In the World of IoT Security, Lock Every Door
On March 10 2021, Congress voted to spend $1 billion on improving government IT systems. While the $1 billion that was approved was markedly short of the $9 billion that was originally being pursued, this represents a step function increase for the Technology Modernization Fund (TMF), which had previously raised $150 million in total appropriations in the three years of its existence.
Almost instantly, the Department of Labor received $9.6 million to (in part) update its enterprise data platform.
It seems that almost every month there is a report of a network being compromised, resulting in consumers’ personal information being exposed or the functionality of a system being modified. In fact, recent research revealed that nearly four in 10 (36%) working Americans have been, or know someone who has been, impacted by a cybersecurity attack since the start of the COVID-19 pandemic. There are many enterprises and organizations which have extremely valuable operations, and therefore look exciting for hackers that want notoriety or dollars. This is one of the reasons why the TMF funds are so welcome.
Critical infrastructure is one of those vectors being targeted. February’s hack of a water treatment plant in Florida – where a hacker was able to adjust the level of sodium hydroxide being added to the water supply – was discovered by a worker who noticed his mouse had moved without his input. While some people argued that the company’s security policies had worked, to me, this feels like a dodged bullet.
One of my primary mantras over the last decade has been, ‘Just because devices can connect, it doesn’t mean they should.’ The benefits of having a device connected must be seriously weighed against any potential risks incurred if and when the network gets breached. In the case of the water treatment plant, enabling some staff to do some remote management sounds cool, in theory, but is that truly better than removing that connectivity and employing additional workers to read and control machinery? I am not a luddite – I have worked in the technology industry for (gulp!) over thirty years; I am not suggesting we revert back to a world without technology. In my opinion, there will be times where the value of the assets and the IT capabilities of the organization are such that the cons of connectivity outweigh the pros.
In another wide-ranging hack, about 150 thousand cameras, in locations including Tesla factories and hospitals, were taken over, potentially giving hackers access to sensitive data. Let’s take hospitals as an example. Hospitals’ expertise lies in keeping humans alive. They are not necessarily set up to deal with the very dynamic world of sophisticated hackers and cybersecurity. In spite of the concerns about data ownership, network availability and cost, I personally feel that the right people to trust when it comes to protecting data are the cloud infrastructure companies. It is in their core DNA to continue to raise the bar in terms of system immunity to attack, and, in some cases, simply remove all connectivity from the system.
I believe that the cybersecurity situation will get worse before it gets better. In part, this is because of the shift to a hybrid home-and-office work environment. Since they began working remotely during the pandemic, many workers believe their company has not sufficiently strengthened security policies and measures. For example, 60% say their company has not prohibited the use of certain apps and tools that do not meet high security standards, while 58% say their company has not implemented antivirus software. Companies are going to need technologies that can (immutably) extend corporate IT policies all the way to the home and (soon, we hope) local coffee shops.
If there’s a network connection, a company has to plan for a potential time when someone accesses it to cause harm, steal data or extort the company. My advice would be to prioritize safety and security over time-to-deployment. It’s better to hire some additional workers to read and control machinery than run a connected system that’s prone to attack.
Systems, too, have to realize immediately when they have been compromised. In the case of the water treatment plant, the worker noticed that a system’s mouse had been taken over. This is important, because it does take time for a hacker to find valuable assets if access to an enterprise’s network is achieved. This is one area where artificial intelligence can play a vital role; recognizing out-of-the-norm behavior for that system, and alerting a user to then decide the correct course of action. The autonomous system performing the equivalent of that assessment alerts the user – in this case, the worker who noticed his cursor had been taken over. From there, options would include the decision to disconnect the system from the network, to block a specific IP address and/or disable certain system functions.
“Lock all the doors, not just the front one,” Microsoft said during an Azure Sphere initiative a few years ago – an analogy that has stuck with me. When we leave our homes, we lock the front door. In the world of IoT, we need to lock every door — inside the house as well as those that connect outside. From a network perspective, if there’s a breach, the entrant only gains access to a subset of the valuable assets. Software and hardware have to partition systems to isolate functions. There needs to be strong controls in place so that, if an operating system is taken over, the core functions of the system can continue safely and reliably. Effectively, the security and system access processes need to be decoupled from the operating systems.
