Brian Russell is a security expert with Leidos, chair of the Internet of Things Working Group and Cloud Security Alliance. He spoke to ReadWrite about his book “Practical Internet of Things Security” and issues facing the IoT security community.
How do we shift our minds and prepare for IoT security? What are some of the biggest challenges facing the IoT community in enterprise networks and consumers at home? Take a look at the interview below.
ReadWrite: We’ve been inundated with IoT technology, it seems like security isn’t being factored in. Is there such a thing as IoT security in general?
Brian Russell: Yes, in a lot of ways, IoT security is just regular security. Now, applying it to the types of devices and systems that are being built, that’s been a challenge for one reason or the other but, when you really sort of think about it, the fundamentals of information security still apply to IoT devices, that a manufacturer is building. Or integrators putting together, you still need to have confidentiality, integrity, availability, those sort of key fundamentals of security.
So, what’s been a bit of a challenge in the IoT market, is there are so many types of technologies coming together, and nobody’s gotten ahead of the curve, and said hey, if I put together a system that has Zigbee devices that are talking over the internet, over the cloud, and they can talk to each other and they use MQTT as well, after going through a gateway, how do I secure those new technologies? And so, it’s a matter of technology getting ahead of the guys in security, market or the security function, where they haven’t really had a chance to catch up and do a really good look at one, the security controls, that have to be applied and the best practices that are recommended for each specific protocol that’s within IoT and from a systems perspective, what are the engineering challenges related to when you put all of these things together, and you start having them work together?
Sometimes in an autonomous fashion, what does that mean from a risk perspective and what does that mean from a security controls perspective? I think it’s really a matter of security not catching up with technology. I think whether it’s the IoT, whether it’s machine learning, whether it’s data analytics, whatever it is that we’re talking about, that’s going to be the challenge going forward for the security community, trying to figure out, technology moves fast and security is sort of lagging behind the technology movers and shakers. How are you going to make sure that you keep up? So that as new capabilities, products and technology come out, you’re not in the same boat as we’ve seen ourselves in with IoT.
RW: With IoT, we don’t see the traditional level of testing, because of the ubiquitous nature of these devices, they’re everywhere. Is it a different mentality when testing or working with this type of security?
BR: Yes and no. You’re going to want to do a methodical examination when you’re examining the security of any particular system, a methodical examination of potential vulnerabilities, and you go online and sort of look for every single attack vector that you can find to get into a particular system, whether IoT or not. What you mentioned about sort of IoT being different is right, and there’s training or mindset shift that has to occur in the security community.
The scale of IoT is what I think you were referring to, there might be millions of devices, that are used within a particular organization and those devices can range from temperature sensors, floating in the ocean, it can be smart mirrors, it can be smart billboards, it can, things in a smart home, smart electrical capabilities, smart grid type stuff, there’s so many different things, again, sort of going back the traditional ways of doing security, sort of looking at it from a risk perspective, is really important, again, if you have this sort of category of devices, that are sort of reading temperature data, for example, or reading some environmental type data that has no impact from a security perspective, for a particular organization, or limited impact from a security perspective, you’re going to apply resource to secure those capabilities and those technologies.
On the other end of the spectrum, what you really have to work about is this move toward cyber-physical system, CPS, where now, I may have a connected vehicle, if I’m Ford or General Motors, I’m going to make sure that I apply substantial amounts of security engineering and resources to figuring out what the vulnerabilities are for that particular system and making sure that it’s locked down in such a way that people are thwarted from trying to penetrate into the core the devices, in this case, a vehicle. Or it could be a drone or a plane. Going back to that sort of risk perspective, and that sort of that risk framework mentality, and saying ‘Well, I need to sort of pull out of the stop and see if I can dig my way into a connected car, that if it’s compromised, it’s going to cause harm to somebody…’
RW: What was your motivation for this book? It’s very technical.
BR: My background, going back many years, working for the government, building cryptographic key management systems and we sort of have an understanding of, making sure the systems that are out there, serving mission purposes, and critical business purposes are secure, sort of taking that background in cryptographic key management, we ended up starting to work with the FAA. Cryptographic control for drones and trying to figure out what that command link would look like between a small mid aerial system or drone and a ground control system, and sort of keeping people out of that command link. Then we ended up going into the transportation sector with the federal highway administration trying to figure out what it means to secure connected vehicles across the U.S. infrastructure. From that perspective, from the work perspective, it became very clear that there are a lot of challenges. People weren’t going back and applying the fundamental principles… The risks were growing significantly.
We saw that there were many points of integration, that seemed to be opening up between all of these different technologies. For example, a vehicle in today’s world might be started with a command, you might say ‘Lexus, start my vehicle.” That’s sort of an integration point, it might integrate with your net thermostat. That’s an integration point into a cyber system that has the ability to cause harm if it’s taken over from a control perspective. The risks are significantly high and they’re getting higher as more things get integrated with other things.
The other side, the volunteer work that I do, the Internet of Things Working Group, we’ve been looking at this since 2013 or so, trying to put together some community driven thoughts on how an enterprise might go about securing and IoT implementation, sort of a systems to systems implementation, and then how a product developer might go about securing their IoT-based connected products. I look at that and got together with my co-author Drew Van Duren and said it probably makes sense to go ahead and formalize this and put this together into an actual book.
RW: It looks like your book was written for engineers, programmers and network admins working on the technical aspects of IoT.
