Security updates for the Internet of Things (part 1)

Part one of two - part two is available here.

A decade ago, managing security patches was not a top priority for most IT security personnel. Vulnerable systems were rarely updated and when they were it was an after thought. In the early 2000’s, most security professionals relied on network security to defend vulnerable systems and most assumed they could build strong defenses around vulnerable systems. There simply wasn’t heavy corporate governance or regulatory compliance for security patching because everything was assumed to be behind a security device like a VPN.

You only have to read the headlines from the past decade to see how this has worked out for Sony, Home Depot, Target, and Anthem. It didn’t, and over the last four years we’ve had a rude awakening that our IT departments are full of vulnerabilities waiting to be exploited. With the emergence of the Internet of Things (IoT), this problem is about to affect more than just data. Our medical devices, automobiles, and the various sensor networks that keep our society running present a whole new class of devices and systems that need to be patched frequently to protect against malicious attacks and data breaches.

Today, the absence of a robust security update process is simply not an option. The apprehension of leaving your system outdated with a known vulnerability is not misplaced: a potential attacker with malicious intent will search and identify vulnerabilities by scanning your networks and target the exposed and published almost in real-time. If you expose a vulnerable piece of software to the Internet, it is no longer a question of if -- it is a question of when someone will find an opening and own it. So who can blame the news media for the weekly hysteria driven by the never-ending stream of headlines related to security breaches. Every week it’s tens of millions of customer records compromised and billions of dollars of commerce being placed at risk.

Fast forward a decade and it won’t just be our wallets and our private information at risk. It will be our highways, our transportation networks, our point of sale terminals, our airlines, our stock exchanges, our power plants, our oil rigs, our military infrastructure, and the thousands of sensors that already drive our modern experience. If you think having your Outlook inbox hacked is bad, just wait a few years for things to get more interesting because IoT promises to bring everything online and it is happening a lot faster than most realize.

This increase in frequency of security breaches coupled with the growing connectivity of embedded devices focuses attention on security as the biggest concern for the Internet of Things. From large enterprises rolling out IoT initiatives to support billions of dollars in commerce to a home automation startup focused on improving energy efficiency, a single security incident will make or break these strategic initiatives. When millions of customers can be affected by an IoT security incident companies that move quickly to embrace IoT without a good strategy for security are putting the entire organization at risk. Given the high stakes, it is imperative that device owners build security from the ground up through intelligent design of both hardware and software systems. Those with malicious intent look for components with the largest attack surface - and without the proper designs in place, the potential top candidates for attack are field-deployed, embedded devices.

We’ve learned lessons in the data center that can now be applied to how we manage connected devices. Our industry has mastered techniques for managing hundreds of thousands of servers in data centers and achieving reliability measured in minutes of downtime a year and security compliance across large networks of connected machines within minutes of a vulnerability patch being available. While we’ve perfected these approaches, the new challenge is scaling these approaches to manage the billions of devices that will soon power much of our modern experience.

Enabling these devices to be updated with the latest security patches in a risk-reduced rollout plan is a requirement, but we also need to build systems that can be resilient to failure conditions. A server in the data center can be turned off and replaced, a field-deployed, embedded device requires a different set of solutions. There are a few obvious differences between traditional servers and embedded devices to keep in mind for context.