However, that is a scenario for the future. In today’s world, we probably shouldn’t be as concerned about the smart robots as we should be about the dumb ones.
Computers already control a great many things that can hurt people, including trains, pipeline controls, automobiles, manufacturing robots, oil drilling equipment and even autopilot systems on commercial airliners. SCADA systems were the first IoT. They still run most modern drilling platforms, ship navigation and automation, and the drilling equipment that drills wells in ultra-deep water. The risk posed by computer-controlled systems has also existed for a long time. In 1982, a well-placed bug hidden in the systems control bus of a series of pumps caused the Trans-Siberian pipeline to explode.
I wasn’t always a cuddly cybersecurity expert. Seven years ago, I was on an oil exploration and drilling rig running communications and networking for an ultra-deep water drilling project. Cybersecurity on the platform was an afterthought because it was 200 miles from the nearest land.
I had been invited for a helicopter trip out to the rig because it kept floating out of place while the team was attempting to drill a well two miles down in the ocean.
When companies drill in ultra-deep water, the “drill string,” which is the pipe that goes down to the bottom of the ocean, can be over a mile long. If the rig floats too far off-center, the subsea systems at the bottom of the drill string will literally break loose and create an explosion at the bottom of the ocean (think Deepwater Horizon).
This is bad.
Because I had very little visibility into the network, it took me 72 sleepless hours to find the issue (since it costs $1-2 million a day to run/operate a drilling rig, the urgency was high). It turns out that an oil rig worker had brought his mother’s old laptop on board. He had installed a wireless card into it and tried getting onto the web through the rig’s Wi-Fi connection to the satellite.
You can probably guess the rest of this story.
The computer, which hadn’t been patched in ages, had been infected with a worm that was so old that the new detection systems didn’t see it. The worm attacked the navigation computer, causing it to reboot over and over. And every time it rebooted, the rig would float out of place a bit before manual control could be taken. I managed to find the offending traffic with a sniffer and pull the laptop off the network.
The drilling company ended up installing a switch-like internal segmentation firewall that only allowed specific applications, computers and users to talk to the navigation systems. That, as it turns out, is a critical building block for the 20/20 network visibility needed to establish an intent-based network security posture.
Intent-based network security is a whole new paradigm for protecting networks. It merges the security products directly into the network rather than bolting them on. This provides deep visibility and control into the network and enables security to adapt automatically to the way the network is being used. Networks are a tool. The classic model was that the network was mostly a hammer and every communication, application or information-delivery method was a nail.
The advent of software-defined networking (SDN) is the first step towards evolving the way networks are used. Application routing and controls, the use of a deep packet engine in the delivery and categorization of traffic, and the programmability of systems through APIs and automation have changed networking forever. But that is just the start. SDN is only version 1.0 of intent-based networking and security.
The next iteration will maintain a historical and baseline perspective of the network, take into account or even anticipate both behavior and known or metamorphic exploits, and then adapt automatically to changes.
This will allow a network to do things like automatically identify an IoT or RIoT (robust IoT, which is a mix of commercial devices like badge readers and industrial IoT like robot controls) device on the network, classify it, impose policies, track its behavior and normative values over time, and intervene should it begin to exhibit unexpected behavior.
For example, when someone installs a digital camera on their network, the network will automatically identify the device, apply appropriate policies for that device (for example, a digital camera should only transmit and receive data, but never request it), recognize when it starts doing something “uncamera-like” and then automate a response that stops the unexpected behavior.
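The camera scenario above, as an added example in Python that is not from the original post: classify the device, learn its normative peers and traffic volume from a learning window, then evaluate live flows against both the declared intent and the learned baseline. The INTENT table, the MAC prefix, the addresses and all flow records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                     # constructed flow record
    initiator: str              # side that opened the connection
    responder: str
    dport: int
    device_bytes_out: int       # bytes the IoT device itself transmitted

# Assumed intent per device class (hypothetical, not the post's own policy):
# a camera serves video on RTSP/HTTPS and never opens connections itself.
INTENT = {"camera": {"may_initiate": False, "serve_ports": {554, 443}}}
CAM = "10.0.0.20"               # constructed camera address

def classify(mac: str) -> str:
    """Constructed OUI-style prefix check standing in for a fingerprinting engine."""
    return "camera" if mac.upper().startswith("02:CA:ME") else "unknown"

def learn_baseline(device, flows):
    """Normative values from a learning window: known peers and peak bytes out."""
    peers, peak = set(), 0
    for f in flows:
        if device in (f.initiator, f.responder):
            peers.add(f.initiator if f.responder == device else f.responder)
            peak = max(peak, f.device_bytes_out)
    return {"peers": peers, "peak_bytes": peak}

def evaluate(device, dev_class, baseline, flows):
    """Return (violations, action); intent breaches outrank baseline drift."""
    intent = INTENT.get(dev_class)
    if intent is None:
        return ["unclassified device"], "alert"
    violations = []
    for f in flows:
        if f.initiator == device:               # the device requested something
            if not intent["may_initiate"]:
                violations.append(f"policy: initiated {f.responder}:{f.dport}")
        elif f.responder == device:
            if f.dport not in intent["serve_ports"]:
                violations.append(f"policy: served port {f.dport} to {f.initiator}")
            if f.initiator not in baseline["peers"]:
                violations.append(f"baseline: new peer {f.initiator}")
            if f.device_bytes_out > 3 * baseline["peak_bytes"]:
                violations.append(f"baseline: {f.device_bytes_out} bytes to {f.initiator}")
    if any(v.startswith("policy") for v in violations):
        return violations, "quarantine"
    return violations, ("alert" if violations else "allow")

# Constructed traffic: a learning window of the recorder pulling video, then a live
# window in which the camera itself starts making an outbound request.
LEARNING = [Flow("10.0.0.5", CAM, 554, 40_000_000), Flow("10.0.0.5", CAM, 443, 2_000)]
LIVE = LEARNING + [Flow(CAM, "203.0.113.9", 80, 1_200), Flow("10.0.0.99", CAM, 22, 0)]
```

Running `evaluate(CAM, classify("02:ca:me:12:34:56"), learn_baseline(CAM, LEARNING), LIVE)` returns three violations and the action "quarantine", while a single unknown peer pulling video on 554 only raises an alert.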
While we can certainly insist that IoT vendors do a better job at building security into their devices, legislating that camera manufacturers change the way they create devices will only produce the barest minimum of security measures. As with most attempts to legislate security, it will simply create a low bar that determined cybercriminals would still be able to jump over.
So, instead of complaining about bad manufacturers and the security of IoT, modern network admins should let the smart devices on their networks find those things that represent risk to the network and take appropriate measures. That way, only cybercriminals need to fear the robots.
This blog post originally appeared in IoT Agenda.