Today was an interesting day for folks who follow Internet of Things research. Specifically, ISACA has a new survey out that includes (among other things) some data about the perceived risks and potential upsides of the Internet of Things and how they're being felt (or not) by folks in the field. (Full disclosure: I work there.)
Anyway, there were a few things we kind of expected (security is the top concern, cited by 38% of respondents), some things that are somewhat surprising (efficiency and customer service are tied as the primary driver, at 53% of respondents each) and a few things that I found very surprising (45% of respondents indicate that IoT has already impacted their enterprise). All in all, I think this is a very useful collection of data points.
I also came across last week's document from Gunnar Peterson and Mark O'Neill via the 1 Raindrop Blog ("Top Ten Security Considerations for the Internet of Things") and found this to be another really useful resource. It's a good document generally, and I found it especially helpful in the way it frames the IoT discussion in a context we already know, i.e. through analogy to concepts that most practitioners are already familiar with.
But as I was reading through these two resources, I have to confess I started to get a little concerned. Meaning, there are some factors that make me wonder how prepared we are as an industry for IoT. Two factors in particular make me nervous:
- IP-connected devices haven’t fared well from a security point of view historically; and
- the most relevant sub-discipline governing IoT within security is AppSec, historically the most under-invested area of security.
Let me break down what I mean. First, IP-connected devices and IoT. Solomon said there's "nothing new under the sun" and he was right: IoT in its current form isn't new (though perhaps the buzz is), the same way that cloud wasn't "new" in 2006 (remember ASPs?). So what is a "thing" in the context of IoT? I'd posit that a "thing" in this context is a purpose-built, IP-connected computing device for which the computing element is "sublimated" into a larger usage-centric context; that is, the computer is there, but the user experiences a toaster, a pump or a sensor rather than a computer. I'm sure there are better definitions out there, but I couldn't find a very precise one for these purposes, so I'm going with this one until someone tells me otherwise.
If that’s an accurate definition, we have this already — in a few forms. I’d cite as examples:
- Biomed – insulin pumps, pacemakers, defibrillators, etc.
- Clinical modalities – MRI machines, gamma knives, ultrasound, PET, etc.
- SCADA – robotic manufacturing, electrical telemetry sensors, etc.
- Navigation systems – auto, air, and rail GPS and navigation systems
As everybody knows, in each of their respective vertical markets these systems are the most problematic from a security standpoint and have been for years (primarily for exactly the reasons that Gunnar suggests). I'd cite examples, but really, do you need them?
Second, what is the security sub-discipline by which one would hypothetically best secure these devices? Sure, obviously there's some network engineering required to enable reliable and secure connectivity, there's some malware prevention to ensure that the underlying OS doesn't get used to mine bitcoin or whatever, etc., etc. But mostly it's about AppSec. Why AppSec? Two reasons: first, because the exercise of creating a robust codebase for a "thing" is the same as creating a robust codebase for anything else; and second, because all of the interconnections between these devices use application-layer protocols to communicate, the same protocols (HTTP, TLS, JSON, MQTT and friends) that applications written for any other use case rely on. Put another way, look at it from a software architecture standpoint: when your IP-connected toaster sends and receives telemetry or authenticates you vs. your stepmother (because she likes it extra crispy and you don't), it's doing the same thing Pandora or Twitter does when they authenticate a user or accept a data feed; the only difference is the purpose for which it's employed. Actually heating the toast? That's business logic. And the same thing follows for the bugs: an authorization check that trusts a client-supplied user id, or telemetry accepted without an integrity check, is the same defect whether the server behind it serves a web app or a kitchen appliance.
Anyway, the point is that historically we haven't done well with AppSec as an industry (you probably don't need me to tell you this). For example, OWASP's Security Spending Benchmarks Project Report (yes, it's three years old, and no, I couldn't find a more recent measurement of AppSec investment specifically) suggests that application security is less than 10% of the security budget for roughly 36% of firms, while other studies suggest that the same application issues that have been around forever continue to abound. Not good news. This suggests to me that application security has been deprioritized, at least from a spending standpoint, in most shops. So riddle me this: are organizations that have deprioritized this discipline for decades likely to all of a sudden become good at it now that toasters need AppSec too? I'm not too sure that's likely.
Anyway, apologies for the long rant on this today — just thought it was an interesting topic.
<Note: the views presented are my own and do not necessarily reflect those of my employer.>