Past and Future Risks Bedevil Security on Internet of Things

CSM Passcode Editor Michael Farrell with FTC Commissioner Julie Brill, Professor Andrea Matwyshyn of Northeastern and GE Chief Privacy Officer Peter Lefkowitz at The Security of Things Forum in Cambridge on Sept. 11.
(L to R) CSM Passcode Editor Michael Farrell with FTC Commissioner Julie Brill, Professor Andrea Matwyshyn of Northeastern and GE Chief Privacy Officer Peter Lefkowitz at The Security of Things Forum in Cambridge on Sept. 10. (Photo courtesy of Christian Science Monitor)

In-brief: Efforts to secure the Internet of Things will be challenged both by a backlog of old software and hardware, and by the rapid pace of technology evolution, experts warned at the recent Security of Things Forum in Cambridge, MA. 

A huge backlog of software – most designed before the era of ubiquitous Internet connectivity – will make it difficult to secure many areas of critical importance to the economy: from healthcare to transportation to electric distribution and manufacturing, according to experts speaking at The Security of Things Forum in Cambridge, Massachusetts.

Companies in these industries are already finding themselves squeezed between insecure, legacy software applications and the rapid advance of new mobile technologies, connected products and allied services. The result: a vast expansion of the risks facing organizations globally, experts agreed.

The event, co-hosted by The Security Ledger and The Christian Science Monitor Passcode, brought together experts and researchers from industry, government and the public sector to discuss the challenges facing organizations, governments and society with the advent of billions of connected and intelligent devices. The conclusion? The challenges are many, and quick fixes aren’t likely.

Speaking on a panel addressing the policy challenges of the Internet of Things, Julie Brill of the Federal Trade Commission said that the challenge within Washington D.C. is that different agencies and lawmakers frame the issue of security and Internet of Things differently. That promises to make it difficult to craft flexible and forward-looking legislation to address security and privacy issues that IoT technologies engender.

Brill voiced support for market-based solutions to problems such as shoddy applications or devices that leak sensitive information or make easy targets for hackers. “I think if you give consumers a way to pick products with better security, that will provide a market nudge that will be better than the general categories of security we see talked about in legislative proposals,” Brill said.

In fact, overly broad or poorly written laws that attempt to address the security and privacy issues of 2014 and 2015 could stymie development of new products and innovation later on, said Andrea Matwyshyn, a professor at the Northeastern University School of Law. Lawmakers need to wield a “scalpel” when crafting new laws to address security and privacy risks of IoT products, not an “axe,” she said.

But efforts to address even pressing public safety issues engendered by new “smart” products have proven thorny, notes Joshua Corman, the Chief Technology Officer at the firm Sonatype and the co-founder of the non profit group IAmTheCavalry.

Legislation like the connected vehicle bill introduced by Massachusetts Senator Edward Markey have stalled as lawmakers pursue alternative proscriptions for the automotive industry. At the same time, there is uncertainty about which agency – or agencies – within the federal government should lead the charge on security and privacy issues. The National Highway Traffic Safety Administration (NHTSA) would seem to be the best agency to tackle the problem, but has been mostly silent on the problem of security and privacy risks in connected cars.

For those hoping for private sector regulations to take the place of intrusive government regulations, standards such as the Payment Card Industry Data Security Standard (PCI DSS) are imperfect models, experts agree. “We spend $80 billion annually to protect credit cards, but something approaching 100% of merchants have failed to protect credit cards from being breached,” said Corman. “The PCI standards are strangely proscriptive and strangely brittle.”

For now, the automotive industry looks like something of a proving ground for efforts to reign in the Internet of Things. William Whyte, the Chief Scientist at the firm Security Innovation, notes that the U.S. and other countries have populations of hundreds of millions of vehicles that run software that was never intended to be Internet connected. “The reason there’s not cyber security in cars was that they weren’t networked. (The automakers) defense was to be air-gapped.”

But that assumption can no longer be made. Chris Valasek, of Uber’s Advanced Technologies Group told attendees at the event that new features like Fiat Chrysler’s UConnect cellular hotspots provide an avenue for remote, software based attacks on critical vehicle systems. Valasek and his colleague Charlie Miller demonstrated such attacks at the recent Black Hat Briefings in Las Vegas in August.

