Despite warnings from a number of industry analysts and vendors, organizations still aren’t prepared for the security problems that the Internet of Things is bringing, says a senior Intel official.
“I think people are failing to plan or accommodate just how pervasive it will be,” Scott Montgomery, vice-president and chief technical strategist of Intel Security, said in an interview Tuesday. “It’s going to create new attack vectors for adversaries.”
For example, he pointed out, in the U.S. alone the remote cardiac monitoring market will be worth US$1 billion this year, raising the spectre of an attacker holding a person wearing a pacemaker hostage. “It’s a scary implication,” he said, in part because health care practitioners aren’t concerned about the safety of approved devices, just about their patients’ care.
Similarly, he added, there was an attack by an unknown adversary that temporarily knocked out a power system in the Ukraine.
“I think organizations are failing to encompass in their planning just how many devices will wind up with an IP address,” he said.
The comments were part of a wide-ranging interview Montgomery gave to ITWorldCanada.com from Toronto, one stop on a three-city roadshow (the others are Montreal and Ottawa) in which officials from his division are speaking to partners and customers.
Intel Security is the McAfee products branch, responsible for endpoint, data leakage/classification tools, SIEM, network malware detection tools and intrusion prevention products. In fact, Montgomery came to Intel when it bought McAfee in 2011.
As sales of PCs are slowing, Intel is shifting to focus on powering data centre infrastructure and the Internet of Things following a restructuring and the layoff of 12,000 announced last month. Although the data centre division pulled in US$4 billion in the first quarter compared to Intel Security’s US$537 million, the company has high hopes for security: Sales were up 5 per cent over the previous quarter and up 12 per cent year-over-year.
Still, that was after some pruning: Last fall Intel said it was ditching some products that weren’t selling well (including email security solutions) and sold its next-generation and enterprise firewall products to Raytheon/Websense.
The IoT is often on Montgomery’s mind, particularly in the context of the vulnerability of essential industrial infrastructure. Often news reports of attacks point fingers at foreign countries. But Montgomery says the focus is better spent on what went wrong rather than who allegedly did it. In a recent blog, for example, he suggested a high-profile U.S. indictment earlier this year alleging five Iranians were behind the online probing of a New York state dam was less important than the questions it raised: Why was the control system for the sluice gate connected directly to a cellular modem? Could the control system be separated from the Internet by a firewall? Could strong authentication mechanisms be employed rather than using a fixed password? Could the modem itself be configured in a way that either limits who could connect or how its services are advertised to the Internet?
“Most importantly, could we create a checklist that other technically limited critical infrastructure organizations could use to avoid their own disaster at snack time?”
There are constant complaints that manufacturers of IoT devices aren’t baking security into their products and are only lately focusing more attention on it, which Montgomery partly agrees with. “This is an effort that should have been done eons ago,” he said. At the same time he noted Intel [Nasdaq: INTC] and a number of others are members of the two-year-old Industrial Internet Consortium, which has published a reference architecture and is working on a common security framework. Intel is also a member of the fledgling Open Connectivity Foundation to help unify IoT standards, including guidance for best practices in creating secure APIs. Intel itself is also creating toolkits and frameworks for those who use its chips in IoT devices.
Montgomery also insists that large industrial device makers such as Honeywell and Siemens are taking IoT security seriously. When Exxon Mobil recently put out an RFI for modernizing its physical infrastructure, he added, it included requirements for device safety, privacy and data visibility.
Ultimately, he said, “it will be dollars and cents,” and not a sense that security is a good idea, that will drive manufacturers to improve IoT security.
The IP-enablement of everything is one of two vulnerabilities he worries about. The other is what he broadly calls “data challenges,” meaning the failure of organizations to properly protect sensitive information.
“Organizations are a little bit lax in protecting the most valuable data assets with the most scrutiny. They kind of use a rollerbrush technique and try to apply a one-size-fits-all.” Data classification “will allow them to be a little bit better prepared.”
Line-of-business owners have to tell infosec teams what the real value in the data is so IT knows where to marshal its resources, he says. After all, he argues, it’s unlikely CISOs can prevent breaches, so they have to best protect the corporate jewels.
Failure to do so is one of the two pre-breach mistakes infosec teams make, he says.
The biggest post-breach mistake is failing to create a containment plan. “Most organizations spend all of their time on pre-breach planning and have nothing documented on post-breach … And what this leads to is timing chaos and organizational chaos.”