September 28th, in California SB 327 was signed by the governor, thus becoming the first law of this kind in the United States that imposes provisions on the security of production of the Internet of Things (IoT) (a similar, though more extensive, federal account known as the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is still with the internal security committee and government affairs, and I have not seen any recent activity on its development).
The new California law states that connected devices must be manufactured with "reasonable" security features. This means that IoT device manufacturers may have to start providing exclusive preprogrammed device passwords (instead of pre-defined passwords) or embedding functions that force users to authenticate before access is granted to the device for the first time.
Existing California law already forces companies to implement and maintain reasonable IT security procedures appropriate to the nature of the data collected, but the new legislation applies specifically to "things". I have seen critics of the new law stress that the requirements are vague, neglect cryptography and not addressing the underlying bad practices that are fueling the problem.
But practically everyone agrees that there is a problem.
Poorly protected IoT devices have powered the Mirai botnet used in the destructive Dyn cyberattack of 2016 and countless other cybersecurity nightmares. In recent weeks, it has been reported that a new botnet Hakai IoT "It's becoming a looming and imminent threat" that has even generated "two different Hakai-based variants" of malware spreading online. And these robots are largely powered by hijacked IoT devices.
If the California law, which will come into force in 2020, will have a major impact on the problem or not, it remains to be seen, but points out that people outside the information security sector are now also worried about the security of " things "and the implications of living in our" intelligent "and connected world.
While botnets like Mirai are largely powered by IoT devices expropriated and used for denial-of-service attacks, the reasons behind Internet of Things (IIoT) computer threats can be much more threatening to results. of a company. I see particular weaknesses in the IIoT-enabled manufacturing industry, for example, where Industry 4.0 has encouraged a massive integration of IT systems, devices and cloud resources in the supply chain – and now both operational capacity and intellectual property are at stake.
The recent 2018 Spotlight report on production& nbsp; from Vectra has suggested that manufacturing industry suffers an excessive volume of malicious internal network activity, sideways movement and reconnaissance activities (although they are an IT security company); Deloitte also touched on these vulnerabilities in a recent one article. This would indicate that the attackers have already infiltrated these networks and are sacking for critical resources or attempting to destroy the infrastructure. Attackers could easily gain access to these networks through an imprudent distribution of unprotected and weak (or non-existent) internal controls on the network.
Laws that widely apply best device security best practices can present a solution to this problem, but assistance could come from more innovative quarters.
Blockchain technology, which functions as a distributed database that cryptographically and immutably records every "block" of data moving through a system, could point to a safer future for our connected devices. Blockchain is difficult to fake. Its peer-to-peer, decentralized and consensus-based structure theoretically makes hacking more difficult. C & # 39; is, according to my observation, essentially no central control to be broken or authenticator to deceive.
For example, an attacker could digitally force entry into an unsafe IIoT router in a company. But attempts to use that entry point to manipulate or interact with other nodes in the network could be thwarted into a blockchain model. In that case, the hash record of the attached router would no longer match the others on the network and could not obtain consent verification.
Lots of preliminary small-scale research – & nbsp; including a 2018 & nbsp;revision& nbsp; (registration required) on IoT security issues and a 2017 & nbsp;topic of study& nbsp; (registration required) on blockchain security for smart homes & nbsp; – is in progress and & nbsp;consortia they have already been trained, trying to apply blockchain security to the IoT and IIoT networks. But a viable implementation has not yet emerged. Technology leaders and innovators who wish to further deepen the environment would do well to explore the Hyperledger or Ethereum communities to stay abreast of emerging capabilities and concept demonstrations.
Blockchain is still a relatively young technology, and currently faces scale and speed limitations that are essential in modern IIoT implementations – but the model demonstrates this. I believe that anyone who discovers alternative solutions to these limits can earn a fortune and the grateful acknowledgment of a million IT managers.
And solutions that follow a similar logic deserve our consideration. The idea of abandoning traditional client-server paradigms to foil those who have become experts in subverting them may be the only choice for the future. In the meantime, I believe the best way to mitigate security problems is to put network security into practice & nbsp; (like the practices delineated from the US IT Emergency Preparation Program): conduct regular audits, manage and monitor access, use stratified defenses and so on. Too few of us actually do it, and the attackers know it.
One thing is certain: the way we are doing "things" is now too risky. Regardless of what legislators do or do not do about the security of devices, the industrial internet of things must increase the threat.
