The most recent CIA Plus Meetup in Toronto touched on subjects that are becoming of prime concern to the security community. Entitled “Who’s Big Brother and what is he watching? Privacy and security in the IoT era,” the evening featured a keynote address from Faud Khan, CEO and CSA for Ottawa-based security consulting firm TwelveDot. His presentation was followed by a panel discussion with Sangam Manikkayam, principal security architect, Symantec Canada; Bob Martin, industry partner manager (IoT), Cisco Canada; and Victor Garcia, managing director for ABCLive Corporation and adjunct professor at the Schulich School of Business.
Khan provided an overview of the critical security challenges facing the industry today with the advancement of IoT. With commodity hardware, service analytics and cloud services, industry can quickly monetize ideas, he said. “But those ideas come with some danger.”
The danger is that many products and services are not tested for security; and many solution providers do not have even basic security policies or procedures in place, he stated. “Security and privacy are not key features to developers, and companies do not have the skill set to effectively evaluate new technologies. It’s all about usability and how people interact with them. But putting in a lot of IoT interfaces opens up new realms and [security risks].” To illustrate, he described a manufacturing facility he had worked with that was experiencing multiple failures. The culprit was malware in the firmware used on the machines.
A second concern, Khan noted, is that while organizations are moving at speed from a technology perspective, policies and procedures are not keeping pace. “Financial and training risks are not being considered when solutions are being developed.”
Ultimately, organizations are underestimating the threat landscape at the network, application and device levels, Khan argued. But that will soon change. “If management doesn’t embrace or understand security, the new version of PIPEDA that is coming out will change that. You can’t dodge the bullet anymore.”
He also recommended that businesses become familiar with ISO 27000, a standard that offers a framework for thinking about security. “ISO 27000 deals with five concepts around what you need to do in information security management.”
As management shifts its focus to create a cybersecurity culture, he said industry must concentrate on the following: identify data at risk and protect it; test and evaluate to determine potential outcomes and mitigation; assess and audit every major release at the network, device and application layers; and demand the same level of security from suppliers.
The panel discussion which followed kicked off by exploring how the security landscape has changed in the IoT era and what new risks organizations now face.
Victor Garcia argued that IoT has changed things dramatically due to new levels of complexity in terms of technology and issues. “IoT involves very complex systems that work together. You have to understand the implications in today’s world – whether it’s smart houses, cars or phones – each of these has created its own situations and issues.”
Bob Martin added that the complexity of risk in IoT requires industry partnerships. “No one is the be-all and end-all, so our role is to work with ecosystem partners. We see the IT world changing in terms of defining what is allowed on the network and what can be connected safely and securely.”
He later noted that partners have access to Cisco’s APIs. “Anybody can get access to this [our component] to make their product. Those interfaces allow partners to layer security on top of them.”
When asked to consider what traditional security approaches can be applied in an IoT context, Manikkayam observed that the IT approach has been based on openness and commonly used protocols for operating systems and platforms. “You can buy a PC or Mac and install apps that come with security built on top of them.”
IoT devices, on the other hand, are “brainwashed” as they leave the factory. “You can’t do anything further with one unless the manufacturer changes it. Also, IoT has thousands of protocols in each vertical and these use different architectures,” he said. Another problem is scale: a standard IT environment might have 20,000 to 100,000 devices, but with IoT, 100 million cars could serve as tomorrow’s attack surface.
One of the most compelling discussions of the evening emerged around the relationship between privacy and security. Garcia stressed that privacy and security are not the same thing, and may not coexist. “In today’s world, we have had to sacrifice privacy to protect the safety and security of people.” He referenced the Boston Marathon bombing as a prime example of how surveillance played a key role in apprehending the suspects.
He added: “We have to recognize we live in a different world. The Internet is not bound by national boundaries. We cannot protect privacy even when we try. When data is totally anonymised, it’s still possible to find out who you are. Having security does not guarantee privacy.”
Manikkayam said that this issue is magnified by the millions of IoT sensors in use today. “Sensors are invading places and spaces they were never able to before.” A key problem is that sensors in the field have to be low-powered devices, which leads to additional security challenges. “IoT brings a lot of flexibility to deliver better outcomes. But security was not designed for an IoT world,” where low-power devices do not have the compute capacity for security.
Garcia’s final words of advice for IoT adopters were to make sure they keep abreast of what’s needed from a privacy and security perspective and stay aware of changes in the regulatory regime, such as the new British privacy law. In order to ensure “ethical management” of the business, “adopters need to be aware of that when developing solutions. They have to understand what the issues are. Governance is not about what everyone is doing, but about what they could be doing.”