Have you, like me, been bemused by the avalanche of news stories about the so-called "Internet of Things" (IoT)? "Things" have been connected for years. The problems occur when they allow unsecured access from the Internet.
Bloomberg, for example, recently headlined an article "How the Internet of Things Changes Everything." Of course, the headline was in boldface, 24-point type. You know, the typography you’d expect a World War to be announced in.
So what’s all the fuss about? Haven’t we always had things on our networks? In fact, until 20 or 25 years ago most of our networks were about connecting "things" -- PCs, terminals, servers, hosts, routers, printers, etc. People were an afterthought, really.
So let Bloomberg explain:
The Internet of Things refers to a dramatic development in the Internet's function: the fact that, even more than among people, it now enables communication among physical objects.
Oh, do they mean PCs talking to printers? Servers talking to routers? What are they talking about?
In fact, what all the noise is about is connecting everyday, generally non-IT, things to apps that either monitor, control, or do both from our mobile or wired platforms. And it’s that "non-IT" bit that appears to make the difference.
I mean, back in the 80s I could control my company’s phone switch from my desktop over the network, and I could monitor "punch-in" and "punch-out" on the factory floor time clocks from that same desktop over that same network. So it isn’t the fact of monitoring, or the fact of controlling or even the fact of using these applications over a network that has become all the rage.
What’s got some people over-the-moon giddy (and others seriously knicker-knotted) is that we’re now talking about connecting to cars, refrigerators, dog-collars, HVAC systems, toasters, entertainment services -- pretty much all the things we use each day whether we’re in the DC, in the kitchen, or visiting our favorite café. All these things that now come with both embedded systems and wireless (or, in some cases, wired) connectivity.
Sounds like it’s a good thing, right? So why are some people upset by it all? Well, there’s this headline: "Military hops on the 'Internet of Things'." Missiles and drones and tanks and planes -- want them controllable over the Internet? You know, the same Internet that sustains thousands of denial-of-service attacks and supports thousands of hacks every day.
But, you say, "I’m not in the military and no one wants to hack in to my toaster, do they?" Well, what is the business (or, reality check, businesses) your organization is involved in? As reported by EDN Network:
Embedded Networked Systems control an ever-increasing percentage of the modern industrial infrastructure. Smart energy grid installations, complex chemical processing and transport facilities, the multiple modes of our transportation infrastructure, as well as storage/access systems for personal medical and financial information all use complex embedded systems.
Currently it’s SCADA (supervisory control and data acquisition) systems that appear to be the focus of all the angst. Turns out people install these things in power plants, water purification systems, traffic control structures, and more. Just this past week the so-called Syrian Electronic Army claimed responsibility for launching a successful cyberattack on the main infrastructure system of Haifa, one of the most important ports in Israel, disrupting the operation of the servers in charge of urban management systems and public utilities in the city.
One of the big problems with these SCADA systems is that they’re not installed by IT departments, and they all come with default passwords that need to be changed as soon as (or, even better, just before) they’re brought online. So, yeah, getting users to change passwords is something we’ve all figured out how to do, right? Thought so.
How aware are you of all the embedded systems in your organization? Who has command and control of them? How secure are they from outside attacks?
OK, finished doing that survey, did you? All the embedded systems are accounted for and secured? Great, but you’re not finished. Remember all those BYO devices you’ve allowed on the network? How many of them have apps allowing their users to control their cars, homes, pets, etc.? And how many of those apps are a perfect conduit for crackers to infiltrate your network or, at a minimum, launch a phishing attack?
Now, don’t get me wrong, I think interconnecting everything is a good idea. But what’s really a great idea is interconnecting them securely. That can turn a sleepless night into a beauty rest.