Face it, you’re connected. So protect yourself by protecting your ‘things’
“If you connect it, protect it.”
That is the exhortation for this, the inaugural week of National Cyber Security Awareness Month (NCSAM), the overall theme of which is, “Do Your Part. #BeCyberSmart.”
NCSAM, an initiative by the federal Cybersecurity & Infrastructure Security Agency, within the Department of Homeland Security, is now in its 17th year and, sadly, more necessary than ever.
Protecting connected devices (which remain rampantly insecure) is a laudable goal. I just have a small quibble with the Week 1 slogan — it implies that there is still an “if” about connecting. The Internet of Things (IoT), now numbering somewhere in the 30-billion range, is rapidly becoming the Internet of Everything (IoE). It’s less and less about if a thing is connected when your toaster, coffee maker, refrigerator, dishwasher, clothes dryer, vacuum, lawn mower, door locks, and more are all online.
So assume it’s connected. The real focus needs to be on protecting all the “its” out there. Because they’re all connected to you too. And that is vastly more complicated than simply getting rid of a default password and replacing it with a complex one (even though that is a very good thing to do). Just as there is endless variety among connected devices, effective protection is not one-size-fits-all.
In the physical world, a cable or a chain with a combination lock is considered reasonable protection for a bike. For a home, most people want doors with at least a double lock — a key and a deadbolt. A bank is going to have a sophisticated array of locks, barriers, surveillance cameras and people to guard its assets.
That’s the case with connected devices as well. Your smartphone is reasonably well protected with multifactor authentication and encryption. Pretty much the same for most of the apps on your phone. But a vehicle, implanted medical device, or smart security system for the home need more. It’s bad to have your credit card number stolen, but it’s much worse to have your life or safety put in jeopardy.
Then there are “things” like public utilities, traffic controls and the power grid, which fall into the category of “critical infrastructure,” since if they fail, get polluted or are misused, they can cause mass disruption, damage, chaos, and even death.
The kinetic impact
One example of that potential happened two years ago when excessive pressure in natural gas lines owned by Columbia Gas of Massachusetts caused a series of explosions and fires in more than 40 homes in the Merrimack Valley of northeastern Massachusetts.
One person was killed, 22 were injured and thousands had to evacuate their homes for months. Since then, Columbia has paid more than $80 million in repairs and damages plus a $53 million fine and it agreed to sell its business in Massachusetts.
The official cause was “weak engineering management” — human error, in other words. But disabling the pressure gauges is exactly the kind of thing malicious hackers could do if they gained access to the system.
Sammy Migues, principal scientist at Synopsys, said one way to determine the level of security a class of connected things needs is to “look at their kinetic effect in the ‘real’ world.”
“Can physical loss/destruction, loss of connectivity, malfunction, or loss of ownership — a hacker owns it, new homeowners own it, and so on — result in many deaths, one death, much human harm, some human harm, financial loss, privacy loss, inconvenience, or no impact at all?” he said.
“Match the protection — more security features, better software, trusted supply chains, and so on — to the type of loss and the expected frequency/amount of loss. Or to what lawyers think relative to cost, revenue and risk, which can depend on judicial precedent, the possibility of a class action, the cost of suing a giant vendor, and so on.”
“This is what the real world does with safety for cars, buildings, medicines, education, public works, and everything else under the sun,” he said.
Not to mention that all those things Migues mentioned — cars, buildings, medicines, education (now largely remote and online), public works and everything else — are increasingly connected.
Beyond all that is the complexity of who can protect it, and how. Yes, you the user or customer connects the device. But somebody else designed and built it. Chances are good that a different somebody sold it to you. Your capability to protect it depends in part on the manufacturer or vendor creating patches or updates to fix any vulnerabilities discovered after the product is in your hands and throughout its entire existence.
Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center (CyRC), said the longevity of connected things can raise the long-term risk.
“Cyberthreats are more concerning when the expected lifespan of the device is factored in,” he said. “After all, dishwashers, thermostats and doorbells aren’t devices like smartphones where there is social pressure to have the latest version.”
Beyond that, fixing software security defects isn’t like bringing your car to the local garage for a brake job. Mackey said it “requires cybersecurity skills, an understanding of the framework used to create the software, and an understanding of how the original software functions. Gaps in any of those areas could lead to patches that break other aspects of the software.”
And then there is the security, or lack of it, on the information highway. Users connect their devices to an infrastructure that is worldwide and over which they have little to no control, other than the portal into their home network — a router. Which is itself another class of thing that has a dubious security reputation.
So how can you protect all your things (and therefore yourself) without a little help from a vast network of faceless friends?
You can start by caring as much about security as you do about the bells and whistles of your connected devices. So far, in spite of daily headlines about hacks into IoT devices, most consumers make their purchasing choices based on features and price, not security.
“The problem with a lot of connected devices is that users don’t have enough information to properly manage risk,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation. “They don’t know if a device is secure or not. Instead, they rely more on a brand’s reputation than any concrete security assessments.”
That, he said, would let regulators like the Federal Trade Commission (FTC) “hold companies accountable for making false disclosures. It also avoids the problem of regulators trying to develop and enforce specific security requirements.”
But even without direct market pressure, makers and sellers of such devices should make software security as much a priority as cool features and the speed of development.
The technology is here
Especially because the technology is widely available to do the basics, including:
- Static, dynamic and interactive testing to discover vulnerabilities in code while software is being written and assembled.
- Software composition analysis (SCA), which finds open source components in software and flags known vulnerabilities plus potential license compliance problems.
- Penetration testing before a product goes out the door, to find vulnerabilities that earlier testing might have missed.
- Updating and patching. Once vulnerabilities are discovered in systems or products already in use, most of them are patched — that’s why Microsoft’s “Patch Tuesday,” now renamed “Update Tuesday,” has been a thing for decades. But obviously a patch or update is worthless if it’s not installed.
The other good news is that, 17 years after the first NCSAM, there are numerous standards and best practices available to help the builders of connected devices improve the security of their products.
Jennifer Janesko, senior consultant at Synopsys, can rattle off a long list of standards, including the OWASP Internet of Things security recommendations, UK Code of Practice for Consumer IoT Security, ENISA Good Practices for the Security of IoT, and CSA’s Future Proofing the Connected World. There are more, but you get the idea. A lack of good advice is not the problem.
But the bad news is that the need for better awareness remains as critical as ever. Perhaps one of the newest standards will have more luck. In June, the ETSI Technical Committee on Cybersecurity (TC CYBER) released ETSI EN (European Standard) 303 645 for IoT cybersecurity, which both sets a security baseline for consumer products and provides a basis for future IoT certification schemes.
On the list of baseline requirements are:
- Prohibit universal default passwords
- Provide vulnerability reporting
- Keep software updated
- Secure storage of sensitive security parameters
- Communicate securely
- Minimize exposed attack surfaces
- Ensure software integrity
- Secure personal data
- Make systems resilient against outages
- Examine system telemetry data
- Make it easy for users to delete data
- Make installation and maintenance easy
- Validate input data
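As an added illustration of two of those baseline items, “Keep software updated” and “Ensure software integrity,” here is a small device-side update gate (example code added here, not from the article, Synopsys or ETSI). It authenticates the update manifest, refuses rollback to an older version, and checks the image digest before anything is flashed. The factory-provisioned key, manifest and firmware bytes are constructed sample values, and the symmetric HMAC key is an assumption for a constrained device.

```python
# Added example: a minimal firmware-update gate enforcing two ETSI EN 303 645
# baseline items, "Keep software updated" (anti-rollback) and "Ensure software
# integrity" (authenticated manifest plus image digest). Not code from the article.
# Assumption: the device holds a per-device update key provisioned at the factory;
# the key, manifest and image bytes below are constructed sample data.
import hashlib
import hmac
import json

# Constructed factory-provisioned key. On a real device it belongs in protected
# storage (another baseline item: "Secure storage of sensitive security parameters").
DEVICE_UPDATE_KEY = b"constructed-factory-key-0001"
INSTALLED_VERSION = 3

def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Manufacturer side: authenticate the manifest with HMAC-SHA256.
    Symmetric-key assumption; a public-key signature is stronger when affordable."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def verify_update(package: bytes, image: bytes, key: bytes, installed_version: int) -> str:
    """Device side: return 'ok' or the reason the update was rejected.
    Order matters: authenticate the manifest before trusting any field in it."""
    try:
        body, tag = package.rsplit(b"\n", 1)
    except ValueError:
        return "malformed package"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return "manifest authentication failed"
    manifest = json.loads(body)
    if manifest["version"] <= installed_version:     # anti-rollback check
        return "rollback or replay rejected"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return "image digest mismatch"
    return "ok"

# Constructed sample update: version 4 with a matching image digest.
FIRMWARE_V4 = b"constructed firmware image v4"
MANIFEST_V4 = {"version": 4, "sha256": hashlib.sha256(FIRMWARE_V4).hexdigest()}
PACKAGE_V4 = sign_manifest(MANIFEST_V4, DEVICE_UPDATE_KEY)

if __name__ == "__main__":
    print(verify_update(PACKAGE_V4, FIRMWARE_V4, DEVICE_UPDATE_KEY, INSTALLED_VERSION))
```

A manifest tampered to raise its version fails the authentication step before the version field is ever read, which is why the checks run in that order.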
Those “make it easy” directives are especially crucial. Janesko noted that the average consumer setting up a smart TV “may not have the expertise to segment their network to inhibit network traversal, and they will not likely set up monitoring to detect network-based attacks. And a device manufacturer cannot expect this level of expertise when designing possible security configurations in their products.”
In other words, just as a car dealer wouldn’t expect a buyer to assemble some components of a new vehicle like installing the wheels, part of the responsibility for vendors of smart devices ought to be to help their customers complete a secure installation.
Of course, even if users, manufacturers and vendors all do their part, the reality remains — nothing will make connected devices entirely bulletproof.
Which is OK — the goal is not to be perfect but to be a more difficult target for attackers.
The classic story to illustrate the point is the one about two hikers who surprise a bear that begins to chase them. As the two are running frantically down the trail, one says to the other, “I don’t have to outrun the bear. I just have to outrun you.”
No word on whether, if both survived, they remained friends. But the point is clear. Keeping your connected things more secure than others do will make you much closer to bulletproof.