Internet of Things—The Fate We Make for Ourselves

The fantasy once associated with science fiction films is becoming increasingly similar to modern life.

The first Terminator movie introduced some cybersecurity concepts. In addition to introducing the topics of social engineering, vulnerability management and computer malware, the latest film in the saga has introduced the topic of the Internet of Things (IoT). These movies reflect the significant improvements in technologies used by businesses. As a result, there are some lessons that can be learned from looking at the Terminator movies, one of which is to have a proactive, rather than reactive, approach to security.

Back in the factual world, an exciting example of some of the latest development work can be seen in the research being carried out at Newcastle University (United Kingdom),¹ including:

• Ambulances interconnected to the traffic lights enabling more efficient and faster journeys²
• Touch- and temperature-sensitive bionic limbs³

Most IT security or information security professionals face the constant battle of explaining to their executives why it is important to spend sufficient money, time and resources on such things as securing systems and networks, vulnerability management, penetration testing, antivirus software, social engineering and security incident response. Security professionals also must try to maintain an understanding of and manage the new and emerging technologies being introduced to support an organisation’s efficiencies.

What type of dynamic, real-world technology advancements are happening? Presently, scientists are reporting the advancement and development of the following exciting technologies:⁴

• Emergent artificial intelligence (AI)—AI is the development of machines that can learn, adapt and respond to their environments. These machines are also known as ‘Intelligent Machines’.
• Sense-and-avoid drones—Remote-piloted drones that can fly themselves, without any remote assistance from a pilot sitting in a bunker somewhere piloting the drone via a joystick and monitor

All of a sudden, the far-fetched components of the Terminator movies do not appear to be so far-fetched after all. Add IoT into the equation, and the potential dangers become a great deal more serious.

Kevin Ashton, cofounder of the Auto-ID Center at the Massachusetts Institute of Technology (MIT) (Cambridge, Massachusetts, USA), is associated with coining the phrase ‘Internet of Things (IoT)’ while delivering a speech at Procter & Gamble.⁵ ‘If we had computers that knew everything there was to know about things—using data gathered without any help from us—we would be able to track and count everything and greatly reduce waste, loss and cost’, he said. ‘We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best’.⁶

The advancement of technologies means that the devices capable of interconnecting to share data have reduced in size and increased in capacity, ranging from the 3 gigabyte (GB) random access memory (RAM), 128 megabyte (MB) smart phone to a 768 GB RAM, 21 terabyte (TB) computer, or any physical item capable of being fitted with a microchip (even people, as is reported as being carried out by a Swedish company).⁷

Such devices are only going to improve their ability to interconnect and share data without the need for human interaction or control. There is also an increasing number of systems being insecurely developed. The volume of interconnected devices is predicted to be between 50 and 75 billion⁸ by 2020 and 70 percent of the world is expected to be using smart phones.⁹ Both businesses and individuals rely on such data-sharing devices. But lack of control and appreciation for ensuring that such devices are adequately protected, through technical controls, user education and policies, can result in significant IoT insecurity.

Although it is unlikely that there will be a global machine uprising, there are some lessons to be learned from science fiction long before it ever gets close to being a fact, especially given the strong benefits that are being speculated from incorporating AI technology into IoT devices. Acting now can reduce the impact from IoT-originated data breaches.

It has never been more important for organisations across the globe to work together to ensure that future advancements in technology are carried out safely and securely. The potential seriousness of the risk associated with IoT breaches is highlighted in US automaker Chrysler’s recent recall of more than 1.4 million vehicles¹⁰ after significant vulnerabilities were identified within the Uconnect system, an Internet-connected computer that controls such things as the onboard navigation, telephone and Wi-Fi hot spot systems. During a controlled experiment, attackers were able to hack into a Jeep Cherokee travelling at 70 mph. The attackers took control of the entertainment, air conditioning and acceleration systems, whilst highlighting that they even had the capability of tracking a vehicle via the global positioning system (GPS) and disabling the brakes.

Given such alarming developments, IoT data security/safety must be put at the forefront in business environments. Some of the recommended measures should include:

• Businesses recognising the importance for securing data devices, baselining themselves with suitable industry standards—These standards may include COBIT 5, ISO/IEC 27001:2013, the US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework or NIST SP 800-53, to name a few. Businesses should also connect with reputable security services providers (e.g., consultancy, penetration testing, web application testing).

  The adoption of a suitable security standard provides a consistent benchmark that ensures that all systems, people and processes are the same (i.e., standard), which promotes improved safety and security. This concept is extremely important in support of the development of the IoT world, in which multiple interconnecting systems share significant amounts of data, as this process ensures that these connections are carried out safely and securely.

  It is useful to reference the series of articles written by the Council on Cyber Security,¹¹ providing further detailed advice on securing the IoT through the application of the Critical Security Controls for Cyber Defense¹²—in essence a robust foundation upon which to forge the basis of a compliance program.

• Vendors developing secure systems—Because of the urgency from vendors to develop and sell these new and emerging technologies, there has been little or no effort applied to ensuring that the systems were built securely. As the technology has advanced, the potential danger associated with these advanced data processing technologies has significantly increased. For example, take the latest smart phones. These phones have the capability of acting in the capacity of a temporary mobile portable desktop, accessing sensitive emails or downloading copies of sensitive documents. Yet how many of these devices have the capability to install a personal firewall, antimalware programs or operating system updates?

  All of these vulnerabilities are at the forefront of a hacker’s arsenal for attack. Given that it is highly likely that these devices will be included in 2020’s predicted 50-75 billion connected devices, it is extremely important that data and system security be placed at the forefront of any future technological advances.

  In addition, it is important that vendors realise the importance of ensuring that the psychological perspectives associated with the older generations’ use of technologies¹³ are factored into the design of such systems to provide ease of use and effective and integrated security measures.

• End users receiving security awareness training about the safe and secure use of the devices—The significant threats to data resources come from the end-user perspective, in which users carry out actions that undermine or bypass the security measures employed to protect both the device and the data within it. Ensuring that all end users are fully aware of the correct usage of devices becomes increasingly important when such devices are interconnecting, as in the world of IoT.

  It is important to remember that as technologies advance to meet IoT capabilities, human beings may not be able to respond as quickly to the new technologies, and more seasoned members of staff may need additional training in the correct and effective use of these devices.

• Security professionals maintaining their professional knowledge and awareness of emerging technologies and threats—This can include membership in professional bodies, formalised professional development programmes or other similar efforts. The appointment of suitably trained and experienced professionals within an organisation is critical to helping reduce the risk associated with the introduction of new technologies. They act as the linchpin between decision makers and end users, ensuring effective mentoring, risk identification and communication. To make this an effective service, it is essential that these specialist appointments maintain their professional knowledge so they can efficiently respond to the challenges associated with the dynamic world of new technologies.
• Global governments recognising the need to ensure data and device security by introducing appropriate legislation and awareness campaigns—Unfortunately, today’s world appears to be one of reaction and, as a result, the majority of organisations only react to technology-related issues in response to data breaches. There are limited legal requirements for businesses to ensure that technologies, usage and data are secure. With the introduction of more IoT technologies, it has never been more important for global governments to recognise the need to enforce the sensible use of such technologies, through the introduction of appropriate legislation. Without such legislation, there is nothing to incentivise businesses to operate their technologies responsibly.

  Much of the same happened with the advancement of the motor industry. In 1769, the first steam-powered vehicle was invented. However, in the United Kingdom, the requirement to have a license to drive was not introduced until 1903. By the early 1930s, there were more than 2.3 million motor vehicles on UK roads, and there were about 7,000 motor vehicle-related deaths each year. This caused the UK government to react with the introduction of the Road Traffic Act and the Highway Code.¹⁴ Lessons should be learned from the technological advancements in the motor industry so that similar mistakes do not occur with the technological advancements of the IoT.

All of the aforementioned measures will help to reduce the potential for IoT-associated data losses and minimise the potential for exploitation by an attacker. The following studies and reports show the existing vulnerabilities and sources of attack against existing technologies. They also demonstrate the importance and need for secure dynamic technologies and investment in the development of information systems (IS) security professionals and systems testing professionals, without which the potential benefits provided by the emerging IoT technologies will be undermined by reactive responses, resulting in some serious areas for concern in the future.

Figure 1 shows that the most significant threats are presented against external-facing web applications and from the insider misuse perspectives. Consequently, this demonstrates the need for ensuring systems are continually tested against exploitable vulnerabilities (before an unknown hostile exploits these vulnerabilities) and robust policies and procedures are in place to help reduce the threats presented from the insider (whether from a deliberate or accidental action).

Figure 2 provides an overview of the contributing factors that were seen to be behind the causes of a security incident. This clearly demonstrates that good security principles start with senior management endorsing and supporting good security practices.

The development of the IoT world will increasingly involve the use of mobile devices and, as a consequence, developers, vendors and end users need to be fully aware of the high risk of malware threats that could cause a breach, especially given the theme of IoT where millions of devices will be interconnecting and sharing data. Figure 3shows that even in the relatively immature mobile environment, a significant number of devices are getting infected—recorded as peaking at more than 60,000 devices during September and October 2014.

Figure 4 is the most disturbing of all the statistics discovered, given the rapidly evolving technology industries and the business reliance on such technologies. This technological evolution does not appear to be matched with the appointment of suitably trained and experienced information security professionals to proactively engage with businesses to mitigate the threats highlighted in figures 2 and 3.

Conclusion

If these trends continue in the same vein, there is substantial risk of technology advancing at a rate that creates billions of interconnected data-sharing devices (including intelligent machines/AI) with minimal security considerations being applied.