I think you’re right, we tried to abstract it as well, but we wanted to provide practical guidance that people can use when they’re designing their IoT systems.
RW: In chapter one, you talk about IoT data collection, storage, and analytics. Thinking about the future of IoT, how big a role will data collection play?
There are a lot of different potentials there. One path you can think through is already starting to show itself. If you look at, I think there was a murder investigation just a couple of weeks ago and the local law enforcement was trying to get access to the transcripts from the Alexa, from Amazon’s Echo device.
That shows you that you have devices in a smart home for example, in some instances, back with the some of the smart TVs that were always listening. Definitely, in the Echo case, it’s always listening for the implication word… What is the legal stance as far as how a law enforcement official might gain access to that transcript from Amazon? Almost like the old subpoena from the telecom providers. Are they going to go and do this to Amazon when there is a case that opens up and they might be able to figure out details of the case if they get transcripts.
This sort of goes to the ubiquitous monitoring of IoT, the nature of the IoT, where you always sort of being watched and I think eventually we’ll get use to that. It’s going to be interesting seeing what happens from the perspective of law enforcement that wants access to these things. Another example, it hasn’t come to fruition yet, but everybody has cameras on these houses now, camera on their backyard. If something happens in front of your house or on your property, is law enforcement going to subpoena the video images? What if you don’t want that to get out from a privacy perspective? I think privacy sort of a really interesting area to think through when it comes to this sort of data collection of IoT devices. You can make the same case for smart health devices that are always collecting your biometric data about your heart rate. These things are going to get more and more advanced. The data that’s collected is going to be able to show, a profile of your activity, and your sort of overall health and well-being, and do you want this data or the inferences from that data to be made available to people that you don’t know.
Your healthcare provider is sharing that with your insurance provider. On the insurance side, what are the ramifications when we talk about not only health care but also sort of vehicle insurance. Nowadays you can go out to target and buy a device that will hook into your OBD2 port on your vehicle and collect information about how fast your drive and that’s going to be standard stuff in the connected vehicle area. What happens when the insurance company starts getting a hold of that data that’s being collected about you? They can make real-time decisions about what you rates are going to be — can they deny coverage?
It’s going to be real interesting to think about from a legislative perspective. I talk about the security guys being behind the curve, of technology, it’s the same on the legislative side. Are lawmakers going to have to figure out what laws they have to put in place to protect your rights as a consumer, not only from a privacy perspective but also from the perspective of this not having your insurance taken away because the insurance company figures you’re not as healthy as you said you were or you’re driving more than you said you were.
RW: When we look at IoT devices, it seems like a lot of devices are being enabled without any security mechanism in place. The manufacturers are creating and then at the last moment, an IP stack is placed on the device. What is your take on this?
BR: I think that’s right. IoT security is similar to regular information security that we’ve all sort of grown up with. If you think about the software industry, they’ve had many years to secure their security practices, and if I’m a refrigerator manufacturer I haven’t had a need to figure out how to prevent people from hacking into my computer capabilities, or If I’m a vehicle manufacturer, similar circumstances, or whatever it is, if I’d a manufacturer of some sort of product, physical product, I haven’t had to make sure that people don’t have to hack into my light bulb, that I’m putting out onto the shelf. It’s a matter of catching up again from a design perspective, understanding that if you put something out there that has the ability to connect to other devices or to the Internet, there is risk involved and you have to figure out how to mitigate that risk.
You pair that with the startup community who has no real motivation to embed real security engineering into their products, they’re interested in getting things to market… The other aspect is that there is talk all over that there is a shortage of skilled security people. On the market. If I’m a startup or legacy product manufacturer, it’s going to be hard for me to go out and recruit the people I need to build a good security team, so that I can tackles these issues internally, it’s this perfect storm of different mindsets and issues that are keeping people from succeeding and applying proper security controls, to their devices.
The FTC recently came out against manufacturers of connected devices and are bringing a lawsuit against a manufacturer. I can’t remember who it was, and so now, if you start to see some government enforcement you might see some a mindset shift from these IoT manufacturers where they have to go the extra mile to get things right. We haven’t seen that from the government until very recently.
RW: On connected devices in the home, what kind of implemented security can we expect to see on these devices in the future.
BR: I think, for those sort of devices, you’re going to have to lean on the protocol specs themselves because bolting on additional security features to an air conditioner that has to talk to a thermostat, if that involves any sort additional configuration for the home user it’s probably not going to happen or not happen correctly, because from the consumer IoT realm, it’s an interesting challenge. Usability is extremely important, there is always this tug of war between usability and security, but on the home market, it’s not going to be used, if it’s too hard to configure. If you have to go in and manually enter a hex string of key characters into a light bulb every time you install it, that’s gonna fly.
As so, you fall back on the pairing processes of some of these protocols like ZigBee, Z-Wave or Bluetooth. And those communication protocols have built-in security controls, where they haven authentication capabilities and confidentiality protections built into them at the link layer. You’re going to have to figure out the best approach to leverage those, protocols security stacks that are already existing for those types of devices.
RW: So who needs to purchase your book?
BR: I would say anybody who is trying to put together complex connected systems. Systems that talk to each other, systems that work together autonomously, for critical business functions or critical mission functions. That’s what the book was designed for anybody who is responsible for getting these connected devices incorporated into their enterprise. I would hope would benefit from this book right now.