The division between Internet of Things developers and IT and cybersecurity experts is one of the core problems in securing IoT devices, according to government and industry experts.
“We tend to divide our world up into different categories: mobile, cloud, IoT, [operational technology], IT. And, you know, I think that’s the basic problem,” said Ron Ross, fellow at the National Institute of Standards and Technology. Regardless of how they are classified, “they’re all computers, firmware, and software,” he said.
Robert Bigman, president of 2BSecure and the former chief information security officer at the CIA, agreed that IT departments and IoT developers rarely talk to each other, making it harder for cyber personnel to secure the connected devices.
“It is indeed harder to secure, especially for already deployed, smaller microprocessors, smaller odd protocol stack things that the IT organizations really have very little insight into,” Bigman said. He added that private and government consumers can’t always expect the IoT products they buy to have security built in when some of the processors in those devices are so small that they would break under the strain.
“It’s all about size and speed, and capacity,” said Bigman. “To hold IoT vendors responsible for security flaws without holding Microsoft or Red Hat for their flaws in their software is just, I think, absurd.”
Ross said that he favors a system much like the one that created car safety features, where innovation worked alongside free market regulation.
John McClurg, vice president and ambassador at large at Cylance, said that the U.S. should be aiming for some sort of coordination of security needs between developers and consumers.
“It’s perhaps quixotic at best and perhaps just foolhardy at worst to think that we’re maybe going to succeed in the front end at pulling in all of these various players into doing those things that we’ve been trying to get our larger corporations to do, but I think that’s really what we have to do,” said McClurg.
Kristen Baldwin, principal deputy to the deputy assistant secretary of defense for Systems Engineering at the Department of Defense, agreed with the need to work with developers to make IoT devices more secure.
“We want to take advantage of the benefits that IoT provides us in soldier health monitoring, helmet event data collection, facility security, logistics, and any kinds of asset tracking, inventory tracking, chain custody,” said Baldwin. “The challenge is…some of the concerns that have been discussed here today, how do we adopt engineering practice, how do we bridge IT security with the system design community?”
According to Ross, NIST is already beginning to look at systems differently to accommodate the unique nature of IoT.
“With IoT…we’re looking at systems now a little bit differently than we did before. We’re taking the notion of a general purpose information system, and now we’ve dropped the word information,” Ross said. “We’re just talking about systems. And systems really reflect computers today being pushed to the edge, where the edge is your toaster, your refrigerator, your automobile, a power plant, a medical device.”
“We need greater attention at the national level to this crisis, because I want it to be done before big groups of people start dying,” said Bigman. “And I’m serious about that, but, you know, the way the United States tends to work is when that incident happens, we’re really, really good after it. So I think we need national attention so that we’re really, really good before it.”