
After Chinese hacks, how do we secure the Internet of Things?

Reading about the Chinese hackers hitting the U.S. Chamber of Commerce in Washington, D.C., I was struck by the last two paragraphs, which detailed how the hackers accessed the IP address of a thermostat — as well as the overall tone of resignation around preventing such attacks — and I wondered: How will we secure the web of things? Do we need to give up on the idea of perimeter-based security on the web? From the Wall Street Journal article:

The Chamber continues to see suspicious activity, they say. A thermostat at a town house the Chamber owns on Capitol Hill at one point was communicating with an Internet address in China, they say, and, in March, a printer used by Chamber executives spontaneously started printing pages with Chinese characters.

“It’s nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in,” said Mr. Chavern, the chief operating officer. “It’s the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again.”

In a way, this might be a healthier attitude than thinking you can build strong enough walls to keep hackers out; after all, those walls aren’t just composed of IT defenses but also rely on educating people on how to behave in the face of social-engineering tricks. As someone who locks her doors at night, and who feels like keeping people out as opposed to just hoping that an alarm goes off when people get in, I find the mindset anxiety-producing. But the web, the cloud and the emerging network of connected devices aren’t as easy to defend as a home. There are no defined perimeters or limited access points, which means our IT security, legislation aimed at the web and burgeoning M2M networks need a different approach.

On the IT side, CloudPassage has built a service that’s an interesting approach to securing cloud resources while recognizing the impermanence and porous nature of the medium. It installs software on virtual machines that sends all security and compliance checks out to a separate cloud that then makes sure the traffic follows the rules. It recognizes that securing thousands of virtual machines that pop up and go offline randomly has to take a different approach.

In government, where the Stop Online Piracy Act takes the Maginot Line approach to protecting IP on the web, alternatives such as the Online Protection & Enforcement of Digital Trade Act (which still has some well-documented issues) lean toward an approach that recognizes willful bad guys and leaves accidental infringers of copyright alone. Again, instead of building a wall that could keep everyone out (even legitimate businesses, activists and journalists), the OPEN approach tries to track bad actors but also offers a recourse to those accused of being a bad actor.

As for hacking thermostats, I’m not sure what type of security needs to protect our connected devices and networks, but it’s a question we should be addressing. After all, we have now seen hacked pacemakers, insulin pumps and thermostats. That’s unlikely to be the end of the list.


3 Responses to “After Chinese hacks, how do we secure the Internet of Things?”

  1. If you want a secure network, you do not hook it to the web. Doesn’t keep viruses out, just ask the Iranians about their centrifuges!

    So much for remote access, but for household or business in-house electronic control systems it does provide security.

  2. I guess we can secure the web of things in the same way we make sure today you can’t access my company’s intranet, or you can’t see my ebanking transactions, or you can’t read my emails. We’ve been improving the security mechanism of all things on the web for the last 20 years, so why not leverage that and think about “futuristic” solutions. Sure not the best answer as these aren’t bullet-proof security mechanisms, but certainly “good enough for most uses”, so that would certainly be a good starting point to improve.

  3. Truly a heavy duty and pressing question. The US Chamber of Commerce admits they were hacked by someone with a China IP address – in May 2010. WTF?

    Did the C of C finally assure the Petroleum Club that none of their inside trading tips will have been revealed so they now have permission to release this info?