In Part One of this Cybersecurity for IoT Blog Series, I noted that we should assume that everything will someday be connected—even those “things” designed without any networking capability. However, we should also be deliberate when deciding what to attach and what to isolate. When a link is established, we should know not only that a connection has been created, but also why, what risks will result, and how those risks will be managed. If connections must be made with care—or in some cases not at all—then why should we assume “things that can be connected will be connected?” It might initially appear that my proposed first and second laws of IoT contradict one another. I would argue against this conclusion.
Connections that enable functionality often also create complexity. This step should therefore be taken deliberately and with an eye towards weighing potential costs and benefits. Attacks have successfully been waged against power distribution networks in Ukraine and national retail payment systems in the U.S. These and other cases may have been preventable if decisions about whether and how to enable network connectivity—whether to isolate or segment key functions from each other—were fully considered in light of the attendant risks. As we noted in our White Paper on the IoT Threat Environment, “thinking in this way is important because a key activity in terms of both security best practices and compliance is to segment a network to separate systems with different trust levels and to implement a defense-in-depth strategy of layered security.”
We may very well decide that some things ought not to be tied to the Internet or to each other. But we should assume, given the rapid advancement and adoption of IoT, that they might very well be connected in the not-so-distant future.
Technology developed based on the faulty assumption of permanent separation will yield hidden vulnerabilities when it is almost inevitably connected. If we instead recognize that some “things” currently in isolation may someday be networked, we are then offered an opportunity to create contingency plans for security and pathways for updates that otherwise would not have existed. Then we must threat model the mechanisms used to deliver security patches and updates to manage the risks that they introduce.
The future will be full of connections that we cannot yet imagine. There are devices that will light up in new ways and fuel future innovations. We need to assume that anything networked can and will be internetworked. With that in mind, we may decide that some “things” might be better left isolated from the networks we create. Both the decision to connect or to contain a device or system should be made with consciousness of the risks so that we are prepared for eventualities in which the Second Law of IoT has been broken.
For more information about Cisco’s Data Protection and Privacy Program, visit trust.cisco.com.