Zero in a bit
Application security testing, analysis, and metrics
Updated: 38 min 20 sec ago
The Internet of Things is upon us. We’re at the dawn of a new era that will bring changes even more transformational than those of the past two decades. There’s just one big obstacle in the way: IT and application security. That’s the conclusion of a couple recent studies that consider adoption of key features of the “thing” based Internet, such as machine-to-machine communications. In the first, the analyst firm ABI Research predicted that the market for machine-to-machine (M2M) communications has the potential to reach $198 billion by 2018. The market will be driven by the adoption of a wide range of “smart” technology – from household appliances to medical equipment to mobile devices. However, the development of the M2M market may be constrained by what ABI calls a “consistent lack of interoperability” between devices with M2M interfaces, and a lack of application level protections. “M2M devices themselves are generally left unsecured and, as they increasingly connect to enterprise backbones, such exposure poses a risk, providing a vulnerable back door into the network,” wrote ABI researcher Michela Menting in a report. Another red flag came in the form of a survey of 1,300 German businesses and universities that are members of the German Association for Electrical, Electronic and Information Technologies (or VDE). That survey asked about adoption of smart manufacturing technologies – or “Industry 4.0,” – as it’s known. Industry 4.0 is kind of a catch-all term (more common in Germany) that subsumes a lot of trends: ubiquitous sensors and computing, IT enabled machinery, process innovation, Internet of Things, etc. The benefits of the adoption of this technology are self evident: more efficient factory floors, real time troubleshooting, more efficient supply chain operations and rich data for executives, factory managers and customers about the entire manufacturing process. Still, the VDE survey found that close to three quarters of those surveyed (70%) doubted that smart manufacturing goals would be achieved by 2025. Why? IT security was the most oft-cited obstacle, with 66% of those surveyed saying a lack of proper security controls was reason to hold back on investments in smart manufacturing technology. And the cautious Germans aren’t the only ones who would like to put the brakes on the breakneck pace of adoption for intelligent devices. In just the last few weeks, the U.S. National Highway Traffic Safety Administration (NHTSA) expressed that it was concerned that the increasing complexity of electronic systems and sensors in automobiles warranted more scrutiny by the government in order to ensure passenger and driver safety. “With electronic systems assuming safety critical roles in nearly all vehicle controls, we are facing the need to develop general requirements for electronic control systems to ensure their reliability and security,” David Strickland, the chief Administrator for the National Highway Traffic Safety Administration (NHTSA) told a Senate Committee. Modern automobiles are ”becoming increasingly interconnected, leading to “different safety and cyber security risks,” he said. The story is the same in other industries as well – like healthcare – where smart device adoption is raging ahead, but sensitive information is at even greater risk. So what’s to be done? Let me digress by noting that I attended a design-focused symposium this week called “Bytes and Atoms” that was co-sponsored by O’Reilly Media, the digital media firm Brightcove and others. The symposium addressed the challenges of the growing interconnections between our digital and physical selves. The speakers – many of them professional design consultants, architects and technologists – talked up the potential of The Internet of Things, likening it to the dawn of the World Wide Web in the early 1990s. The talks were inspiring – we saw prototypes of ‘intelligent’ work out shirts by Under Armor that will monitor your body’s performance as you’re working out, non-invasive “smart” medical devices and telepresence robots that can help provide care to patients in remote locations. But it struck me at the event that, as with the early days of the Internet and the Web, security was being shunted off to the corner of the stage. Now, as then, the decisions we make will sow seeds that we only harvest in five, ten or twenty years. We can see now how a lack of security in core Internet protocols like TCP and SMTP have given birth to a wide range of online ills, from spam to denial of service attacks, but risk making the same mistake by focusing on what ubiquitous sensors, cloud based infrastructure and powerful mobile devices can do, rather than how they do them. I think there’s a clear need for greater scrutiny of the security of hardware, software and communications protocols that will undergird the Internet of Things – lest we fail to learn the mistakes of the past and, therefore, doom ourselves to repeat them.
Categories: Security Posts