With Internet of Things Security, Small Attacks Could Have Big Consequences

RSA’s Peter Tran says that IoT attack scenarios that don’t make headlines can have some of the biggest consequences.
  • Written by Brian Buntz
  • 11th May 2017

When talking to Peter Tran about IoT security, you are bound to get a fresh perspective on the subject. For instance, RSA Security’s GM and senior director says he is not as concerned by big-take-down IoT scenarios that tend to make headlines. Stealthier attacks, he points out, could be more troubling.

Tran says that some Internet of Things security scenarios that make headlines are already old news by the time they are published. For instance, when asked about the early March Wikileaks revelation that the CIA had been hacking Samsung TVs to capture audio and video, he responds, succinctly: “That’s so 2000!” Others, like the potential of voting machines to be hacked, have been discussed by security researchers for decades.   

Meanwhile, a fair amount of press coverage on Internet of Things security is misleading, he says. Take the reports of Russian malware that showed up in a Vermont utility late last year as an example. “Some of the articles on this had headlines claiming: ‘Oh, the Russians are after us,’” Tran points out. “But [the U.S. Department of] Homeland Security was just saying that Russian malware had made it onto an isolated computer at Burlington Electric that was not on the ICS-SCADA environment.”

In a conversation at Dell EMC World, Tran touches on what worries him most when it comes to IoT security and shares his thoughts on using a financial volatility approach to monitor networks and determine risk exposure, as well as on the potentially unique privacy implications of connected device networks.

What is it about IoT security that troubles you most?

The vast majority of IoT devices have three things in common: They are connected, they are smart, and they are insecure. It really is the perfect storm. 

And here’s another thing with IoT: It makes it possible for hackers to do things most people haven’t even thought about. 

I bring up this whole topic of the Super Bowl: Zebra Technologies is innovating and working with NFL teams for sensor placement for “player tracking” with RFID-based tags embedded in players’ equipment and uniforms to analyze movements through outputted sensor data on portable tablets and other wireless collection platforms. A coach can change up your play based on performance data that just came off the field with this technology. In this scenario, it’s not so much the sensor itself that’s a security concern but the potential for sensor data disruption and/or manipulation at multiple points of presence during game play where a hacker could target to change the outcome of game analytics by injecting data or corrupting the accuracy of the data. Think of the billions of dollars’ worth of sports betting—legal or not—that goes on every year. The American Gaming Association estimated that this year’s Super Bowl alone would draw $4.7 billion in bets. People are betting on all kinds of things—even when the first fumble is going to happen.

The Internet of Things also opens up new possibilities to use micro-breaches against financial markets or geopolitical environments. With IoT, you are going to have a lot more of these small manipulations. Slight manipulations are hard to catch, and we are so focused on the “loud-and-proud” type of breach.

As the number of IoT devices increases, it can get tricky to keep track of everything. Even trying to keep track of all of the connected devices in our living environment is nuts. Most ISPs aren’t even prepared for that. We have a lot to think about in terms of where the choke points are with IoT security. 

The risk of hackers taking down the power grid has received a good amount of attention in the IoT security realm. What do you make of the risk there?  

If you really want to do something to the power grid, you would hit the interchange of the power grid. You would mess with the telemetry and go for long-term command and control.

Most enterprises and organizations that manage critical infrastructure are still [struggling] to even gain visibility of the devices on their network—the basics. They aren’t carefully looking at the relationships between those IoT devices.

An IT director managing critical infrastructure naturally worries about core systems. But you also need to have a map of the earth that includes all of the devices in your IoT environment. For instance, I would be concerned if a closed-circuit IP-enabled camera at an electrical facility is running “hot” all of the time compared to its neighbors.

How does the march toward smart cities change the threat landscape?

I think city environments will be on the radar because of their connection to critical infrastructure. They are under tremendous pressure to reduce costs and to boost efficiency, and they are doing it with IoT. I think we will see a lot more targeting of critical infrastructure via city environments because cities will have relationships with other municipalities through network connections.

On the other hand, some cities are emerging that are doing a good job at monitoring their extended networks. Los Angeles is an excellent example. The CISO of LA, Timothy Lee, has worked with RSA to set up an integrated security operation center (iSOC) that incorporates volatility monitoring and detection capability that stitches the city’s agencies together, from the port authority to the airport authority to public works. 

I’ve heard you say before you are a fan of customizing VIX, a measure of financial volatility, to track IoT security. What can you tell me about that?  

VIX has been used in markets to model risk in trading. It is just volatility indexing based on data inputs. You look at the mortgage-backed security crisis of 2008, and you can model it out and get a risk quotient.

I looked at that and thought: We can do that for Internet of Things security. So I started putting data into the VIX formula. I can put my threat intelligence and changes in the IT department and put mergers and acquisitions into it. I can also use it to track massive changes in a connected living environment or smart-city environment. It can help monitor when there are a lot of new inputs or changes. You can then start mapping out different areas of volatility in a city whether you have traffic patterns or anomalies in the data systems that control those. You can map energy consumption, capacity, and trading in grid systems.

After we had started applying VIX to security operating environments, we shared it with customers, and some of them said: “Whoa! Security is not as crazy complicated as we thought. We don’t have to be a mathematician or PhD in economics to understand it.” It’s just a matter of applying existing frameworks in a different way.

What kinds of IoT privacy implications are you worried about?

Voice recognition platforms like Amazon Alexa are intriguing because they’re always listening. Voice platforms also raise interesting questions when it comes to apps. The in-app economy is huge and already creates all kinds of intersections between services. Take the Uber and Starbucks apps as an example. Linking the two together could enable you to speak a command and get a ride to the nearest café and to have your drink waiting for you when you get there. These apps also give enterprises new ways of tracking their customers. It’s also not that far-fetched for Starbucks to start estimating the caffeine levels in my bloodstream. Bad actors could also get access to this information.

In Singapore, they already have sensors that are collecting air-quality data. They can use population data to determine things like shopping habits and smoking levels in certain neighborhoods. All of that stuff isn’t that alarming by itself. You might not have a reasonable expectation of privacy when you are out. But the real risk is of longer-term profiling by threat actors.

Google might already be able to predict the next flu strain better than the CDC. In the future, stores could do things like predict the next baby boom population based on shopping habits. IoT devices open up additional security exposures relevant here that we haven’t even looked at.

On the other hand, IoT devices could be used to address security threats. For instance, video footage can be merged with social media signals to anticipate some terrorist attacks or shootings. Again, you could use an algorithm like VIX to track data from IoT devices together with social engagements to monitor potential volatility in urban behaviors.

This same principle also could work in sectors like aviation. You don’t have to wait for the plane to crash to get access to the black box.
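
The two monitoring ideas raised in the interview, a camera running "hot" compared to its neighbors and a volatility measure over device data, can be sketched as follows. This is an added example, not RSA's tooling and not the VIX formula: it assumes "hot" means traffic volume, uses the standard deviation of log changes as a stand-in volatility measure, and the device names, byte counts and 3.5 threshold are constructed.

```python
import math
from statistics import mean, median, pstdev

# Constructed sample: bytes sent per 5-minute interval by cameras at one site.
TRAFFIC = {
    "cam-01": [510, 495, 502, 520, 498, 505],
    "cam-02": [480, 470, 490, 485, 475, 488],
    "cam-03": [530, 525, 540, 518, 535, 528],
    "cam-04": [1900, 1950, 1880, 1925, 1910, 1940],  # steady but far above peers
    "cam-05": [500, 90, 1400, 60, 1600, 450],        # erratic swings
}

def realized_volatility(series):
    """Standard deviation of log changes between consecutive intervals."""
    changes = [math.log(b / a) for a, b in zip(series, series[1:]) if a > 0 and b > 0]
    return pstdev(changes) if len(changes) > 1 else 0.0

def robust_z(values):
    """Score each device against its peer group using median and MAD.

    Median/MAD is used instead of mean/stddev so that one extreme device
    cannot inflate the baseline and hide itself. 0.6745 scales MAD to sigma.
    """
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    if mad == 0:
        return {device: 0.0 for device in values}
    return {device: 0.6745 * (v - med) / mad for device, v in values.items()}

def flag_outliers(traffic, threshold=3.5):
    """Return {device: [reasons]} for devices far above their peers."""
    level = robust_z({d: mean(s) for d, s in traffic.items()})
    vol = robust_z({d: realized_volatility(s) for d, s in traffic.items()})
    findings = {}
    for device in traffic:
        reasons = []
        if level[device] > threshold:
            reasons.append("hot")        # sustained level above neighbors
        if vol[device] > threshold:
            reasons.append("volatile")   # unusually large swings
        if reasons:
            findings[device] = reasons
    return findings

if __name__ == "__main__":
    print(flag_outliers(TRAFFIC))
```

The two scores catch different things: cam-04 never swings, so a volatility measure alone would miss it, while cam-05's average looks unremarkable next to its peers even though its traffic is erratic.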
