Further implications of securing the Internet of Things
In this short note, I want to raise some additional challenges the Internet of Things brings about such as the increasing the connections between security and safety, challenges with updates and maintenance of products, and nuances to the meaning of ownership of consumer products.
The Internet of Things is increasingly merging with safety and security issues. For instance, consider smart meter devices, which we are beginning to see in our homes with smart electricity infrastructures. We do not want such smart devices to leak personal data, or for malicious attackers to steal electricity, or enable a foreign power to threaten to turn them off causing blackouts or even cause fires to our homes. Similarly, medical devices, such as connectivity enabled medical implants, can be subject to attacks enabling an attacker to change dosage settings or even using medical devices as a gateway to attack hospital networks.
Achieving security and safety require cyber security mechanisms such as access control, cryptographic techniques and assurance mechanisms as well as standards for interoperability and testing equipment before installation. Furthermore, we also need to monitor devices and systems for vulnerabilities and enforce software updates to deal with both security as well as safety issues as and when they arise.
Software updates and updates for cyber security will need to move from monthly updates to software systems to updates for every day consumer products such as fridges and smart TVs to durable goods such as cars. This in turn raises further questions such as will approval for medical devices and cars depend in the future on being able to obtain regular software updates? A regular update cycle will be needed to minimise the amount of time the purchaser is exposed to attacks. Online software updates can also cut the costs of doing product recalls to fix safety problems. Rather than writing to millions of customers inviting them to bring their car in for repair, a repair can be downloaded over the air and installed next time the engine is turned on. However this implies that manufacturers of every day consumer products will need to support a patch cycle and the regulators need to remain steadfast in requiring dangerous problems to be fixed.
Regulatory process will need to include some form of independent penetration testing of products that contain software as part of the approval process. This would not be a bad thing and has been advocated for medical devices. However it is not simple. In a world of complex systems, inevitably there will be issues around the interaction between subsystems. It will not be enough for the vendors of individual products such as a car’s emergency braking or stability control to maintain and patch their components independently. It will not be sufficient to certify components, we will have to certify and monitor whole systems (we already certify a whole car, not just its brakes and steering). Certifying composite systems as secure poses some formidable challenges.
Consumers will need to be educated with the nuances in the notion of ownership of a consumer product in the new setting. Normally when we buy a consumer product, we assume that as owners we have the ability to modify the product the way we like. With software enabled devices, there will be restrictions as to what an owner can do and cannot do. Smart devices, with their software controlled by the manufacturer determining what the device does, the owner will not be able to control the product in the way he or she has done traditionally, even though they own the consumer product.
Hence with software enabled things and consumer devices in various business segments such as healthcare, utility, transport and energy, there is an increasing intersection of security and safety requirements and mechanisms. This means that security professionals are going to have to learn about safety and vice versa. This affects not only engineers, developers and testers but also regulators who set the standards. This will also lead to new research problems such as how to write software code for which security patches must be made available for the next 20 years for certain devices (e.g. a smart car sold today will need security patches for the next 20 years, who will provide them?) or even redefining certain trust issues in society (e.g. who and what are we trusting when the person buying a house from another person changes the smart electronic lock of the front door), as well as creating next generation regulatory institutions.
This will pose fascinating new problems in both engineering and economics.
RELATED MATERIAL
The Internet of Things and Security
Vijay Varadharajan is Global Innovation Chair Professor in Cyber Security at the University of Newcastle since March 2017. He is also the Director of Advanced Cyber Security Engineering Research Centre (ACSRC) at Newcastle. Previously he was Microsoft Chair Professor in Innovation in Computing at Macquarie University (2001 till March 2017). Before this he was Dean/Head of School of Computing and IT at University of Western Sydney (1996-2000).
Alan Douglas
July 21, 2017 at 10:05 am
I agree with what Vijay has to say – security is becoming a major issue. I have found in my work with a number of small businesses that many people are unaware and often uninterested in security matters. I have spoken to people who have signed blank contracts, have given their credit card details to complete strangers and have accepted as fact articles they see in print. These are not only people who have left school early but those in business. Many people seem to think that everyone is as honest as they are. Our software can be tightened up to the nth degree but this will not overcome what is, in effect, stupidity and laziness. Security is up to us – it is we who have to make the decision as to whether to open that email or go to that site. I know a lot of men (and a few women) at Melbourne PC User Group who regularly download pirate material even though most are aware that by contacting these sites they are opening their systems to exploitation.
I feel that we should spend more time and effort teaching school children about the problems of identity theft at the very least. We are all aware that the large sales organisations can fairly accurately assess our characteristics and personalities from a relatively small amount of data we give them (age, area, likes, dislikes, sex and marital status).
Human nature being what it is, I believe that computer security is an unachievable goal. At best we can only get close.