The (In)Security of the IoT

Several announcements in July have focused attention on security vulnerabilities and risks in the Internet of Things. Siemens announced an update to fix vulnerabilities in its SIMATIC automation system for energy management. Ponemon Institute, jointly with Unisys, announced its report on security vulnerabilities in critical infrastructure. And HP announced its research on vulnerabilities in IoT devices. These announcements all have significant implications for the security of the IoT. But it’s also important to recognize that the vulnerabilities fixed by Siemens and explored in the Ponemon and HP reports are only part of the risks that need to be addressed in order to secure the Smart Grid.

In May, Alan Webber, Principal Analyst at Asymmetric Strategies, wrote a blog for RSA in which he explored “3 Key Risk Areas in the Internet of Things”. He included vulnerabilities in IT-managed devices as the third of these key risk areas. But he also called out, as the first risk, vulnerabilities in devices that are not under IT control and, as the second risk, vulnerabilities in infrastructure systems such as fire suppression, building management and so on.

At the RSA Conference in February 2014, Eric Vyncke, Distinguished Engineer at Cisco, presented an even more comprehensive view of the risk areas in IoT, discussing such issues as the risks implied in multi-party networks, in the discrepancy between crypto lifetimes and device lifetimes (a meter or controller fielded for twenty years will outlast the key sizes, hash algorithms and certificates it shipped with, and often has no way to be re-keyed), and in attackers using tools such as Shodan to find critical systems to target. But there are even more fundamental areas of vulnerability, such as the blind spots created by old models of security and old models of risk, all topics that we’ll be exploring at the RSA Global Summit in September and that my colleagues and I in the SPARKS Smart Grid project are focused on.
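The crypto-lifetime versus device-lifetime mismatch is easy to state and easy to lose track of across a fleet, so here is an added example (not code from the original post, from Cisco or from the SPARKS project) of the kind of inventory check a Smart Grid operator can run before deployment: for each device it compares the year its crypto is expected to stop being acceptable against the year the device is expected to leave service, and flags devices that cannot be re-keyed in the field. The sunset years are taken from the NIST SP 800-57 Part 1 transition schedule (80-bit security such as RSA-1024 and SHA-1 signatures disallowed after 2013, 112-bit security such as RSA-2048 acceptable through 2030) and should be adjusted to your own policy; the device inventory is constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed sunset years (last year of acceptable use), following the
# NIST SP 800-57 Part 1 transition table. None means no scheduled sunset.
# Adjust to your own crypto policy; these are illustrative assumptions.
KEY_SUNSET: Dict[Tuple[str, int], Optional[int]] = {
    ("RSA", 1024): 2013,   # 80-bit security, disallowed after 2013
    ("RSA", 2048): 2030,   # 112-bit security, acceptable through 2030
    ("RSA", 3072): None,   # 128-bit security, no scheduled sunset
    ("EC", 256): None,     # P-256, 128-bit security
    ("EC", 384): None,     # P-384, 192-bit security
}
HASH_SUNSET: Dict[str, Optional[int]] = {
    "SHA1": 2013,          # disallowed for digital signatures after 2013
    "SHA256": None,
    "SHA384": None,
}


@dataclass
class Device:
    """One fielded device and the crypto it shipped with (constructed data)."""
    name: str
    deployed: date
    service_life_years: int      # how long the operator plans to keep it in service
    key_alg: str
    key_bits: int
    hash_alg: str                # signature hash used by its certificate chain
    cert_expiry: date            # expiry of the device's own certificate
    field_updatable_crypto: bool  # can keys/certs/algorithms be replaced in the field?


def end_of_life_year(dev: Device) -> int:
    """Year the device is expected to leave service."""
    return dev.deployed.year + dev.service_life_years


def assess(dev: Device) -> List[str]:
    """Return human-readable findings; an empty list means no lifetime mismatch."""
    findings: List[str] = []
    eol = end_of_life_year(dev)

    key = (dev.key_alg, dev.key_bits)
    if key not in KEY_SUNSET:
        findings.append(f"unknown key strength {dev.key_alg}-{dev.key_bits}; cannot assess")
    else:
        sunset = KEY_SUNSET[key]
        if sunset is not None and sunset < eol:
            findings.append(
                f"key {dev.key_alg}-{dev.key_bits} acceptable only through {sunset}, "
                f"but device stays in service until {eol}")

    if dev.hash_alg not in HASH_SUNSET:
        findings.append(f"unknown hash algorithm {dev.hash_alg}; cannot assess")
    else:
        sunset = HASH_SUNSET[dev.hash_alg]
        if sunset is not None and sunset < eol:
            findings.append(
                f"hash {dev.hash_alg} acceptable only through {sunset}, "
                f"but device stays in service until {eol}")

    if dev.cert_expiry.year < eol:
        findings.append(
            f"certificate expires {dev.cert_expiry.isoformat()}, "
            f"before device end of life in {eol}")

    # The mismatch is only an operational problem if it cannot be fixed in place.
    if findings and not dev.field_updatable_crypto:
        findings.append("no field update path for crypto; findings cannot be remediated in place")
    return findings


def assess_fleet(fleet: List[Device]) -> Dict[str, List[str]]:
    """Run assess() over an inventory and key the findings by device name."""
    return {dev.name: assess(dev) for dev in fleet}


# Constructed sample inventory (not real devices).
SAMPLE_FLEET: List[Device] = [
    Device("smart-meter-A", date(2014, 3, 1), 20, "RSA", 2048, "SHA256", date(2024, 3, 1), False),
    Device("gateway-B", date(2014, 3, 1), 5, "RSA", 2048, "SHA256", date(2019, 3, 1), True),
    Device("legacy-PLC", date(2008, 6, 1), 15, "RSA", 1024, "SHA1", date(2028, 6, 1), False),
]

if __name__ == "__main__":
    for name, findings in assess_fleet(SAMPLE_FLEET).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The point of the last check is the one Vyncke's framing draws out: a 2048-bit key on a five-year gateway that can be re-keyed is fine, while the same key on a twenty-year meter with no update path is a design problem, not a patching problem. Run the script and the meter and the legacy PLC are flagged; the gateway is not.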
As Alan Webber wrote in the blog mentioned above: “companies have a chance to build a foundation for the security issues related to the IoT, starting with assessing their risks in non-traditional IT areas.” I hope you’ll join me and my colleagues in RSA and SPARKS in building this foundation.