Relearning Cybersecurity Strategy in an IoT World
In recent decades, the world has transformed dramatically. Even since 2010, smart connected technology has helped redefine everything from our cars, homes, cities and towns to offices, farms and even athletic fields, while giving rise to new products like wearables and smart speakers. And while we may think we have made sense of this new world, sometimes a landscape changes so fundamentally that we must call into question our basic assumptions about our technological reality. Now is such a time, especially when it comes to cybersecurity in our Internet of Things era.
Before we delve into how IoT is redefining cybersecurity strategy, let’s imagine the IoT possibilities of the present and near future. Think of cars that can “wake up” and anticipate our arrival as we get close to them. Connected sensors in the vehicle can also transform our experience behind the wheel, up until the moment we park and get out of the vehicle. And let’s be honest, it won’t be long before the car is probably parking itself. Wherever we get out, we likely are not far from a public Wi-Fi hotspot. And if it’s time to take a break from working, you might want to take public transportation to a stadium to see your home team play football. To get there, you might get on a highly instrumented bus or train with the ability to self-diagnose mechanical failures while traveling across infrastructure that includes bridges with vibration analysis. Once you arrive at a stadium, you’ll find it instrumented to the point that you receive location-aware ads on your smartphone. These notifications might tell you where to find the shortest beer lines based on your specific preference or that a new jersey for your favorite player is for sale at the game.
Once you get back to your seat and see the action on the field, you witness a massive hit. Instead of wondering what happened to the player on the receiving end, you can access empirical data generated from sensors in the player’s helmet in correlation with other biometric measurements. You are so taken aback by the action on the field that your heart jumps, prompting a cloud-based analytics program to kick in and analyze your pulse after your watch and pacemaker detect the spike in heart rate, signaling an alert before your pulse returns to normal.
But as much as we think we can anticipate the world waiting for us just around the corner, there is often a gap between what we think we know and reality. A scene from “Men in Black” captured this well, when “Agent K” said: “1,500 years ago, everybody knew that the Earth was the center of the universe. 500 years ago, everybody knew that the Earth was flat. And 15 minutes ago, you knew that people were alone on this planet. Imagine what you’ll know tomorrow.” Imagine indeed. As Erik Brynjolfsson and Andrew McAfee so adeptly showed in their book, “The Second Machine Age,” the world is advancing at an ever-increasing rate thanks to the combinatorial impacts of an array of technologies. When we think we can comprehend this world fully, we are reminded that with each passing day, it is more difficult to do so.
It may be a truism that smart, connected technologies are fundamentally changing the field of cybersecurity while opening up new vistas of vulnerabilities. Yet from a security standpoint, many people still think they are safe based on personal assurances. Their self-talk might include statements bordering on magical thinking like “I didn’t get hacked last year, so I won’t this year either,” or “No one will guess my password: 123456.” More security-conscious people might tell themselves: “I have an excellent password. It is so long and complex, people think I am crazy,” or they might have a more strategic approach, telling themselves: “I only engage with any technology under a fairly strict set of circumstances.”
While the cybermaturity of individuals varies considerably, most people assume that they — and the organizations they work for — are safe from cyberattacks. Every day, however, we see ample evidence debunking that myth. It would be one thing if this false sense of security were limited to consumers and individuals. It’s quite another when it extends to employees of large corporations with massive infrastructure and even chief security officers. But it does. So it makes sense to ask why.
In my opinion, this is mostly an artifact of the Internet of Things and the hype surrounding it. For quite some time, I have been a huge champion of IoT, and continue to believe it is changing our world for the better. But with that opportunity comes the responsibility of understanding and adapting to the cybersecurity challenges it raises. Workers at many organizations often have a poor awareness of the connected IoT devices surrounding them. More security-conscious workers may feel assured that what they have read and heard about cybersecurity over the years will keep them safe.
While it may be tempting to think that cybersecurity best practices have long been codified and that we can look to the past to help secure the future, the cybersecurity strategy you need to protect yourself or your enterprise this year is appreciably different than it was in, say, 2010.
IoT has extended the interaction and reach of the infrastructure beyond employees, beyond the four walls of the company, and beyond the tightly guarded architecture of the past. For instance, smart car keys have chips in them that communicate with a vehicle. The instrumentation throughout the car has massively increased, as well. The use of low-power, wearable devices has steadily risen, leading to everything from counting steps to sophisticated healthcare applications such as automated medication delivery and adaptable cardiac support. We monitor our infrastructure with super small, low-power devices. We track assets with similar technology over low-power, wide-area networks that allow for use cases today that would have been entirely impractical from a cost and deployment standpoint just a few years ago.
So all good, right? Our world stands to benefit from the profusion of connected technology that surrounds us. Maybe. If we want to build a new world, we need to let go of what we think we know and carefully consider the risks of surrounding ourselves with autonomous connected devices. We can’t continue to assume that our enterprise companies are safe.
Already, we know internet hotspots are not safe. Hacking at a local public hotspot happens all the time, and is not particularly difficult. But we tend to think less often about the risk of a hacker accessing our car by way of a Bluetooth-connected tire valve. It’s not clear that the infotainment system you use in your car is safe from hackers either. When security researchers took remote control of a Jeep in 2015, their point of entry was the infotainment system. And roughly two years before that, when hackers breached a gateway server at retail giant Target to obtain data from some 40 million credit and debit card shoppers, they did so through another unexpected portal — from an HVAC vendor that did work for the retailer. The arbitrary-seeming nature of IoT-based attacks continues to surprise. There’s no shortage of anecdotes like these, where a hacker gains access by looking to a seemingly random point of entry to launch an attack. Only recently, hackers breached a casino via the thermometer in the aquarium in the casino lobby, to the dismay of the high rollers in its database.
Stories like these should serve as a reminder that what we think we know about security has to be relearned in the context of the Internet of Things. The ecosystem in our IoT world is fundamentally different than it was before. The attack surface is everywhere, and this equates to a massive increase in vulnerability. In the traditional security model, we could build a castle with a moat to keep the bad guys out. But now, it’s no longer about protecting the castle walls and ensuring the moat is big enough. The castle is everywhere, and we must protect everything and everyone we care about, no matter where they are. As IoT blurs the lines between the digital and physical, it also erodes the notion that there is anywhere to hide from cybercriminals. We are not protecting the beach; we are safeguarding each grain of sand. This concept is a material change from the past. Think of it as protecting each session or engagement, noting that the interaction may or may not involve humans. Increasingly, those interactions won’t. But what initiates the session? Is it a small device? If so, does a traditional security stack even run on that device? What is the device talking to? And how do the messages get there? If it is communicating with an application that resides in a public cloud, is the access via a local public Wi-Fi hotspot with lax security protections?
In an IoT world, the person or device initiating the transmission of data must be viewed in the context of the interaction (session) and the entire path from the creation of that data to the consumption of that data, including all interim hops in between. When the protocols change, the session needs to be protected. If the starting point is a low-power device below the traditional protection points (like the tire valve or thermometer, or even the pacemaker), the session needs to be protected. When the interaction uses public Wi-Fi, the session needs to be protected. The same applies when the interaction gets into the cloud, where it is normally “unpackaged” within that infrastructure. Until the data is delivered into the consuming application where the right constituent with the proper authorization needs to consume that data, the session needs to be safeguarded. Full stop. These realizations are examples of the rethinking of security in the broader IoT world. The benefits of IoT can change life as we know it — for the better. Much better. But we can only realize its potential if we can also take steps to avoid the unintended consequences of increased vulnerability and the undermining of our data, privacy, companies and public infrastructure.