Some stunning things have happened in the past year. Cars were remotely hacked and run off the road. Thieves digitally stole cars in volume, at night, and loaded them onto container ships before owners woke in the morning—with the high-end cars stolen through security mistakes in keyless entry and keyless start systems. Hospital IV drug pumps were wirelessly hacked for lethal dosing. Other hospitals were infected by malware through surprisingly vulnerable MRI machines and X-ray machines. Malware infections even forced the temporary shutdown of some hospitals. Cyber attacks damaged things as substantial as the blast furnace of a steel mill. Dozens of U.S. critical infrastructure sites were infected to their roots. and an oil pipeline was hacked, yielding a 3 kiloton pipeline explosion. The Ukrainian power grid crashed after a cyber intrusion.
We bet our lives on countless smart technologies every day. Our cars, hospitals, traffic lights, and aircraft are the most obvious examples of increasingly connected systems, constantly optimized through remote management. Imagine the world’s population tripling again without software driven and Internet-connected “zero-emission vehicles.” Smart, connected technologies are helping bring about medical miracles and save lives. Do we depend any less on the power grid, manufacturing, and water treatment plants? These systems deserve security.
However, with so many important systems hacked, and so much needlessly endangered, it doesn’t need to be like this. Technologies to solve these problems exist. Companies making cars, medical devices, and industrial equipment simply need to be more disciplined about integrating the security technologies that can protect their devices, and protect their customers. These companies are no longer without adequate guidance on how to build in effective security. The U.S. Department of Homeland Security (DHS) has published guidelines on Security Tenets for Life Critical Embedded Systems (LCES). Other organizations, like Online Web Application Security Project (OWASP) and Online Trust Authority (OTA), have published similar guidelines for IOT. Symantec has published an IoT Reference Architecture for IoT Security. Several guidelines exist now, from many sources.
Of course, companies face many challenges building security into their systems. Most notably, new models of things like cars and medical equipment do not come to market overnight. However, unless companies hear customers insisting on security, then these “things” will not get security quickly enough. Fortunately, customers are already starting to speak through their buying behaviors. Customers often rank security and privacy as top reasons for not buying smart, Internet-connected products. In this context, some but not many companies have already begun to change their engineering practices, building more security into connected cars, medical, industrial, and home automation equipment.
This doesn’t require undue spending on security. For security to be affordable, it needs to be a small slice of the costs for each of these devices. For a car, a few technologies totaling less than $20 would be less than one tenth of one percent of the total price of a car. For million dollar MRI machines, it would be even less. Still, it has to be spent effectively, and to do so, the companies making “things” have to know that their customers really care about security of these devices.
Without transparency, customers have no way to know which products are relatively secure, and which aren’t. Some very trusted brands have been responsible for some of the biggest security gaffes of the past few years. For most products, like cars and home security systems, there is no transparency on the actual types and level of security built into these things, and no rules on how such companies can claim products to be “secure.” Experts are working to set guidelines and fair testing means by which security ratings, rankings, seals or stamps of approval can be earned. However, that will take time, and until then, we’re all at risk until customers have more information on which to base buying decisions.
Failure to build based upon an established set of security guidelines should be a red flag to any customer. Consumers can make a difference. You can help drive companies making Internet-connected devices to disclose whether or not they’ve built their devices to any set of security guidelines. Simply ask them to do so.
Not only do our lives depend on our cars and medical equipment, but every day we depend on the connected industrial equipment delivering water and power, heating and cooling, and light, not to mention our dependence on manufacturing and logistics infrastructure, as well as countless new security and automation products for our homes. Without adequate security, we’ll be at the whims of criminals and terrorists who are able to figure out what others have done, before we, as a society, are able to fix it. We can fix it now. These devices deserve security. Our lives deserve security. Let’s start asking the companies making these devices to begin disclosing the security guidelines they’re following, if any, to protect us.
