Dark Reading is part of the Informa Tech Division of Informa PLC

Partner Perspectives
10/20/2016
11:02 AM
Ned Miller
Why Aren't We Talking More Proactively About Securing Smart Infrastructure?

Let's not perpetuate the vicious cycle of security complexity and failure by trying to bolt on security after the fact.

Cyberattacks against smart cars, smart homes, and other smart devices are happening today, so it is easy to jump to the conclusion that we will soon be reading about smart buildings and smart cities being attacked.

I have to admit I have become somewhat desensitized to the topic of cyberattacks against infrastructure. Maybe it’s because I see the industry and media classifying the security of smart infrastructure under the topic of securing the Internet of Things. When I hear about IoT attacks, it just hasn’t been personal enough for me to get fired up.

An Intel colleague, Lorie Wigle, head of Intel’s IoT strategy, recently described how technology will be part of climate change efforts. Whatever the carbon goal, renewable energy, energy efficiency, smart transportation, and smart buildings will all play critical roles. After reading her blog, I started noticing other articles covering everything from the latest connected car hacks to suspicions of rigged Internet-connected voting systems.

Maybe you remember a US government exercise from just a few years ago, when a team of hackers used a cyberattack to make an electrical generator motor self-destruct. Or the attack against the Ukrainian electric power grid, which put the US grid on high alert last year.

Recently, the US Transportation Department released the first national guidelines to spur development of autonomous-vehicle technologies and ensure their safety. The day before that, a group of researchers showed that it was possible to control an Internet-connected car from a distance. These researchers said they were able to take over numerous functions of a specific make and model from as far away as 12 miles, manipulating the vehicle’s controls via a laptop computer. They locked the car's control screens, moved seats, activated turn signals, and opened doors without keys. While the car was driving, they used the laptop to turn on windshield wipers, open the trunk, and fold in exterior rearview mirrors. A researcher in an office building also 12 miles from the test track was able to activate the car's brakes while the vehicle was moving.

A June 2016 survey conducted by Dimensional Research assessed cybersecurity challenges associated with smart city technologies by interviewing over 200 IT professionals working for state and local governments. When asked if a cyberattack targeting critical city infrastructure posed a threat to public safety, 88% of the respondents said yes. In addition, 78% of the respondents stated there would likely be a cyberattack against smart city services in 2016.

Smart cities use IT solutions to manage a wide range of city services, including smart power grids, transportation, surveillance cameras, wastewater treatment, and more. Navigant Research anticipates that global smart city technology revenue will reach $36.8 billion this year. Despite growing profitability in the sector, many cybersecurity experts are wary that smart city technologies are being adopted faster than the technology needed to protect them.

I started this blog asking a question: Why aren’t we talking more proactively about securing smart infrastructure? I’ll end it with a request for action: Get seriously involved now. Let’s not repeat the mistakes of the past and perpetuate the vicious cycle of security complexity and failure by trying to bolt on security after the fact.  Build in a sustainable defensive advantage as part of your security reference architecture as you build your smart ecosystems.

Ned Miller, a 30+ year technology industry veteran, is the Chief Technology Strategist for the Intel Security Public Sector division. Mr. Miller is responsible for working with industry and government thought leaders and worldwide public sector customers to ensure that ...
Comments
GIGABOB,
User Rank: Apprentice
10/25/2016 | 11:20:45 AM
Secure the bits and avoid the bullets
I have noted for the past two years that cyber-threats grow more dangerous as we roll out and deploy insecure IoT infrastructure. I noted the rising vulnerability of device hijacking for DDOS attacks - and here we are. I doubt these are state actors at this point, they are saving knowledge of these vulnerabilities for mass exploits as the first rounds fired in an opening attack will be bits not bullets sowing confusion. When state actors emerge we will be well and truly screwed unless we act now to implement much more advanced device encryption, embed an internal device ID and develop a software framework for both the network fabric managing these devices and what they can be allowed to actuate.

This will add to IoT costs now, slowing deployment until these systems can be standardized and embedded in silicon. Ultimately security is not cheap, whether it is for national defense or local police or to avoid mass cyber attacks. But as we have seen, the notion we could deploy simple cameras and toys with vestigial security has already come back to bite us. We also know medical firms have deployed their devices with marginal security for pacemakers and deep brain stimulators for Parkinson's. Guys, get a clue.
jeldredge,
User Rank: Apprentice
10/21/2016 | 11:16:58 AM
Smart Infrastructure
Neil, It is crazy how vulnerable smart infrastructure is to a cyber attack. I, like you, have become numb to the news about IoT attacks, but when you put those smaller attacks into a larger perspective, the idea starts to hit close to home. I completely agree that we need to get seriously involved when it comes to securing smart infrastructure. This was a great post. www.spirentfederal.com.

 