Web apps are not exactly secure. IBM tracks 9 billion events per day. They see 150 million intrusion attempts on a daily basis.
Of the vulnerabilities they see, 49% come from web apps. Of the 49%, about 67% of those vulnerabilities never get patched.
So, what happens when the physical world is controlled by networks that connect with on-premise and cloud environments?
We've spent the past two days at IBM Innovate, where the discussion is about the development of systems and the increasing complexity of interconnected networks.
IBM calls it the complexity of "systems of systems," a term that is redundant and a bit confusing, but we'll work with it.
The security issues grow increasingly complex in systems that connect devices to networks and to multiple other connected systems.
Take Babcock Ranch, the 90,000-acre smart development that is using IBM Rational to plan its network of instruments, which will be integrated into all manner of physical devices.
For instance, Babcock will put instruments on sprinkler heads throughout the community. They will be networked to pull in weather data so the sprinklers can water certain areas. Houses will be solar powered. When clouds move over, the smart grid will know to compensate.
Jack Danahy is a security executive in the office of the CTO at IBM Software. He preaches the concept of designing security in from the start of development, not as an add-on, as is often the practice with Web apps. From the blog he writes with Andy Bochman, a fellow security executive at IBM:
"Threats from bad guys are one thing; threats from poor coding, configuration errors and other unintentional companions of complexity are likely a bigger challenge in the near term. Nevertheless, could an attacker work his/her way through less-than-secure automotive communications networks to put drivers in harm's way or adversely impact a utility? Sounds exotic, but when Vehicle-to-Grid (V2G) dreams start becoming reality, and electric cars draw their power from the grid while fulfilling important energy storage functions upon which we come to rely, this is one area we want to make sure doesn't get overlooked. In fact, just like in everything else, we'd recommend minimizing the drama and designing security in from the word go."
Danahy is the founder of Ounce Labs, the company he sold to IBM last year. Today, IBM announced the integration of Ounce Labs with Rational's security technology. The result is AppScan Source Edition, a new addition to its Web application security and compliance portfolio. AppScan helps companies correct security vulnerabilities before the app goes live.
Security issues are a problem with Web apps. But if nothing else, the security problems we have seen on the Web may serve as a lesson as we enter this new age of the Internet of Things.
But still, even if security is built into the technology, the smart grid is not guaranteed to be any more secure than a Web app.
"According to a study by systems engineer Mohit Arora, the future smart grid's use of communication technologies implies an increase in computer-controlled electronics and software, which might increase the probability of a potential cyber attack.
Mr. Arora says the danger in a cyber attack is the element of uncertainty. A cyber attack can strike through the public network from a remote location virtually anywhere in the world.
Successful cyber attacks could lead to power outages, destruction of generators and even grid instability. Hackers can also steal data from the memory of these devices and insert malicious software instead."
Designing with security in mind will be essential in the new smart world, especially considering that the criminal networks will surely be getting smarter, too.