Chris Valasek of Uber said that security issues with connected cars can emerge from any point in the auto maker's supply chain, complicating efforts to secure vehicles. (Photo courtesy of Christian Science Monitor.)
Chris Valasek of Uber said that security issues with connected cars can emerge from any point in the auto maker’s supply chain, complicating efforts to secure vehicles. (Photo courtesy of Christian Science Monitor.)

[Read more coverage of Chris Valasek’s hack of Fiat Chrysler connected cars.]

Fiat Chrysler bore the brunt of Valasek’s revelations. However, responsibility for patching those holes or responding to attacks falls across a much broader ecosystem of companies, he said. The firm Harmon – not Fiat Chrysler – made the UConnect software that provided the initial opening that Valasek and Miller used to gain access to the in-car network on a late-model Jeep Cherokee that they used in their experiment. Sprint was the wireless carrier that supported the UConnect feature, while hardware and software running critical functions like braking or acceleration may have come from Fiat Chrysler or any one of hundreds of suppliers.

In the end, Valasek said, Fiat Chrysler owned the problem. The company was forced to recall of 1.4 million vehicles to fix the software hole –with considerable direct and indirect costs. However, the best and most effective fix came from Fiat Chrysler’s partner Sprint, which blocked access to the ports used in Valasek and Miller’s initial attack.

As in other industries, the automotive industry faces both technical and cultural challenges as auto makers strive to develop connected products and a host of new, aligned services to go along with them. “It’s a closed culture,” said Chris Poulin, a research strategist at IBM X-Force. “And its complicated. The time from inception of a new vehicle to production is 5 to 7 years. So in many cases you’re trying to figure stuff out while letting people drive these vehicles.”

Other industries face the same conundrum. Peter Lefkowitz, the Chief Privacy Officer at GE, said that industries like electric distribution are heavily reliant on legacy technologies that were built without the expectation of Internet access and may have poor internal security controls. “If you’re talking about some box that is sitting in Oklahoma and doing giga- to mega conversions, you might have some controller that’s accessible without a password. The question is ‘what do you do about that,’ because you’re not going to take the system down to replace it.”

Tracy Rausch of the firm DocBox, a medical device informatics and analytics, said that software and security flaws in medical devices are the rule not the exception, based on her company’s research. “The news may focus on one or two vendors, but from what we’ve seen all companies have these problems,” said Rausch.

Traditional approaches to security – such as endpoint protection suites, vulnerability scanners and intrusion detection software are ill-suited to clinical environments where life sustaining equipment is far more sensitive to scans and other probes than robust, multi-function enterprise endpoints and where keeping equipment operating at all times is a priority.

Efforts are under way to address the need for better guidance. Anura Fernando a principal engineer for Medical Software and Systems Interoperability at UL (Underwriters Laboratories) told attendees at the Forum that his organization is working in collaboration with AAMI, the Association for the Advancement of Medical Instrumentation, on new standards to address cyber security in medical devices and integrated clinical environments (ICE). Those standards could form the foundation of consensus standards that might subsequently be adopted by the FDA or other regulatory bodies, he said.

Stay tuned for more news and highlights – including conference videos – from The Security of Things Forum!

3 Comments

  1. Paul. Great article and understanding of our current cybersecurity limitations. Our problems are much deeper than IoT but I agree with you that the volume alone is going to soon make our current cyberesecurity weaknesses very evident. We need some serious changes before this happens not after it is gets out of control. See my article covering some of the same concerns ( http://www.govtech.com/dc/articles/Cyber-Attacks-The-Danger-the-Cost-The-Retaliation.html ) and a move to something called Autonomic Computing (see: https://en.wikipedia.org/wiki/Autonomic_computing ). We need drastic changes in cybersecurity or we will be having drastic problems.

  2. Pingback: Senators' Letter Demands Answers from Detroit on Cyber Security | The Security Ledger

  3. Pingback: Life and Limb Exception: Researchers OK Outting Dangerous IoT Holes | The Security Ledger