- Angela Orebaugh
We are on the brink of a disruption of the Internet as we know it. This next evolution of the Internet combines smart devices, cloud and big data analytics that will change our lives forever. Okay, maybe that's just the hype talking, but we are starting to see a number of innovative products that are providing more knowledge and convenience in our everyday lives.
Many of you have probably heard of the new era as the "Internet of Things," "Internet of Everything" or the less glamorous "cyber physical systems." The concept is that "things" can be connected, monitored and managed via small efficient processors to provide beneficial data and interaction with the physical world.
The Internet of Things is essentially a gateway between the digital world and the physical world. Some examples include smart thermostats, vehicles, smart meters, health and activity monitors and implantable medical devices. The devices interact using a variety of methods including RFID, Bluetooth, Wi-Fi, Z-Wave and ZigBee. Both startups and large, established companies are creating new consumer smart devices and cyber-enabling physical systems in manufacturing, transportation and health care. Many reports have estimated several billion of these devices by 2015.
The power of the Internet of Things is in its ability to combine information from various devices and systems in novel ways to provide unprecedented insights and convenience. Synthesizing data from various sensors and systems is what makes the Internet of Things a force for major change in that it may help us solve some of the biggest problems facing society, from minimizing power outages to easing traffic congestion. Ah, the power of synergy!
Despite the promise of the Internet of Things, when it comes to security, I am seeing history repeat itself. As a longtime security technologist, I've seen the evolution of once-secure technology become connected to the Internet and targets for attackers -- first mainframes, then servers, desktops, VoIP and mobile devices. Next in line is the Internet of Things.
Angela Orebaugh, Fellow, Booz Allen Hamilton
- Leader in advancing continuous monitoring and security automation standards through the NIST guidance on continuous monitoring (SP800-137), which is used across the federal government and industry alike.
- Co-author and technical contributor to many NIST special publications including SP800-137, SP800-126, SP800-115, SP800-113, SP800-94, SP800-92 and SP800-77. Orebaugh also helped NIST write the voluntary security guidelines used by makers of electronic voting systems.
- Heads team of analysts who develop vulnerability content for the National Vulnerability Database (NVD), which is the main source of vulnerability data used globally.
Several attacks have already occurred on these types of devices. Parents heard a strange voice talking to their baby in her room and discovered that an attacker had remotely connected to the unsecured camera on their Foscam baby monitor. The security of the Internet of Things was front and center at this year's Black Hat conference with successful demonstrations of hacking a smart lock, a smart TV and a car. The number of these devices connected to the Internet is growing, thus increasing possible attack vectors every day. The potential for an influx of devices increases the risk that the Internet of Things could distribute attacks far more widely than we have seen in other applications. These devices become the easy, low-hanging fruit for a wide range of attackers.
Outside of work
Apple or Android? Apple
Plan B: Professional conservationist
Security hero? Dorothy Denning
Two things people don't know about you: Art major in college, member of Charlottesville Derby Dames
How you unwind: Meditation and roller derby, but not at the same time
What keeps you up at night? Typically only my dog during a thunderstorm
Since the Internet of Things is still in the emerging phase, ensuring security and privacy is an important issue that must be addressed and resolved now. As security practitioners we are at a critical place to make a difference in the evolution of the Internet of Things. We can be the evangelists for security-aware technologies and products in several ways:
- Implementer: If you are installing devices in your organization, incorporate the Internet of Things into your security policies and work with vendors to evaluate and improve their security features.
- Developer: If your product fits this category, take the necessary steps to ensure security is being built in using techniques such as secure development methods, secure operating systems and hardware security.
- Securer: If you work for a security company, start making strides in developing new approaches to Internet of Things threat monitoring and ways to detect and remediate attacks.
- Consumer: If you are an end consumer of devices, make sure you are purchasing devices with built-in security and let companies whose products lack security know why you haven't purchased their products. Most importantly, secure the devices you are purchasing. Change the default passwords and enable the security features. At a minimum, smart devices should include the ability for a strong password and encryption.
As security practitioners, let's work together to get ahead of this new era and ensure security is built into products so that when our lives do change forever, we can rest assured that all things are secure.