The IoT grabs a foothold at RSA
Although I was aware of the annual RSA security conference, 2018 was the first year I was able to attend. As expected, several primary hot topic issues seemed to garner the most attention. Everything from compliance with the upcoming European Union General Data Protection Regulation (GDPR) to the future of Blockchain technologies to the incorporation of artificial intelligence (AI) were at the forefront of everyone’s minds. Although seemingly overshadowed by discussions and focus surrounding AI and machine learning, cybersecurity for the Internet of Things (IoT) had established a substantive presence at the conference. Proof of the visibility and resilience of this topic was the fact that a year-old story of a casino fish thermometer being compromised to access a high-roller database was frequently shared.
Cybersecurity gaps are a growing threat
While it’s no surprise that IoT devices have been taking hold in a wide range of markets for some time now, the security technologies applied to many of these components have unfortunately been an afterthought. Several speakers at the conference spoke of the dangers behind the traditional view of IoT security, with many manufacturers seeking to “connect first and secure later.” One of the primary motives behind these decisions is budgetary in nature. Security is not cheap or simple to implement and, at times, can appear mutually exclusive with convenience. Although baking security into the development of equipment is far simpler than bolting it on afterwards, many of the devices that comprise the IoT domain are legacy systems that have been in place for years. Applying security after the fact is not only more challenging but also more costly.
IoT Village highlights device vulnerabilities
In an effort to showcase the looming threats posed by insecure IoT devices, RSA regularly hosts various sandbox events. The security consulting and research firm Independent Security Evaluators (ISE) organizes one such event, called the IoT Village. In addition to drawing a large crowd, the IoT Village provided substantive exposure to a wide range of vulnerabilities present in many connected devices including webcams, routers, and even medical devices. Attendees were given a front row seat as security engineers walked them through a scenario of compromising the outdated firmware on a router with a customized scripted program, written to take advantage of the vulnerabilities of the router itself that were posted to the Common Vulnerabilities and Exposures (CVE) website. Through this exercise, ISE displayed the importance of ensuring devices are updated to help patch exploitable vulnerabilities as they are discovered. The IoT Village showcased a great deal of research and analysis on the impacts that such vulnerabilities can have on the consumer and enterprise markets alike and would be a worthwhile stop for future conference attendees.
Hackers are targeting industrial control systems
When it comes to IoT security, another primary target for criminals is Industrial Control Systems (ICS). RSAC 2018 provided insight into ICS security by hosting a standalone ICS Sandbox event. ICS equipment is responsible for managing and maintaining the various components of our critical infrastructure. As a result, these devices form the underlying backbone for our modern world. This fact makes these devices some of the most frequently targeted, and they pose some of the greatest risks if compromised. These devices include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLCs), and many others.
The ICS Sandbox provided a more substantive look at the threats these devices face, as well as the implications of successful cyberattacks in the absence of an effective defensive strategy. Speakers at the conference provided comprehensive overviews of the strategies implemented to help protect critical infrastructure. For example, Devin Elmore, the Vice President and Program Director for National Cyber Programs at Parsons, discussed the importance of conducting a thorough audit of an ICS system, as well as the change control processes currently in place. In order to have an effective and comprehensive strategy to counter threats to an ICS, organizations need to think like those that would seek to do them harm and develop contingency plans to address the unthinkable.
The potential impacts of successful ICS exploits can be devastating on multiple fronts. Ed Cabrera, the Chief Cybersecurity Officer at Trend Micro, provided statistics from Information Technology Intelligence Consulting that calculated the expense of server downtime in 2017 to be roughly $8.5 million per hour. This complication is exacerbated by the fact that many of the security controls necessary to protect legacy ICS from would-be hackers could demand substantive system downtime to complete, thus adding even greater cost to the security effort. However, Cabrera suggested that through implementation of mature practices and policies, development of a sound strategic security foundation, design of a risk-reducing architecture, and use of the National Institute of Standards and Technology (NIST) cybersecurity framework, the risks to critical infrastructure can be more readily mitigated. It was obvious from the size of the crowd that this theme resonated among the attendees at ICS Sandbox and helped provide valuable insight into critical infrastructure security.
Automotive security gaining increased attention
The RSAC provided a new exhibit focusing on automotive IoT security, the Car Hacking Village Sandbox. The fusion of IoT device connectivity with automobiles has been taking place for years now, and with highly visible vulnerabilities exploited on the Jeep Cherokee still fresh in people’s minds, automotive security remains a critical safety concern. The more connected our cars become through remote diagnostics and telematics, the greater the opportunities available for potential compromise—the execution of a distributed denial-of-service (DDoS) attack on cars already on the road through vulnerabilities within their navigation or infotainment systems could create a nightmarish scenario.
The existence of these vulnerabilities was a common theme showcased at the sandbox. Sergey Kravchenko, Senior Business Development Manager at Kaspersky Lab, argued there are multiple reasons for the continued proliferation of these problems. The development lifecycle of OEMs can be as long as seven years, and with such a large number of suppliers, securing the equipment hasn’t traditionally been a priority. For example, in 2016, Kaspersky conducted a test on nine car apps for their resilience against various cyber-attacks, and none were secure. After one year’s time, the same apps were tested, as well as four additional applications. Unfortunately, a year later the original nine were still not secure, and of the four new applications tested, only one was protected against one form of attack.
In an effort to address many of the previously mentioned issues, Jeffrey Quesnelle, the Director of Software Development for Intrepid Control Systems, showcased the AUTOSAR consortium. Founded in 2003, AUTOSAR is a worldwide partnership defining software architecture standards for automotive security. Quesnelle projected that because of widespread market adoption since its inception, every car will have AUTOSAR-based electronic control units (ECUs) as standard. Furthermore, AUTOSAR has a SecOC module that uses cryptographic primitives to ensure the integrity and authenticity of system messages to prevent man-in-the-middle and replay attacks. However, the Car Hacking Village Sandbox highlighted a theme similar to that of the ICS Sandbox: the legacy systems that exist within automotive IoT are likely to remain the most targeted and vulnerable.
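To make the SecOC idea above concrete, here is an added sketch (not AUTOSAR code and not from the talk) of how a truncated MAC combined with a freshness counter lets a receiver reject tampered and replayed messages. The class names, frame layout, tag length and key are assumptions made for illustration, and HMAC-SHA256 from the Python standard library stands in for the MAC an ECU's crypto stack would provide.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8   # truncated tag length in bytes (assumed for this sketch)
CTR_LEN = 8   # freshness counter length in bytes (assumed)

def _tag(key, data_id, payload, counter):
    # The MAC covers the message ID, the freshness counter and the payload.
    msg = struct.pack(">HQ", data_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.counter = key, data_id, 0

    def protect(self, payload):
        self.counter += 1  # every frame gets a new freshness value
        tag = _tag(self.key, self.data_id, payload, self.counter)
        # Hypothetical wire format: payload || counter || truncated tag
        return payload + struct.pack(">Q", self.counter) + tag

class Receiver:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.last_counter = key, data_id, 0

    def verify(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < CTR_LEN + MAC_LEN:
            return None
        payload = frame[:-(CTR_LEN + MAC_LEN)]
        (counter,) = struct.unpack(">Q", frame[-(CTR_LEN + MAC_LEN):-MAC_LEN])
        tag = frame[-MAC_LEN:]
        if counter <= self.last_counter:
            return None  # stale counter: a replayed or reordered frame
        expected = _tag(self.key, self.data_id, payload, counter)
        if not hmac.compare_digest(tag, expected):
            return None  # tag mismatch: altered frame or wrong key/ID
        self.last_counter = counter  # accept only after the MAC verifies
        return payload

if __name__ == "__main__":
    key = bytes(range(16))  # constructed demo key, not a real secret
    tx, rx = Sender(key, 0x123), Receiver(key, 0x123)
    frame = tx.protect(b"\x10\x27")
    print(rx.verify(frame))  # first delivery is accepted
    print(rx.verify(frame))  # identical frame replayed is rejected
```

The receiver advances its stored counter only after the tag verifies, so a forged frame carrying a large counter cannot push legitimate traffic out of the acceptance window.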
Although far from the primary focus of the conference, IoT cybersecurity had a respectable presence at RSA 2018. Many of the sponsors, speakers, and presenters recognized the true scope of the challenges of securing the IoT. Although limited to an isolated area of the conference grounds, there were multiple opportunities for attendees to gain valuable insight on the threats to IoT cybersecurity, as well as innovative solutions, services, and product offerings to address those very issues.
At the forefront of any discussion was the demand for comprehensive action in the face of the impending exponential growth in the volume of devices expected in the years to come. The estimated size of the IoT is projected to grow to 20–50 billion internet-connected devices by 2020. That would allow for more than three devices for every person on earth. This imminent scaling will provide countless opportunities for information collection, management, and analysis. However, without proper security controls and strategies in place, these systems could leave all who rely on them dangerously vulnerable.