to develop, as it did on the PC,” he says.

The SANS summit is designed to bring together the architects, solution developers and even the venture capitalists that all have a strong interest in securing the IoT. Keep in mind that this effort is in its infancy. Attending the summit could be a bit like brainstorming with Steve Jobs and Steve Wozniak as they designed their first Apple I computer in the late 1970’s. Wish I had been there!

You May Also Be Interested In: