Are You Ready to Be Part of the Internet of Things?
September 2015
Topics: Cybersecurity, Internetworking, Information Security Risk Management, Computer Security, Human Computer Interaction
Editor's note: This October is National Cyber Security Awareness Month. MITRE joins our partners in the Department of Homeland Security in recognizing the importance of protecting our nation’s networks. Learn more about MITRE’s advances in cybersecurity.
Andy Greenberg was driving 70 mph on I-64 when his transmission cut out. His 2014 Jeep Cherokee slowed to a crawl as an 18-wheeler approached from behind—fast. He avoided a collision by rolling down an exit ramp. Later, he lost his brakes and slid uncontrollably into a ditch.
Greenberg, a writer, was participating in an experiment for WIRED Magazine that went out of control. Two hackers showed him they could use the Internet to hack and control a late-model Chrysler product from miles away. (Greenberg is fine, by the way.)
Sounds a little scary, doesn't it? But it doesn't have to be.
Autos are just one element of the "Internet of Things," or IoT, where cybersecurity has become a critical concern. How will the IoT affect you? Chris Folk, director of MITRE's National Protection Division within the Homeland Security Systems Engineering and Development Institute FFRDC, answers some questions about it.
MITRE: What is the Internet of Things?
Chris Folk: Depending on where we sit in the cyber ecosystem, people differ on what the IoT is and what it looks like. First, it's already here—and it's evolving. To me, the concept of IoT is about how computers interact with us, and how we interact with them. The IoT is the convergence of billions of smart, connected devices—things—around the world. They'll do things for us, and we'll do things with them that we've never envisioned. In short, it's about how cyber interacts with physical and human elements. It's physical, smart, and connected.
The IoT includes cars, appliances, phones, wearable devices, and equipment in our homes and businesses. These devices take convergence to a new level that blurs the lines between physical, cyber, and human.
Why should we care?
CF: The IoT affects everybody. Without careful consideration, we risk sacrificing security for convenience without understanding the tradeoff. For example, the Nest thermostat in your home just controls your home's temperature—today. The intent for such devices in the future is to autonomously interact with other things. You'll want to know more about what network communications you're allowing in your car, home, or office. You need to be informed about the technology so you can take appropriate action if needed.
What impact could the IoT have on privacy?
CF: The IoT's level of connectivity is unprecedented. Right now, much of its interaction is invisible to you, and its potential vulnerabilities are immense. Once we introduce the IoT into our families and lives, we allow machine-to-machine interactions on our behalf. That means the IoT world will have knowledge of your private actions. That could include your presence at home, use of medicine, and the entertainment you consume.
What impact could the IoT have on security?
CF: Like privacy, security becomes a big issue. Say you have an Amazon Echo, a pepper-grinder-sized cylinder that's a voice-activated, cloud-connected wireless speaker. It's also a device controller that's the beginning of an IoT ecosystem in your home. Amazon then becomes a central control for all Internet-connected devices—lights, switches, thermostats, and appliances.
You expect your appliances to last 10-15 years. What happens with security over time? Does Amazon guarantee that it will send security updates to it? What if they decide not to send security updates to it? Who controls the security functionality of your system? Because now that system is connected to your smoke alarms. It locks and unlocks your front door. It turns your lights on and off.
Right now, vendors aren't thinking about security or the relationships between privacy, security, safety, and convenience issues because consumers aren’t demanding them. Until vendors put security into IoT devices, your security could be compromised. These devices are going to be everywhere, and they have real security implications. In business and in government the intersection of operations and security is a fundamental challenge. Currently, security and operations are separate, but the two functions are blurring together due to the convergence of millions of connected personal devices.
Should we be afraid of the IoT?
CF: I don’t think we need to be afraid of any technology. We need to ask questions and hold vendors accountable for designing in security, privacy, and safety solutions to the devices they’re providing.
We also need to, individually, become better-informed consumers and users. Do you really understand what’s in your newest smart device? Do you know how it works, what it connects to, who is responsible for the security controls, and what agreements are in place so you can take full advantage of it?
Can we do anything to protect ourselves when using IoT devices?
CF: I think it's about cautiously engaging with this technology. With anything you purchase, you should approach it with questions like: What are other consumers saying about it? What do I want it to do for me? Am I overbuying something? If you’re an average consumer buying a new thermostat, ask yourself: Why would I spend $200 on a Nest system when I have no intention of connecting to the Internet? So buy an unconnected system.
If the smart devices you’re considering will be connected to other smart devices, understand and take responsibility for their security. Demand that vendors provide security for you. Encourage market pressure to work for you.
What else should we know?
CF: As you demand and use more online capabilities, know that they’ll put more of your identity online, and you’ll become more dependent on these systems to safely and securely manage day-to-day transactions.
For example, we're migrating our online activities to banking, shopping, and medical transactions. These provide us convenience but also permit exchange of sensitive information. Too often there's an assumption that our information is safe. There's a need for better education so we can take personal responsibility for our own safety and security. Currently there's a gap because we don’t understand what the cyber threats are, how information can be compromised, or what to do. We can, and must, change that.
What is MITRE's role with IoT?
CF: MITRE has decades of experience helping government agencies—and by extension, the public—develop strategies to protect our nation's networks and computer systems. Several sponsors have asked us to look at the security implications of legacy systems. A big challenge is combining the legacy systems of information technology, IT, and operational technology, OT. Operational technology includes things such as controls that open and close drawbridges and valves that open and close dams.
As IT and OT converge, we get a new set of challenges. When the line blurs between an IT system that controls data and an OT system that controls functionality, you have to assess what that means for security. We have to think about security completely differently. MITRE can help set the vision for security, help organizations come to grips with it, and help deliver technical solutions.
What can MITRE contribute?
CF: Our nation has large amounts of infrastructure and IT systems to secure. We have to prevent foreign advanced persistent threats from targeting critical infrastructure and using the security vulnerabilities in these systems, especially legacy systems. Take vehicle-to-vehicle safety systems. As new technology comes online, MITRE will help the National Highway Transportation Safety Administration evaluate them. We're already helping the Virginia State Police investigate ways to protect cars from hacker attacks.
We're also part of the Advanced Cyber Security Center, or ACSC. The ACSC is a regional non-profit consortium that brings together 27 New England-area industry, university, and government organizations to address the most advanced cyber threats.
Many of our sponsors are looking at security within the interconnected networks that provide data for analysis and decision-making—from healthcare delivery to military operations to smart cities or homes. For example, we're investigating ways to identify when a rogue intruder joins an Internet system. Other MITRE research is tackling security for smart electrical vehicles, federal government enterprise architecture, and operating environments for medical devices.
I see a huge role for MITRE and our sponsors on behalf of the national and economic security of the United States. We also have a role in communicating the risks and rewards of this new frontier in cyberspace.
—by David Van Cleave