Safety, Security, and Privacy Threats Posed by Accelerating Trends in the Internet of Things
Kevin Fu, Tadayoshi Kohno, Daniel Lopresti, Elizabeth Mynatt, Klara Nahrstedt, Shwetak Patel, Debra Richardson, Ben Zorn
Abstract: The Internet of Things (IoT) is already transforming industries, cities, and homes. The economic value of this transformation across all industries is estimated to be trillions of dollars and the societal impact on energy efficiency, health, and productivity is enormous. Alongside potential benefits of interconnected smart devices comes increased risk and potential for abuse when embedding sensing and intelligence into every device. One of the core problems with the increasing number of IoT devices is the increased complexity that is required to operate them safely and securely. This increased complexity creates new safety, security, privacy, and usability challenges far beyond the difficult challenges individuals face just securing a single device. We highlight some of the negative trends that smart devices and collections of devices cause and we argue that issues related to security, physical safety, privacy, and usability are tightly interconnected and solutions that address all four simultaneously are needed. Tight safety and security standards for individual devices based on existing technology are needed. Likewise, research that determines the best way for individuals to confidently manage collections of devices must guide the future deployments of such systems.
Introduction
Increasingly we live in a world of connected smart devices. This “Internet of Things” (IoT) combines devices with sensor capabilities and connectivity to the cloud and allows them to leverage artificial intelligence, machine learning, and big data analytics, sometimes dramatically increasing their capabilities. Everyday users have progressed from having a single home computer to a variety of devices that are each individually managed, which can be difficult. For example, due to consumers failing to change the default password, many baby monitors allow arbitrary strangers on the web to view unsuspecting people’s homes. But the proliferation, capabilities, and interconnectedness of smart devices present dramatic new opportunities and challenges that require new research and industry approaches to make such systems safe, secure, effective, and usable. The problem is so acute that the FBI recently issued a public service announcement suggesting consumers should “Isolate IoT devices on their own protected networks” and “...be aware of the capabilities of the devices…” which are expectations highly unlikely to be followed in practice.

In this paper, we argue that collections of smart devices present new challenges that require a greater understanding of how people can effectively use such systems and a deeper investment in policies and tools that give users confidence in them. In particular, issues related to security, physical safety, privacy, and usability are tightly interconnected and solutions that address all four simultaneously are needed.

There have been numerous estimates of the impact of the Internet of Things on the economy, with estimates that the number of deployed devices will be 50 billion by the year 2020 and that the total economic impact may be up to 10 trillion dollars by 2025. We already live in a world of interconnected devices, with numerous companies offering smart devices such as smart thermostats, smart doorbells, etc. In the so-called Industrial Internet of Things and Smart Cities initiatives, factories and cities will become infiltrated with interconnected smart devices, with large projected improvements in efficiency and reliability. For example, hospitals have benefitted from a proliferation of interconnected sensor devices, resulting in improved health outcomes and lower costs.

Unfortunately, as the number and connectivity of such devices increases, the challenge of managing these collections of devices becomes exponentially more difficult. If managing a single home computer is difficult for a non-technical person, imagine what is needed to understand and correctly manage a network of many interacting devices. For example, consider a hypothetical scenario where an Apple iPhone, a Ring doorbell, an Amazon Echo and an Xbox work together. The iPhone is used to configure them and the Echo is used to implement voice commands so that, for example, a user could tell Echo to show the video feed from the Ring on the TV using the Xbox. Another example could focus on energy usage and home monitoring. Smart water and electricity meters could coordinate to monitor and adjust water and power while determining what patterns of home activity correlate to high usage.

Making a single device secure and safe is already a difficult problem. Safety issues, in particular, are increasingly important for IoT systems as they are used to physically control electrical devices like light bulbs and heating systems in both homes and in businesses. The safety problems discovered with the Samsung Galaxy Note smartphones catching fire illustrate the challenges of making devices safe even without an attacker trying to cause harm. Making them safe in the presence of an attacker is even more difficult and requires rethinking how such devices are designed and tested for safety.

The consequences of having many insecure individual devices attached to the internet were highlighted recently when the Mirai malware was used to create a 380,000-device IoT-based botnet used in a massive distributed denial of service (DDoS) attack. Only a month later, a major cyberattack harnessed tens of millions of machines, including a large number of IoT devices, aimed at the Internet’s domain name server (DNS) infrastructure, disrupting a number of major service providers including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times. As more insecure nodes are attached, the leverage an attacker gets in using them increases.

