Dealing with “The 5 Indisputable Facts of IOT Security”


10 August 2017
Cybersecurity groundhog day

How do you flash a software update on somebody’s implanted medical device? What if a squirrel makes off with your sensors? These are some examples of issues that we will have to deal with as we grapple with IOT (Internet of Things) security. And we will need to apply lessons from the past in order to avoid a “cybersecurity groundhog day”. 

Speaking at RSA Conference 2017 in Singapore recently, Diana Kelley, global executive security advisor with IBM Security, highlighted what she called “The Five Indisputable Facts of IOT Security” and how these need to be thought through as part of a “secure-by-design” approach to building or procuring future systems.

Fact #1 is that IOT devices will operate in a hostile environment. “You have to take into account physical considerations because you will have IOT systems out there that a squirrel could grab, or it could get rained on,” said Kelley, as she highlighted the need for IT people to talk to their counterparts who are handling physical security. 

Fact #2 is that software security will degrade over time, which is the good old patching issue. “But how do you patch a car? Send a USB stick to the owner? Call them in to have their car upgraded? Or how do you flash a software update on somebody’s implanted medical device?” Security professionals will have to carry out their own assessment and figure out how to do this because over time, there will be a need for software upgrades, she said.

Fact #3 is that “shared secrets do not remain secret”. Kelley cited the example of the Dyn attack, which was accomplished in large part because of “shared secrets” – the fact that many IOT devices ship with the same default password. “Any device from that manufacturer of that model will have that shared default password, so what implications does this have on security?”

Fact #4 is that “weak configurations will persist”. “If you ship something in an insecure state it will stay insecure because most of us don’t lock down our assets, don’t lock down our systems.”

Fact #5 relates to the privacy issue. “What are we going to do about data and privacy and how we protect that information?” But there are lessons from the past that can be applied here, such as lessons surrounding the protection of data in transit. “We know how to protect data in transit, yet a lot of systems send data in the clear.”
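Facts #3, #4 and #5 describe a device as it leaves the factory: a password shared by every unit of the model, cleartext services left enabled, telemetry sent unencrypted. The following Python is an added illustration, not code from the talk or from any vendor, of what a “secure-by-design” check on a shipped configuration looks like: it audits a constructed configuration for those three weaknesses, then produces the corrected configuration for the same unit, replacing the shared default with a credential unique to that unit. The model name, default credentials, factory key and configuration fields are all constructed for the example; the HMAC-based per-unit derivation assumes the factory key stays in the manufacturer’s provisioning system and is never placed on the device.

```python
"""Added example: a 'secure-by-design' audit of a shipped IOT device config.

Covers Fact #3 (shared defaults), #4 (weak configurations persist) and
#5 (data in the clear). Model names, defaults and configs are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field, replace

# Constructed: the credentials a hypothetical model ships with. A real audit
# would load these from vendor documentation or a default-credential list.
KNOWN_DEFAULTS = {
    ("acme-cam-200", "admin"): "admin",
    ("acme-cam-200", "root"): "1234",
}

# Services whose protocols carry credentials or data unencrypted.
CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}


@dataclass
class DeviceConfig:
    model: str
    serial: str
    accounts: dict = field(default_factory=dict)   # username -> password
    services: dict = field(default_factory=dict)   # service -> enabled
    telemetry_tls: bool = False                    # is telemetry sent over TLS?


def audit(cfg: DeviceConfig) -> list:
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    # Fact #3: a default shared by every unit of the model is a shared secret.
    for user, pw in cfg.accounts.items():
        if KNOWN_DEFAULTS.get((cfg.model, user)) == pw:
            findings.append(f"shared default credential for '{user}'")
    # Fact #4: whatever ships enabled tends to stay enabled.
    for svc, enabled in cfg.services.items():
        if enabled and svc in CLEARTEXT_SERVICES:
            findings.append(f"cleartext service enabled: {svc}")
    # Fact #5: data in transit must be protected.
    if not cfg.telemetry_tls:
        findings.append("telemetry is sent in the clear")
    return findings


def per_unit_password(factory_key: bytes, label: str) -> str:
    """Derive a credential unique to one unit (HMAC-SHA256 over a label).

    Assumption: the factory key lives only in the manufacturing system, so
    knowing one unit's password or serial reveals nothing about another unit.
    """
    tag = hmac.new(factory_key, label.encode(), hashlib.sha256).digest()
    return tag.hex()[:20]   # 20 hex chars = 80 bits, enough against guessing


def harden(cfg: DeviceConfig, factory_key: bytes) -> DeviceConfig:
    """Produce the corrected configuration for the same unit."""
    accounts = {
        user: (per_unit_password(factory_key, f"{cfg.serial}:{user}")
               if KNOWN_DEFAULTS.get((cfg.model, user)) == pw else pw)
        for user, pw in cfg.accounts.items()
    }
    services = {svc: (enabled and svc not in CLEARTEXT_SERVICES)
                for svc, enabled in cfg.services.items()}
    return replace(cfg, accounts=accounts, services=services, telemetry_tls=True)


# Constructed sample: how one unit leaves the factory today.
SHIPPED = DeviceConfig(
    model="acme-cam-200",
    serial="SN-000123",
    accounts={"admin": "admin", "root": "1234"},
    services={"telnet": True, "https": True, "ssh": False},
    telemetry_tls=False,
)

if __name__ == "__main__":
    key = b"constructed-factory-key-never-on-device"
    for finding in audit(SHIPPED):
        print("FINDING:", finding)
    fixed = harden(SHIPPED, key)
    print("after hardening:", audit(fixed) or "no findings")
```

Run as a script it reports four findings for the shipped unit and none after hardening. The per-unit derivation is the point of the example: because each unit’s credential depends on its own serial, the leak of one unit’s password no longer compromises every device of that model, which is exactly the “shared secret” failure Fact #3 describes.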

And so these lessons are forgotten and enterprises are condemned to make the same mistakes over and over again.

Kelley pointed out that the number 1 attack vector on web sites last year – SQL injection – is almost 20 years old. And some of the biggest attacks of the past few months, like WannaCry, Petya and NotPetya, could have been prevented, or their impact mitigated, by techniques that have been around for a long time: patching; using virtual machines that can be taken down and reloaded if someone locks up the system; doing backups; or carrying out network segmentation.

“These are all things from the past that could have helped us,” said Kelley. “We can’t predict the future, but there are certain things in security, in data hygiene, in network hygiene, that will enable us to avoid cybersecurity groundhog day.”