As a result, much like the Terminator movies, the development of the security industry can be likened to that of John Connor’s resistance. The future of a safe and secure technological world will rely on an under-resourced and outnumbered band of security professionals providing a reactive service, responding to increasing numbers of breaches.

If the world does not recognise these issues and act quickly to address them, we run the risk of fact becoming stranger than fiction. To quote the Terminator, ‘The future is not set. There is no fate but what we make for ourselves’.

Endnotes

¹ School of Electronic and Electrical Engineering, Communications, Sensors, Signal & Information Processing Research Group (ComS2IP), Newcastle University, United Kingdom, www.ncl.ac.uk/eee/research/groups/coms2ip/
² Knapton, S.; ‘Gadget Which Turns All Traffic Lights Green Trialled in UK’, The Telegraph, 3 April 2015,www.telegraph.co.uk/news/science/11512274/Gadget-which-turns-all-traffic-lights-green-trialled-in-UK.html
³ School of Electronic and Electrical Engineering, ‘Bionic hand that is ‘sensitive’ to touch and temperature’, Press Release, 24 February 2015, Newcastle University, United Kingdom, www.ncl.ac.uk/eee/about/news/item/bionic-hand-that-is-sensitive-to-touch-and-temperature-copy
⁴ Meyerson, Bernard; ‘Top 10 Emerging Technologies of 2015’, World Economic Forum, 4 March 2015,https://agenda.weforum.org/2015/03/top-10-emerging-technologies-of-2015-2/
⁵ Postcapes, ‘A Brief History of the Internet of Things’, http://postscapes.com/internet-of-things-history
⁶ ‘Internet of Things’, Techopedia, www.techopedia.com/definition/28247/internet-of-things-iot
⁷ BBC News, ‘Chip and Skin: The Office That Microchips Its Staff’, 29 January 2015,www.bbc.co.uk/news/technology-31037989
⁸ Danova, Tony; ‘Morgan Stanley: 75 Billion Devices Will Be Connected to the Internet of Things by 2020’, Business Insider, 2 October 2013, www.businessinsider.com/75-billion-devices-will-be-connected-to-the-internet-by-2020-2013-10?IR=T
⁹ Ericsson Mobility Report, ‘70% of the World Using Smartphones by 2020’, FutureTimeline.net, 26 June 2015,www.futuretimeline.net/blog/2015/06/26.htm#.VaasPWdFAfg
¹⁰ Fernandez, A.; ‘Fiat Chrysler Recall Highlights Potential Need for Regulatory Changes’, Gordon & Rees, 30 July 2015, www.privacydatabreach.com/category/internet-of-things/
¹¹ Council on Cyber Security, ‘A Look at Applying the 20 Critical Security Controls to the Internet of Things, Part 1’, 4 November 2014, www.counciloncybersecurity.org/articles/a-look-at-applying-the-20-critical-security-controls-to-the-internet-of-things-iot-part-1/; ‘A Look at Applying the 20 Critical Security Controls to the Internet of Things (IoT), Part 2—Technology’, 25 November 2014, www.counciloncybersecurity.org/articles/a-look-at-applying-the-20-critical-security-controls-to-the-internet-of-things-iot-part-2/; ‘IoT and the Critical Security Controls, Part 3—Technology’, 13 January 2015, www.counciloncybersecurity.org/articles/iot-and-the-critical-security-controls-part-3/; ‘Internet of Things and the Critical Security Controls, Part 4—Technology’, 20 February 2015,www.counciloncybersecurity.org/articles/internet-of-things-and-the-critical-security-controls-part-4/
¹² Council on Cyber Security, ‘The Critical Security Controls for Cyber Defense’, version 5.1
¹³ Rogers, Wendy A.; Arthur D. Fisk; ‘Toward a Psychological Science of Advanced Technology Design for Older Adults’, The Journals of Gerontology Series B: Psychological Sciences and Social Sciences, 65B(6), November 2010, p. 645–653, www.ncbi.nlm.nih.gov/pmc/articles/PMC2954331/
¹⁴ Driver & Vehicle Standards Agency, ‘History of road safety, The Highway Code and the driving test’, updated 26 March 2015, United Kingdom, www.gov.uk/government/publications/history-of-road-safety-and-the-driving-test/history-of-road-safety-the-highway-code-and-the-driving-test

Jim Seaman, CISM, CRISC, has enjoyed an extremely interesting and rewarding career within the security industry spanning almost 26 years. His career was forged in the application and enforcement of robust security and compliance legislation in the Royal Air Force Police over 22 years in the areas of physical security, counterterrorism and security intelligence. Since 2002, he has specialised in the field of information security management and investigations and cybersecurity. Over the last four years he has employed his skill sets, knowledge and experiences in the corporate sector across various industry sectors including financial, retail, oil and gas, UK government, travel, insurance, e-commerce and telecommunications.

[ISACA Journal]