Going back to school on IoT security – personal reflections from a cybersecurity product marketeer
Has anybody ever actively encouraged you to hack your own car? Did you know that hacking your car could mean diagnosing problems easily and for a lower cost than you would find at the local dealer? Did you know that the aviation industry has built in both safety and security from the ground up? How old, really, are the robots used in manufacturing and the operating systems that control them (answer: some are older than the internet itself)? If this ignites your curiosity, read on...
On September 7 in Milan, Italy, the Politecnico University of Milan and Cisco brought together a group of expert panelists for the “Internet of Broken Things,” an event open to both students and industry. The goal was to discuss nascent cybersecurity issues for an increasingly connected world. The expert panel included lawyers, professors, researchers, engineers and product marketers. This mix sounds a bit like the groups we have across the board at Cisco working on cybersecurity, and shows how cross-functional and cross-sector parties can be brought together effectively to solve difficult problems.
As a Product Marketer, sitting side by side with IoT security researchers, entrepreneurs and law professionals brought me to the conclusion that the need for IoT cybersecurity is both far in the future and very relevant today.
For example, the ‘connected car’ is now making headlines. The “insider” secret that the manufacturers of connected cars don’t tell you is that cars have networks inside of them that run everything from RPM and anti-lock braking systems to radio and air conditioning. And it is possible to compromise all of these systems, even from something as simple as a wire in the brake light. The truth is that we have been hacking cars for years. Any owner who has ever eliminated the limits of their car’s allowed KPH or MPH is a “hacker.”
One thing to take comfort in is that, for all intents and purposes, it is possible to keep IoT security risks to a minimum by building in security and safety from the ground up. Interestingly, the aviation industry provides us with valuable best practice examples. Believe it or not, this industry has long been incorporating security and safety into the design of every aspect of the experience from the ground up. This may go unnoticed by passengers, and media coverage and the secrecy around the industry’s safety and security measures provide little supporting evidence. However, the airline industry pours incredible effort and resources into classification and management of different security threats. Put simply, they are absolutely obsessed with safety and security in every single process, from conception of a plane on paper and route mapping all the way to a commercial flight.
Security should be built into all IoT connected things from conception through to production and delivery. But that is not yet the case.
Cisco is preparing for the reality of millions of connected devices that have not incorporated safety or security. Cisco has proposed a standards-based approach to IoT cybersecurity called the Manufacturing Usage Description (MUD), which is currently being reviewed by the IETF. A manufacturer should know what a device is intended to do; for example, a light bulb shouldn’t be communicating with a finance server, but it should be communicating with its controller. So the concept is to use the manufacturer’s product knowledge, expressed in an XML file, to create network policy that we can then enforce.
We are proposing that the IETF allow for an additional field in the DHCP protocol for a Universal Resource Identifier (URI). That URI points to the device manufacturer’s web site from which the network security controller pulls the XML file declaring the device’s appropriate usage. That usage file can then be merged with the existing network security policy and enforced. Because MUD will be standards-based, this functionality will be available to any network controller that adheres to the new standards; it’s not Cisco-proprietary. This approach provides another layer to a defense-in-depth strategy and means you don’t have to rely on protection being built into IoT devices from the ground up to achieve basic IoT security.
In plain English: let’s automatically find out what a device should be allowed to do and enforce policies that prevent it from overstepping those limits.
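The flow described above, sketched as an added example (not Cisco's code and not the format under IETF review): a controller parses a device's usage file, merges it with site policy, and enforces default deny. The XML schema, the addresses, the HTTPS-only URI rule and the choice to let site policy override the manufacturer's file are all assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed usage file; this schema is hypothetical, not the IETF draft's.
USAGE_XML = """<usage device="light-bulb">
  <allow proto="tcp" dst="10.0.5.10/32" port="8883"/>
  <allow proto="udp" dst="10.0.0.53/32" port="53"/>
  <allow proto="tcp" dst="10.9.0.0/16" port="443"/>
</usage>"""

# Constructed site policy: segments that no device file may open up.
SITE_DENY = [ipaddress.ip_network("10.9.0.0/16")]  # finance servers


def uri_acceptable(uri):
    """Assumed rule: fetch usage files only over HTTPS from a named host."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.hostname)


def parse_usage(xml_text):
    """Turn <allow> elements into (proto, network, port) tuples."""
    # The file is untrusted input; a real controller would use a hardened
    # XML parser (for example defusedxml) instead of plain ElementTree.
    root = ET.fromstring(xml_text)
    return [(a.get("proto"), ipaddress.ip_network(a.get("dst")), int(a.get("port")))
            for a in root.iter("allow")]


def merge(usage_rules, site_deny):
    """Keep a manufacturer rule only if it does not reach a denied segment."""
    return [r for r in usage_rules
            if not any(r[1].overlaps(net) for net in site_deny)]


def permitted(acl, proto, dst_ip, port):
    """Default deny: a flow passes only if some merged rule matches it."""
    dst = ipaddress.ip_address(dst_ip)
    return any(p == proto and dst in net and port == prt for p, net, prt in acl)


def demo():
    acl = merge(parse_usage(USAGE_XML), SITE_DENY)
    return {"controller": permitted(acl, "tcp", "10.0.5.10", 8883),
            "finance": permitted(acl, "tcp", "10.9.1.20", 443),
            "telnet": permitted(acl, "tcp", "10.0.5.10", 23)}


if __name__ == "__main__":
    print(demo())
```

The third `<allow>` line stands in for a usage file that declares more than the site will accept: the merge step drops it, so the bulb reaches its controller but not the finance segment.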
MUD is the future – what about today? Today, Cisco is serving IoT customers with Jasper, Cisco Connected Factory, Smart Cities, Cisco Trust Anchor Technologies and Ruggedized Next Generation Firewalls to name a few specific offerings.
I wasn’t expecting that an event outside of Cisco, in a discussion around theory and unsolved IoT cybersecurity, could make me more confident in Cisco’s intense focus on its customers. Even in a space as cutting edge and forward-facing as IoT Security, we have the right team, the right focus, and the right principles to serve IoT customers today. Thanks to events like the Internet of Broken Things, we are also ensuring that industry and academia alike are working together to bring customers safely to the IoT of tomorrow.