Billy Rios, Founder of WhiteScope LLC
Ryan O'Leary, VP Threat Research Center at WhiteHat Security
Rich Mason, President & Chief Security Officer, Critical Infrastructure
Josh Corman, Director, Cyber Statecraft Initiative at Atlantic Council
The Internet of Things (IoT) is rapidly changing the way we look at everything. The advantages we gain with smart devices are driving us to new levels of convenience in healthcare, manufacturing and automation, but IoT also presents many security challenges. The problem is, the average person simply is not aware of how real the potential damage is, and not just to large institutions, but to individuals like them. For example, last month, a luxury hotel was held hostage and all guests were locked out of their rooms until the hotel paid a ransom. So how do we regulate the IoT? How do we efficiently manage thousands of devices? How do we know what is trustworthy and what is not? And most of all, how do we do this at massive scale? This expert panel explores the challenges that we all face in this Wild West landscape of IoT and the solutions that we can implement today for a more secure future.
IoT security has been a challenge for some time. Chenxi pointed out that while nobody cared when refrigerators were sending spam, the recent Mirai attack, in which cybercriminals hacked home routers and threw a million users off the Internet, made people suddenly take notice. Was this just the tip of the iceberg and a preview of worse things to come? Rich says that in the critical infrastructure sphere, though more so on the consumer side, in the next twelve months we’ll only be seeing a rise of ransomware. The worst to come in the medical sector, says Billy, is that someone – or some millions – is going to get killed.
Regarding Mirai, Josh mentioned the public policy implications, and said what was really worrisome in this attack was that the maintenance passwords in multi-million dollar devices are freely reachable from the Internet – and that’s the norm. Ryan added that the thing about IoT is that it’s difficult to test and therefore difficult for the industry to have standards around all these applications. IoT is a new way of interacting with things and it’s just another link in the chain in this ever-evolving landscape of moving technology in our everyday lives.
Chenxi asked about implementing minimal viable standards so that a device that fails those standards simply can’t come to market. The panel discussed making devices patchable – or at least labeled, like nutrition labels on foods, so that consumers know what they’re getting. In the case of video games, popular music and movies, warning labels were consumer driven, but unfortunately we’re not seeing a lot of consumer concern over IoT devices because consumers are still very ignorant about what can actually happen. You buy a smart security camera for your home and think that you’re safe, never understanding the risk you just opened yourself, your family, or even your community up to.
Chenxi ended the panel on a lighter note by asking about the positive side of IoT. They all agreed that the devices that are coming out on the market and what they can do are pretty amazing, like medical devices or smart cars that factor out a lot (if not all) of the human error. But none of them could resist adding that although right now we still have a pretty good benefit-to-risk ratio, it’s definitely slipping away. What we need is not to slow innovation, but to implement conscientious innovation.
Watch the video of this panel discussion right here: Internet and the Insecurity of Things | A Live Experts Panel at RSAC and see some of the answers to questions asked during the panel.