Two observations were made during the sessions that serve as a useful introduction to the questions raised by the Internet-of-things. On the first day of the conference, Joe Weiss (Applied Control Solutions) pointed out that people bring varying perspectives to discussions of the IoT. His world, the world of control systems, is worried about safety and reliability, not security for the sake of security, and this is a perspective that's often missing from these discussions. "Very few engineering disciplines require attention to security; very few IT disciplines that require attention to safety and reliability." And it did indeed seem to be that case that for most of the speakers, the Internet-of-things was an Internet of consumer things, not one of industrial sensors and process controllers.
The other observation worth noting at the outset came during the second day's panel on the future of cryptography, Phil Quade (CISO, Fortinet) said that, "The IoT is the new endpoint. We need to move security farther upstream."
The current state of IoT security.
Vint Cerf (VP and Chief Internet Evangelist, Google) began this discussion with a Thinks Forward talk on the current state of affairs with respect to IoT security, and where the opportunities and challenges are headed. The designers of the IoT have a very thin, over-simplified model of what they're designing for, he said. He advocates thinking instead in terms of an ecosystem. He would, with his colleagues, emphasize safety, reliability, privacy and episodic access.
He does worry about autonomy. He expects that the code that runs autonomous systems will inevitably be buggy. "We worry about animating these devices with bad practices. But can all the IoT devices even have the ability to be updated and fixed?"
Cerf sees a very big role for strong authentication in the design of IoT devices. He also thinks that devices must also be able to distinguish who has the right authorities to do things in the house. And he was clearly thinking of the domestic IoT here: "You want to introduce a guest to your house, but then be able to revoke access."
Cyber literacy is important. People need to understand both risks and utility of IoT devices. Some of them are risky, and many of them are at least fragile. Machine learning is not a cure-all: "Be careful about relying on machine learning as a tool that will always do the right thing."
The Internet-of-bad-things: thoughts on the IoT botnet world.
Doug Maughan (Cyber Division Director, Science and Technology Directorate, US Department of Homeland Security) moderated a panel on IoT botnets. The panelists included Sherry Ryan (CISO, Juniper Networks), John Zangardi (CIO, US Department of Health and Human Services), Steven Rogers (CEO, Centripetal), and Justin Fier (Director of Threat Intelligence, Darktrace).
"IoT growth is effectively unstoppable," Rogers said. The devices are themselves amazingly complex. "We've had indifferent success protecting endpoints like desktops; how well will we succeed with the IoT?" He advised that our expectations in this area remain modest. Zangardi said, "We're either at or beyond an IoT inflection point. There will be a lot of devices in homes that won't be built by reputable companies that take pains with security. How can we handle securing the home?" Fier agreed this was a problem, and noted that the size of the corporation building the product may not mean that much. "We can't wait for a perfect solution. You've got to know your assets, figure out what you've got, and what the state of that is, and then apply some hygiene to these."
Nor are we in a position to define the attack surface, really. As Zangard said, "We don't determine what's in scope. The adversary does that." And, as Fier observed, national regulation won't make much difference in a global economy. In the current state of the world, he doesn't see much prospect for the international collaboration that effective regulation would require. He asked if we might not follow a minimalist, FCC-like check of IoT devices. There is, of course, no security check when the FCC looks at devices with antennas, but might we evolve one?
Rogers thought even this premature. "We need to know what the solution would be before we can require compliance with such a solution. We don't know what a security solution for the IoT would look like." Fier agreed, but thought that any solution would surely involve visibility. "It all comes down to visibility. We don't yet know what's on our networks. The majority of the network blindspots are in the IoT."
Rogers thought there would have to be a layer of enforcement riding on top of the devices. The devices are supposed to save work, not generate more work in the form of management, patching, etc.
Ryan considered consumer devices to be a very different space, and she has to think hard about how to protect her enterprise from that consumer stuff. Consider, for example, the Fitbit visibility story, in which military locations were compromised by troops using Fitbits. Fier said the Fitbit case was ironic because the device was doing exactly what it was supposed to do, and exactly what it said it would do. It wasn't malfunctioning when it uploaded data, nor had it been compromised.
Maughan closed by asking the panelists if they thought matters would improve, or it they saw the IoT situation growing worse? Fier said (to Zangari's agreement) that we've just scratched the surface of IoT problems. Ryan said, "We're on the wrong side of this curve. We have to build it into our business resumption plans." Suppose, for example, that one of these IoT-botnet-driven attacks blocks all Internet traffic around the markets? "Because if attackers can, they will."