In Part One of this Cybersecurity for IoT Blog Series, I noted that we should assume that everything will someday be connected—even those “things” designed without any networking capability. However, we should also be deliberate when deciding what to attach and what to isolate. When a link is established, we should know not only that a connection has been created, but also why, what risks will result, and how those risks will be managed. If connections must be made with care—or in some cases not at all—then why should we assume “things that can be connected will be connected?” It might initially appear that my proposed first and second laws of IoT contradict one another. I would argue against this conclusion.
Connections that enable functionality often also create complexity. This step should therefore be taken deliberately, weighing potential costs and benefits. Attacks have successfully been waged against power distribution networks in Ukraine and national retail payment systems in the U.S. These and other cases may have been preventable if decisions about whether and how to enable network connectivity—whether to isolate or segment key functions from each other—had been fully considered in light of the attendant risks. As we noted in our White Paper on the IoT Threat Environment, “thinking in this way is important because a key activity in terms of both security best practices and compliance is to segment a network to separate systems with different trust levels and to implement a defense-in-depth strategy of layered security.”
We may very well decide that some things ought not to be tied to the Internet or to each other. But we should assume, given the rapid advancement and adoption of IoT, that they might very well be connected in the not-so-distant future.
Technology developed on the faulty assumption of permanent separation will carry hidden vulnerabilities when it is almost inevitably connected. If we instead recognize that some “things” currently in isolation may someday be networked, we gain the opportunity to create contingency plans for security and pathways for updates that otherwise would not have existed. We must then threat-model the mechanisms used to deliver security patches and updates, so as to manage the risks that those mechanisms themselves introduce.
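As an added illustration (not code from the Cisco post) of what threat-modeling an update path leads to in practice, the following checks a firmware update manifest before installation: it authenticates the manifest, verifies the firmware image against the digest the manifest commits to, and rejects rollback to an older version. The device key, product name, manifest layout and firmware bytes are all constructed sample values; a real deployment would use a vendor-held asymmetric signing key rather than the HMAC used here to keep the example dependent only on the standard library.

```python
"""Added example: verifying a signed firmware-update manifest on an IoT device.
Not from the original post. All keys, names and data below are constructed."""
import hashlib
import hmac
import json

# Constructed per-device secret. With HMAC, anyone holding this key can forge a
# manifest, so a production design signs with an asymmetric vendor key and ships
# only the public key to the device. HMAC is used here to stay stdlib-only.
DEVICE_KEY = b"constructed-device-key-do-not-reuse"


def sign_manifest(manifest: dict, key: bytes = DEVICE_KEY) -> bytes:
    """Return the HMAC-SHA256 tag over a canonical JSON encoding of the manifest.
    Canonical encoding (sorted keys, no whitespace) makes the tag independent of
    how the sender happened to serialize the document."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify_update(manifest: dict, tag: bytes, firmware: bytes,
                  installed_version: int, key: bytes = DEVICE_KEY) -> tuple:
    """Apply the checks a threat model of the update path calls for, in order:
    1. authenticity of the manifest (constant-time tag comparison),
    2. integrity of the firmware blob against the digest in the manifest,
    3. strictly increasing version, so an attacker cannot re-install an older,
       known-vulnerable image that was legitimately signed in the past.
    Returns (accepted, reason)."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest signature mismatch"
    if hashlib.sha256(firmware).hexdigest() != manifest.get("sha256"):
        return False, "firmware digest mismatch"
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "version not newer than installed (rollback rejected)"
    return True, "update accepted"


def demo() -> dict:
    """Run the verifier over one good update and three tampered variants."""
    firmware = b"constructed firmware image v7"          # constructed image bytes
    manifest = {
        "product": "example-sensor",                      # constructed product name
        "version": 7,
        "sha256": hashlib.sha256(firmware).hexdigest(),
    }
    tag = sign_manifest(manifest)

    results = {}
    # Legitimate update from version 6 to 7.
    results["good"] = verify_update(manifest, tag, firmware, installed_version=6)
    # Image altered in transit: digest no longer matches the signed manifest.
    results["tampered_firmware"] = verify_update(manifest, tag, firmware + b"\x00", 6)
    # Manifest edited (version bumped) without re-signing: tag no longer verifies.
    forged = dict(manifest, version=99)
    results["forged_manifest"] = verify_update(forged, tag, firmware, 6)
    # Replay of a genuinely signed but not-newer image: rollback rejected.
    results["rollback"] = verify_update(manifest, tag, firmware, installed_version=7)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:18s} accepted={accepted} ({reason})")
```

The order of checks matters: authenticating the manifest first means the device never acts on a version number or digest that an attacker could have written, and the rollback check is what keeps a once-valid update from being replayed after the vulnerability it contained is known.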
The future will be full of connections that we cannot yet imagine. Devices will be used in ways their designers did not anticipate and will fuel future innovations. We need to assume that anything networked can and will be internetworked. With that in mind, we may decide that some “things” are better left isolated from the networks we create. Whether the decision is to connect or to contain a device or system, it should be made with awareness of the risks, so that we are prepared for eventualities in which the Second Law of IoT has been broken.
For more information about Cisco’s Data Protection and Privacy Program, visit trust.cisco.com.
A third law of IoT could be “Absolute security is an absolute myth”, aka “we can only raise the bar of security, but will never be able to stop someone jumping over the bar”. On the contrary, it just means we should keep raising the bar of security.
Great idea! Underscores our messaging that security is a journey—not a destination.
That leads to the question “when do we have enough security”. And sadly, the answer will be given too often by the finance department …
The IoT will bring about a great reliance on Network Behavior Analysis tools to keep pace with the myriad of devices transmitting. We all can hope the NBA tools will continue to get better.
“Absolute security is an absolute myth”.
True!
As part of the Security & Trust Organization I have heightened awareness of the reality that not all things should be connected just because they can be. This plays out especially in my personal life. I am very aware of the tracking capabilities and metadata gathering available on my devices (my smart phone, Fitbit, and my car)… I only engage location services for things that are essential, and sometimes for very short periods of time, so that I’m (hopefully) less of a target for personal attacks and receive less marketing spam than my hyper-connected neighbors.
Security is a big issue; we should consider it an integral part of any system. Moreover, we should clearly state what the system is secure for and against whom.
Best regards.
Here are Cisco’s comments to the US Department of Commerce’s National Telecommunications Infrastructure Administration regarding the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things:
https://www.ntia.doc.gov/files/ntia/publications/cisco_-_ntia_iot_comments_6-2-2016-c1.pdf