Risky business? Who’s to know…?
Security’s an increasingly sensitive topic in our community. While it’s always been important, it’s only recently that we’ve been waking up to the size of the responsibility that’s being placed on our collective heads, writes M2M Now’s Alun Lewis.
Hackers in the past have tended to attack consumers or the financial systems of corporations. Not manufacturing lines – or the essential infrastructure that keeps our societies ticking over in reasonably efficient ways – and which could be called our ‘civilisation-critical’ systems.
While this scaling up obviously presents huge technical challenges, it also creates major problems when it comes to one of the most difficult aspects of security – evaluating risks and then responding appropriately. Despite what we may believe and hope, we’re a deeply irrational species – and even more so when large numbers of us interact together. As far as perceptions of risk are concerned, a wealth of evidence – both historical and experimental – shows that we’re also deeply flawed when it comes to accurately evaluating our exposure to threats.
While author and polymath Nicholas Taleb elegantly addressed many of these issues in his seminal 2007 bestseller ‘The Black Swan’, they’re also neatly summed up by ex-US Defence Secretary Donald Rumsfeld’s 2002 comments on the WMD threat: “There are known knowns; there are known unknowns; but there are also unknown unknowns – the ones where we don’t know that we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.” Although expressed with typical political understatement, that does tend to sum up the current situation facing our sector – and it’s the ‘unknown unknowns’ that are going to present the most serious challenges.
Peter Warren of MWR Infosecurity comments on this: “Educate your stakeholders and yourselves. The concept of risk is widely used, but the behavioural and statistical science involved is not generally well-understood. Risk behaviour and estimation bias are common problems and have been extensively researched by psychologists. That said, research has shown that these errors can be reduced through training and good statistical methods.”
That problem of getting a clear perception of risk in an implicitly uncertain world is often accentuated by the different drivers and cycles that are found in human organisations. Daniel Shepherd, director of International Strategy at security company S21sec, observes, “Look at any business survey these days and you’ll see security usually comes high up the corporate agenda – but after growth and profit. With business innovation cycles getting tighter and tighter, how do IT security staff explain to their board that while a new ERP system might take a few months to install, securing it properly might take much, much longer? There’s also the issue that much security in the past has involved adding ‘boxes’, but when it comes to the much more diffuse and amorphous world of the cloud and Big Data, the challenges are very different.”
Jason Hart, who began his working life as an ethical ‘White Hat’ hacker and is now vice president, cloud solutions for identity and data protection at Gemalto, echoes this thinking: “IoT is going to be the next ‘Black Swan’ environment. Around about ten years ago, the industry was kind of getting there in terms of understanding the risks it faced and developing appropriate solutions. The environment that we’re in now with the cloud is effectively turning the planet into one giant PC motherboard and that requires new thinking.”
He continues, “Ask any C-level exec what they want to protect and the answer will be ‘My business’. The problem is that ‘their business’ isn’t so much physical infrastructure or even IT systems anymore – it’s actually the data that their business runs on and some of that might be outside their direct control. Consider a remake of the film ‘Trading Places’, where the plot revolved around speculators getting advanced access to production forecasts for Florida orange juice. Imagine what could happen now when masses of agricultural data is being gathered from multiple sources and from sensors in the ground and farm machinery – and it was that which was being hacked into and changed?”
Indeed, it’s the role – and vulnerability – of the ‘things’ themselves that is also causing significant concern, with some suppliers pushing the fact that their devices don’t have IP addresses. Richard Foggie from the UK’s Knowledge Transfer Network observes: “Multiple additional points of vulnerability increase the chances for security breaches exponentially. The UK’s smart meter roll-out, for example, will introduce up to 26 million potential nodes to attack a critical national infrastructure.” Getting people who are used to dealing with physical assets in the real world to think differently is an uphill struggle.
On the topic of risk itself, Tim McGarr, manager at the British Standards Institute’s (BSI) Governance and Resilience department, an organisation doing a lot to establish best practice in the Smart City area, comments, “Processes for managing risk have been defined for a long time. Different labels are used but broadly speaking they follow the same process as is used in International Standards whereby the context is established, and then risks are identified, analysed, evaluated and finally treated as necessary. However, the emerging IoT problems don’t come from issues with the process, they arise from people not assessing risk properly or not even doing any risk management.”
He adds, “The massive projections for the IoT market and the rapidly decreasing cost of connectivity and sensors mean that developing ‘IoT enabled’ products is seen as a ‘no brainer’ with virtually no additional cost and large projected returns. As such, private and public bodies are rushing headlong into the ‘IoT market’ while putting little or no thought into the consequences of this. Subsequently, there is a steady stream of news about the result of this failure including insecure fridges, baby monitors, CCTV cameras, TVs, etc., affecting organisations of all sizes and sectors including start-ups and the largest global organisations with long established governance frameworks.”
Again on the issue of human perceptions of risk, there’s also the all-important factor of where the actual buck – in more ways than one – might stop. As far as the pockets, reputations and even personal freedom of the executives involved in an M2M/IoT security failure are concerned, we have the role of the legal system to also consider.
Justin Tivey, legal director at international law firm Bond Dickinson LLP, comments, “In the UK and on a Europe-wide basis, legislation in this area is relatively old – the UK’s Data Protection statute dates from 1998 and was itself an implementation of an EU Directive of 1995. Who is still using a computer that dates from then?”
Tivey continues: “Joking aside, this legislation still broadly works and the last two years have seen claims against businesses arising out of data loss, data errors, internet marketing and the right to be forgotten. However, the complexities of the IoT, big data and M2M technology do mean that situations will arise which the Courts might find that current legislation struggles to cover. Legislation will be updated at some point, whether via the impending new EU Data Protection regime or even legislation originating in the UK if the next Government perceives that there’s need for the UK to be competitive in these technologies. Class action type lawsuits are possible even now in the UK. Claims across jurisdictions, even within the EU, are not feasible yet. We live in a connected world – but not that connected – legally at least.”
Jon Howes at Beecham Research concludes, “It’s a key prediction of many industry analysts that there will be massive class-action lawsuits against IoT organisations that do not protect their users against loss of data or malicious attacks against integrated systems. Whether it is a connected thermostat that locks out a heating system, or remotely accessed door locks that can be forced open, the reality is there are probably exploits in the field already.”
With the FCC’s recent $25 million fine of AT&T in the US for numerous data breaches, both inside and outside the USA, those threats and their financial implications are getting closer every day.