“Smart” Security for the Internet of Things, in Three Parts

Previous blog posts have talked about the expansion of regulatory purview of existing authorities, and how that is affecting businesses of all sizes – whether or not they are specifically regulated. Others have talked about the value of market-based security, and how procurement and contracting can be leveraged.

Regulatory authorities aside, businesses are applying the same scrutiny independently. I’m sure everyone has, at one time or another, seen the questionnaire regarding information protection controls that precedes a network trust relationship. For example, a company that provides outsourced benefits management is going to house customer employee data, to include SSNs, insurance information, and health data. That’s a big target, and before proceeding you would want to make sure that they don’t have any wildly open doors or windows. So we’re all getting used to this.

I think this is a good trend, as it makes security more aligned with market forces, providing a capitalism-based approach – you can make more money if you’re secure. It’s also becoming a necessity as we move into more networked means of managing power consumption, traffic management, asset tracking, and all the other “smart” energy / city / hospital / etc. technologies coming into the market.

The manufacturers of these technologies certainly bear the responsibility of ensuring that their products are secure (and a security certification system may be forthcoming), but I think we can all agree that’s good for a point in time only. Things deteriorate. Additionally, an integrator will likely be required to get the technology installed and working. Everyone in this food chain has a responsibility, and hardly ever are those responsibilities articulated contractually.

The manufacturer has a responsibility to address technical vulnerabilities in the product as they are discovered: notify customers and provide a patch, update, or workaround – or completely replace the product. The integrator has a responsibility to work with the customer to ensure that the technology is deployed securely – changing default passwords, activating encryption and other controls that may be optional, and potentially applying manufacturer-supplied updates that can apply corrective action across the deployed base. And you – the customer – must provide activity monitoring and incident response capabilities.

Our collective attack surface is growing exponentially during a time of increasing criminal, nation-state and terrorist activity, while Internet-of-Things technologies are becoming preferred targets for extortion and are being weaponized to attack other entities. Addressing the life span of the technology is therefore a three-pronged effort, and all three prongs are required: the manufacturer’s assurance of security, the integrator’s secure deployment and maintenance process, and the customer’s detection and response. Of the three, two apply to third parties and are driven by contracts.

In short, if it can’t be shown to be secure and there’s no plan for keeping it that way, don’t buy it. Use procurement and contracting as the security tool it can be, or your “smart” organization may end up looking kinda dumb.