Do I qualify?
">
On September 28th, the SB 327 of California was signed by the governor, making it the first law of this type in the United States that imposes provisions on the security of production of the Internet of Things (IoT) (a similar, though more extensive , the bill known as the Internet of Things (IoT) The Cybersecurity Improvement Act of 2017 is still present with the Committee on Internal Security and Government Affairs and I have not seen any recent activity on its development).
The new California law states that connected devices must be manufactured with "reasonable" security features. This means that IoT device manufacturers may have to start providing exclusive preprogrammed device passwords (instead of pre-defined passwords) or embedding functions that force users to authenticate before access is granted to the device for the first time.
The current Californian law already forces companies to implement and maintain reasonable IT security procedures appropriate to the nature of the data collected, but the new legislation applies specifically to "things". I have seen critics of the new law stressing that the requirements are vague, neglecting cryptography and not addressing the underlying bad practices that are fueling the problem.
But practically everyone agrees that there is a problem.
Poorly protected IoT devices have powered the Mirai botnet used in the destructive cyber attack of 2007 and countless other nightmares related to computer security. In recent weeks it has been reported that a new Hakai IoT botnet "is becoming a looming and imminent threat" that has even generated "two different Hakai-based variants" of malware spreading online. And these robots are largely powered by hijacked IoT devices.
If the California law, which will come into force in 2020, will have a major impact on the problem or not, it remains to be seen, but points out that people outside the information security sector are now also worried about the security of " things "and the implications of living in our" intelligent "and connected world.
While botnets like Mirai are largely powered by IoT devices expropriated and used for denial-of-service attacks, the reasons behind Internet of Things (IIoT) computer threats can be much more threatening to results. of a company. I see particular weaknesses in the IIoT-enabled manufacturing industry, for example, where Industry 4.0 has encouraged a massive integration of IT systems, devices and cloud resources into the supply chain – and now both operational capacity and intellectual property are at stake.
The recent 2018 Vectra production Spotlight Report suggested that manufacturing industry suffer from excessive volume of malicious internal network activity, sideways movements and reconnaissance activities (although they are an IT security company); Deloitte also touched on these vulnerabilities in a recent article. This would indicate that the attackers have already infiltrated these networks and are sacking for critical resources or attempting to destroy the infrastructure. Attackers could easily gain access to these networks through an imprudent distribution of unprotected and weak (or non-existent) internal controls on the network.
Laws that widely apply best device security best practices can present a solution to this problem, but assistance could come from more innovative quarters.
Blockchain technology, which functions as a distributed database that cryptographically and immutably records every "block" of data moving through a system, could point to a safer future for our connected devices. Blockchain is difficult to fake. Its peer-to-peer, decentralized and consensus-based structure theoretically makes hacking more difficult. C & # 39; is, according to my observation, essentially no central control to be broken or authenticator to deceive.
For example, an attacker could digitally force entry into an unsafe IIoT router in a company. But attempts to use that entry point to manipulate or interact with other nodes in the network could be thwarted into a blockchain model. In that case, the hash record of the attached router would no longer match the others on the network and could not obtain consent verification.
There is a lot of preliminary research on a smaller scale – including a revision of 2018 (registration request for IoT security issues and a case study 2017 (registration request for blockchain security for smart homes) – and consortia have already been set up they try to apply blockchain security to the IoT and IIoT networks, but a viable implementation has not yet emerged Technological leaders and innovators who wish to further deepen the environment would do well to explore the Hyperledger or Ethereum communities to stay step with emerging skills and concept demonstrations.
Blockchain is still a relatively young technology, and currently faces scale and speed limitations that are essential in modern IIoT implementations – but the model demonstrates this. I believe that anyone who discovers alternative solutions to these limits can earn a fortune and the grateful acknowledgment of a million IT managers.
And solutions that follow a similar logic deserve our consideration. The idea of abandoning traditional client-server paradigms to foil those who have become experts in subverting them may be the only choice for the future. In the meantime, I believe that the best way to mitigate security problems is to practice network security (such as the practices outlined in the United States' IT preparedness preparation program): conduct regular audits, manage and monitor access. , use stratified defenses and so on. Too few of us actually do it, and the attackers know it.
One thing is certain: the way we are doing "things" is now too risky. Regardless of what legislators do or do not do about the security of devices, the industrial internet of things must increase the threat.