Cyber security

The threats from an ‘Internet of Things’ — don’t disturb my breakfast!

By Phil Packman 

Over the last four or five months I have been really intrigued by the flexibility and the often-highlighted risk associated with various everyday devices going ‘online’.

Initially, my intrigue was sparked by the story of Stuxnet a couple of years ago and the immediate realisation that lots of important, everyday infrastructure is microprocessor-controlled and requires some level of network or PC-based interaction.

More recently, presentations on Smart Metering and intelligent devices have reminded me that as engineers, we are striving to make more things connected; to make life simpler.

As is often pointed out, this greater flexibility and innovation frequently highlights the issue that security often isn’t at the forefront of the engineer’s mind when they meld the wi-fi port to my fridge or toaster, and that sometimes security threats can arise in the most unlikely of places.

The current corporate challenge of patching an estate is often regarded as complex and multi-vendor, but imagine a world with thousands of versions of device, firmware and operating systems which all have to be considered.

The problems and risks associated with the ‘Internet of Things’ are great presentation material at the moment, and I love educating people about threats from network connected environmental controls in data centres and the Stuxnet-type risks to core infrastructure, but how threatening are these risks?

From the work I’ve seen undertaken in the majority of companies, it is often hard for the engineer to ‘connect’ in the course of his day job, and an external attack can seem quite unlikely. On the other hand, clients who rely extensively on automated control systems with remote monitoring can easily see how this risk is very real for them, carrying with it consequences that don’t bear thinking about.

On the positive side, the stories around what it is theoretically possible to do serve to remind people to continuously keep looking at the risks in all walks of their business. I am pleased that, in the few cases I am aware of, though the risks have been proven to be real, they have been highly unlikely or mitigated against.

There is a call out to engineers, innovators and tinkerers everywhere to consider security up front, in the same way that much of the software industry now has security baked into the development process at an early stage. We need to be designing the controls into the hardware as well as the software.

Recently, I watched a story on an international TV channel about a hobbyist who had internet-connected so much of his home that he could control the lights and open doors remotely. The second half of the story went on to show another individual demonstrating how easy it was to connect to personal home security cameras that have inadequate controls or poorly written software. Specifically, he demonstrated how easy it was to open the garage door of a neighbour whose home used an internet-connected door opener.

In the corporate environment, many companies have specific resources and spend time working on identifying these risks and mitigating or removing them, but in the personal world, many hobbyists are oblivious.

You could take a hard line and say that people who play with this technology should be aware of the risks and better protect themselves, but equally, you could argue that these risks breed innovation and that it is unrealistic to have the expectation of adequate security protection for everyone.

As the Internet of Things proliferates, it will raise a number of interesting challenges for organisations and even more for personal users. The final answer is unclear, but it will be a blend of awareness, education, and better security within software and hardware. Whilst it is possible to overstate the risk (audiences love a scary story), in some cases it is very real, in others it can be managed, and in the case of my toaster, all’s well, but please don’t disrupt my breakfast.

Comments

  1. Dave Walker says:

    Very good article; I’ll be recommending it to various folk I know :-).

    Ultimately, it’s a matter of considering the ways in which the potentially-connected device can be misused, and for various devices, whether there are fail-safes which override any commands received over a network. Pragmatism has to rule on this one, but you’ll always need sound threat modelling in both digital and analogue domains.
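
The two design points raised above (a connected device should authenticate what it receives over the network, and local fail-safes should override any network command) can be shown in a small model. The following is an added example written for this page; it is not code from the post, from the commenter, or from any product discussed. The device (a door actuator plus a heater setpoint), the shared key, the obstruction-sensor input and the wire format `json|hex_hmac` are all assumptions constructed for illustration.

```python
"""Added example (not from the original post): a networked actuator controller
that (1) only acts on authenticated commands and (2) applies local fail-safes
that no network command can override.  Device, key, sensor and wire format
are constructed assumptions for illustration only."""
import hmac
import hashlib
import json

# Constructed shared secret.  A real device would have a per-unit key
# provisioned at manufacture, never a constant baked into firmware.
SHARED_KEY = b"example-device-key-not-for-production"

# Physical limits enforced locally, whatever the network asks for.
SETPOINT_MIN_C = 5.0
SETPOINT_MAX_C = 30.0


def sign_command(cmd: dict, key: bytes = SHARED_KEY) -> str:
    """The legitimate controller app: serialise deterministically and append
    an HMAC-SHA256 tag, giving a wire message of the form 'json|hex_hmac'."""
    body = json.dumps(cmd, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_command(message: str, key: bytes = SHARED_KEY):
    """Return the parsed command dict if the tag is valid, otherwise None.
    Anything unauthenticated or malformed is dropped before parsing."""
    body, sep, tag = message.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        cmd = json.loads(body)
    except ValueError:
        return None
    return cmd if isinstance(cmd, dict) else None


class DeviceController:
    """Model of a home device with a door actuator and a heater setpoint.
    The obstruction sensor is a local (analogue-domain) input that the
    network path cannot influence."""

    def __init__(self, obstruction_sensor: bool = False):
        self.door_open = False
        self.setpoint_c = 20.0
        self.obstruction_sensor = obstruction_sensor
        self.log = []

    def handle_network_message(self, message: str) -> str:
        cmd = verify_command(message)
        if cmd is None:
            self.log.append("rejected: bad or missing authentication")
            return "rejected"
        return self._apply(cmd)

    def _apply(self, cmd: dict) -> str:
        action = cmd.get("action")
        if action == "open_door":
            # Fail-safe: the local sensor wins over any remote command.
            if self.obstruction_sensor:
                self.log.append("refused: obstruction detected")
                return "refused"
            self.door_open = True
            self.log.append("door opened")
            return "ok"
        if action == "close_door":
            self.door_open = False
            self.log.append("door closed")
            return "ok"
        if action == "set_temp":
            try:
                requested = float(cmd.get("value"))
            except (TypeError, ValueError):
                self.log.append("refused: bad setpoint")
                return "refused"
            # Fail-safe: clamp to the physical band, so neither an attacker
            # nor a buggy app can drive the heater outside it.
            clamped = min(max(requested, SETPOINT_MIN_C), SETPOINT_MAX_C)
            self.setpoint_c = clamped
            self.log.append(f"setpoint {clamped}")
            return "ok" if clamped == requested else "clamped"
        self.log.append(f"refused: unknown action {action!r}")
        return "refused"


def demo():
    """Three constructed cases: an unauthenticated attacker, a genuine command
    blocked by the local fail-safe, and an out-of-range setpoint."""
    dev = DeviceController(obstruction_sensor=True)
    attacker = '{"action":"open_door"}|deadbeef'  # no valid tag
    r1 = dev.handle_network_message(attacker)
    r2 = dev.handle_network_message(sign_command({"action": "open_door"}))
    r3 = dev.handle_network_message(sign_command({"action": "set_temp", "value": 95}))
    return r1, r2, r3, dev.door_open, dev.setpoint_c


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: authentication decides whether a message is heard at all, and the fail-safes decide whether even a genuine command is obeyed, so a stolen key or a compromised app still cannot drive the actuator into an unsafe state.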

Trackbacks

  1. […] among their customers, Phil Packman, general manager for security enablement at telecom giant BT, said in a blog post. That lack of communications leads to bad designs and missed opportunities to secure their […]
