Modern field guide to security and privacy

After botnet attacks, stakes rise for security in connected things

At the Security of Things Forum in Washington, cybersecurity experts addressed the challenges of securing the Internet of Things after hackers shut down large segments of the web by taking advantage of insecure connected devices.

Michael Bonfigli/The Christian Science Monitor
German cybersecurity consultant Ralph Langner of The Langner Group speaks at Passcode's "Security of Things" event in Washington on October 27, 2016.

Think the internet-connected devices plugged in at your office or home are safe from hackers? You might want to take another look.

After a recent cyberattack shuttered much of the web by turning insecure connected devices into a massive botnet, experts and policymakers worry that the so-called Internet of Things could be more vulnerable than ever.

That issue was a focal point of conversation at last week's Security of Things Forum in Washington, hosted by Passcode and The Security Ledger, where hackers, security researchers, and government officials warned of the risks of rapidly expanding connectivity, especially within the most critical industries and infrastructures. 

"Most people are under the complete illusion that, oh, they’ve got safety systems. Safety does not factor in security," said Ralph Langner, a well-known German security researcher, referring to systems designed to prevent shutdowns at power plants and chemical facilities. "High value targets must never be connected to the internet. Nobody connects a factory to the internet in order to be more secure."

The event took place a week after unknown attackers deployed the Mirai botnet, a malicious network made up of insecure routers, digital video recorders, and other insecure internet-connected products, to overwhelm internet performance firm Dyn with phony traffic. As a result, such popular sites as Netflix, Spotify, and Amazon were knocked offline for much of the day. 

Now, with as many as 30 billion devices set to come online by 2020, security experts who spoke at the Security of Things Forum worried that the attack could be another sign that hackers can take advantage of insecure Internet of Things gadgets to cause serious digital havoc.

Here are some of the suggestions they made to secure physical devices coming online:

1. Out with the old, in with the new

It's not just hooking up everything from cars to defibrillators to the web that creates security challenges: Many companies and US government agencies leave themselves vulnerable to hacks by running old systems and old code – including several federal data systems that recently turned 50.

"Legacy technologies tend to dominate simply because of size," said Anup Ghosh, chief executive officer of the cybersecurity company Invincea. "In the federal space, we’re deploying to agencies with 200,000 people. You can’t just snap your fingers and cover the department."

But that message doesn't seem to be getting through at critical infrastructure facilities, where old, insecure systems can be pervasive.

"It’s sort of like getting the guys from 1950 to hold hands and talk conversationally with someone born in 1990," says Stan Lowe, an executive adviser at Booz Allen Hamilton who helps develop cybersecurity strategies.

The solution, Mr. Lowe says, is to start over from scratch. 

“There’s no way to retrofit this stuff. We’re going to bolt on security around the old stuff,” he adds.

2. Cyber war is still in its 'teenage years'

December's digital attack against Ukraine's power grid that shut out the lights for more than 230,000 people – the first such hack to cut out power – served as another wake-up call proving hackers could soon commandeer critical infrastructure. 

But Mr. Langner, the German security researcher known for his early work on the Stuxnet cyberweapon, says that attack had a lot to do with human error, as operators did not shut off manual controls at the impacted facilities.

"There is a legitimate command that allows you to manipulate the [power supply] via the network," Mr. Langner said of the tactics that hackers purportedly used to shut down power systems. "You got to be a damn fool if you don’t disable that functionality. No super hacking involved here, no buffer overflow, you just need to understand how modern products work, you just need to understand the manual."

That could be a significant problem, Langner says, since more states are getting access to destructive cyberweapons, and there are few international rules to regulate their use. 

"What we see today is like the teenage years of cyberconflict. It’s characterized by rude behavior," he said. "Those with the muscle are like teenagers. They’re checking out what they can do."

3. Don't disconnect

The distributed denial of service, or DDoS, attack that knocked out Netflix, Spotify, and other popular US websites on Oct. 21 might seem like a sign to unplug for a while. Not for Charley Snyder. The senior adviser at the Department of Defense has used similar cyberattacks to encourage the Pentagon to invite hackers to test its systems for software flaws in a public bug bounty program. 

"Too often, I think the government tries to wall itself off from the web," Mr. Snyder said. "That just doesn’t logically work."

Instead, Snyder said the success of the Hack the Pentagon program that invited 1,400 vetted security researchers to root out bugs in Defense Department systems – including an 18-year-old who just graduated high school – shows how helpful it can be to bring an outside set of eyes to security challenges.

"We have quite a big budget, we spend quite a bit on information technology, but it’s hard to know we have the eyeballs on the systems that they really deserve," he said. "If we could tap into thousands or tens of thousands of people across the country, that seems to be a really meaningful way to use this as a force multiplier."

That doesn't mean setting up US government bug bounties will be easy.

"There’s not really anything in my experience that’s as complex as how we secure systems and make them more resilient," said Leonard Bailey, a Special Counsel for National Security in the Department of Justice's Computer Crime and Intellectual Property Section.

But, he says, inviting hackers into the Justice Department to hear out their concerns about federal prosecution of computer crimes has pushed the relationship forward.

"That resulted in going from being yelled at to presenting at Black Hat [hacker conference in Las Vegas]," he said.  
