With Internet of Things Security, Small Attacks Could Have Big Consequences
When talking to Peter Tran about IoT security, you are bound to get a fresh perspective on the subject. For instance, RSA Security’s GM and senior director says he is not as concerned by big-take-down IoT scenarios that tend to make headlines. Stealthier attacks, he points out, could be more troubling.
Tran says that some Internet of Things security scenarios that make headlines are already old news by the time they are published. For instance, when asked about the early March WikiLeaks revelation that the CIA had been hacking Samsung TVs to capture audio and video, he responds, succinctly: “That’s so 2000!” Others, like the potential of voting machines to be hacked, have been discussed by security researchers for decades.
Meanwhile, a fair amount of press coverage on Internet of Things security is misleading, he says. Take the reports of Russian malware that showed up in a Vermont utility late last year as an example. “Some of the articles on this had headlines claiming: ‘Oh, the Russians are after us,’” Tran points out. “But [the U.S. Department of] Homeland Security was just saying that Russian malware had made it onto an isolated computer at Burlington Electric that was not on the ICS-SCADA environment.”
In a conversation at Dell EMC World, Tran touches on what worries him most when it comes to IoT security and shares his thoughts on using a financial volatility approach to monitor networks and determine risk exposure, as well as on the potentially unique privacy implications of connected device networks.
What is it about IoT security that troubles you most?
The vast majority of IoT devices have three things in common: They are connected, they are smart, and they are insecure. It really is the perfect storm.
And here’s another thing with IoT: It makes it possible for hackers to do things most people haven’t even thought about.
I bring up this whole topic of the Super Bowl: Zebra Technologies is innovating and working with NFL teams for sensor placement for “player tracking” with RFID-based tags embedded in players’ equipment and uniforms to analyze movements through outputted sensor data on portable tablets and other wireless collection platforms. A coach can change up your play based on performance data that just came off the field with this technology. In this scenario, it’s not so much the sensor itself that’s a security concern but the potential for sensor data disruption and/or manipulation at multiple points of presence during game play where a hacker could target to change the outcome of game analytics by injecting data or corrupting the accuracy of the data. Think of the billions of dollars’ worth of sports betting—legal or not—that goes on every year. The American Gaming Association estimated that this year’s Super Bowl alone would draw $4.7 billion in bets. People are betting on all kinds of things—even when the first fumble is going to happen.
The Internet of Things also opens up new possibilities to use micro-breaches against financial markets or geopolitical environments. With IoT, you are going to have a lot more of these small manipulations. Slight manipulations are hard to catch, and we are so focused on the “loud-and-proud” type of breach.
As the number of IoT devices increases, it can get tricky to keep track of everything. Even trying to keep track of all of the connected devices in our living environment is nuts. Most ISPs aren’t even prepared for that. We have a lot to think about in terms of where the choke points are with IoT security.
The risk of hackers taking down the power grid has received a good amount of attention in the IoT security realm. What do you make of the risk there?
If you really want to do something to the power grid, you would hit the interchange of the power grid. You would mess with the telemetry and go for long-term command and control.
Most enterprises and organizations that manage critical infrastructure are still [struggling] to even gain visibility of the devices on their network—the basics. They aren’t carefully looking at the relationships between those IoT devices.
An IT director managing critical infrastructure naturally worries about core systems. But you also need to have a map of the earth that includes all of the devices in your IoT environment. For instance, I would be concerned if a closed-circuit IP-enabled camera at an electrical facility is running “hot” all of the time compared to its neighbors.
How does the march toward smart cities change the threat landscape?
I think city environments will be on the radar because of their connection to critical infrastructure. They are under tremendous pressure to reduce costs and to boost efficiency, and they are doing it with IoT. I think we will see a lot more targeting of critical infrastructure via city environments because cities will have relationships with other municipalities through network connections.
On the other hand, some cities are emerging that are doing a good job at monitoring their extended networks. Los Angeles is an excellent example. The CISO of LA, Timothy Lee, has worked with RSA to set up an integrated security operation center (iSOC) that incorporates volatility monitoring and detection capability that stitches the city’s agencies together, from the port authority to the airport authority to public works.
I’ve heard you say before you are a fan of customizing VIX, a measure of financial volatility, to track IoT security. What can you tell me about that?
VIX has been used in markets to model risk in trading. It is just volatility indexing based on data inputs. You look at the mortgage-backed security crisis of 2008, and you can model it out and get a risk quotient.
I looked at that and thought: We can do that for Internet of Things security. So I started putting data into the VIX formula. I can put my threat intelligence and changes in the IT department and put mergers and acquisitions into it. I can also use it to track massive changes in a connected living environment or smart-city environment. It can help monitor when there are a lot of new inputs or changes. You can then start mapping out different areas of volatility in a city, whether you have traffic patterns or anomalies in the data systems that control those. You can map energy consumption, capacity, and trading in grid systems.
After we had started applying VIX to security operating environments, we shared it with customers, and some of them said: “Whoa! Security is not as crazy complicated as we thought. We don’t have to be a mathematician or PhD in economics to understand it.” It’s just a matter of applying existing frameworks in a different way.
What kinds of IoT privacy implications are you worried about?
Voice recognition platforms like Amazon Alexa are intriguing because they’re always listening. Voice platforms also raise interesting questions when it comes to apps. The in-app economy is huge and already creates all kinds of intersections between services. Take the Uber and Starbucks apps as an example. Linking the two together could enable you to speak a command and get a ride to the nearest café and to have your drink waiting for you when you get there. These apps also give enterprises new ways of tracking their customers. It’s also not that far-fetched for Starbucks to start estimating the caffeine levels in my bloodstream. Bad actors could also get access to this information.
In Singapore, they already have sensors that are collecting air-quality data. They can use population data to determine things like shopping habits and smoking levels in certain neighborhoods. All of that stuff isn’t that alarming by itself. You might not have a reasonable expectation of privacy when you are out. But the real risk is of longer-term profiling by threat actors.
Google might already be able to predict the next flu strain better than the CDC. In the future, stores could do things like predict the next baby boom population based on shopping habits. IoT devices open up additional security exposures relevant here that we haven’t even looked at.
On the other hand, IoT devices could be used to address security threats. For instance, video footage can be merged with social media signals to anticipate some terrorist attacks or shootings. Again, you could use an algorithm like VIX to track data from IoT devices together with social engagements to monitor potential volatility in urban behaviors.
This same principle also could work in sectors like aviation. You don’t have to wait for the plane to crash to get access to the black box.