Beyond the existing challenges of securing individual devices, we need to simplify how people interact with a collection of devices so that they don’t have to think about each device and how they might interact. For example, with an iPhone, Echo, Ring, and Xbox, what information is being shared between the devices and what are the privacy policies in place regarding what information from a private home can be sent to the different companies and how can this information be used? Beyond privacy, what security vulnerabilities does this particular collection of devices create and what entity is responsible for informing owners that such vulnerabilities exist? In much the same way that operating systems have evolved to allow individual users to configure and manage them, new technology is needed for users to more easily understand, configure, and manage their collections of devices.

In this paper, we consider two scenarios where collections of devices create opportunities and challenges: interconnected devices in a smart home and device collections in hospitals. By looking at both a consumer-oriented scenario and safety-critical commercial applications, we can observe similarities and differences in the requirements for such systems.
[Figure: The Internet cartoon Joy of Tech's interpretation of the future of IoT]
Smart Devices in Homes
Despite the availability of many connected solutions for the home, the rapid growth of this space has outpaced security and privacy research, regulatory guidelines, discussions on longevity and safety, and a general understanding of how such systems reflect human understanding and mental models. However, the emergence of scalable smart home systems has the potential to directly impact our daily lives. Thus, we present a set of opportunities and challenges for computing research for smart home technology.

With more and more connected appliances appearing on the market—such as Jarden’s Mr. Coffee™ and Crock-Pot™—new physical safety hazards emerge due to the ability for software to control these high-powered loads. Recent work has shown the safety hazards of simple WiFi-enabled appliance modules and light bulbs. Analogous to mandated safety measures such as electrical circuit breakers, GFCI switches, and fire-rated walls that protect consumers from faults in home infrastructure, smart home technologies need a similar layer of protection. Just as National Electric Codes (NEC) and National Electrical Manufacturers Association (NEMA) exist to provide safety guidelines, similar safety enforcement processes need to evolve for IoT appliances in the home. Building codes will also need to evolve to support emerging smart home technologies. Addressing safety hazards for home IoT devices will require a coordinated effort between the computing community and the Department of Housing, Federal Communications Commission (FCC), Underwriters Laboratories (UL), and National Institute of Standards and Technology (NIST).

Smart home technologies, and the IoT in general, pose a new challenge in abandonment by manufacturers, especially IoT startups that may introduce a product in the market and quickly go out of business or completely abandon support. These so-called “zombie” devices remain on a home network without future support for security and safety patches. These risks are problematic for technologies that are integrated into the home’s infrastructure or appliances that may reside in the home for many years, creating both a policy and a technology challenge. There is a need for approaches to effectively detect these abandoned systems and monitor the interaction of these devices with other platforms. The other extreme would be to require manufacturers to remotely disable legacy devices when support ceases.

Smart Devices in Hospitals
Hospitals – and healthcare in general – benefit greatly from computation. Computation can enable more accurate, more informed patient care in the form of electronic medical records. Computation enables increased efficiency within hospitals, allowing a single nursing station to wirelessly monitor many patients at once. For example, a nursing station could remotely – and wirelessly – monitor the drug pumps dispensing drugs to all the patients within their care. Computation even occurs inside patients’ bodies in the form of wireless implantable medical devices, like pacemakers and implantable cardiac defibrillators.

Unfortunately, it has long been known that with the increased benefits of computation in hospitals also comes the potential for patient harm if there are defects in the systems’ software. A canonical example is that of the Therac-25, a radiation therapy device from the 1980s that was found to have a software defect that could cause patients to receive approximately 100 times the radiation therapy that they were supposed to receive. This software defect, human factors, and project mismanagement resulted in harm to patients, and at least several deaths.

These harms were caused by accident. In the cybersecurity arena, we must ask: what might an intelligent, creative adversary be able to accomplish, and how can we provide resiliency against such an adversary? That adversary can clearly cause at least as much harm as might occur by accident, and likely more, because that adversary can force the systems into their worst-possible configurations. Moreover, due to the increased pervasiveness of computation within the healthcare environment, the potential attack surface to cyber adversaries is even greater today than it was in the 1980s.

A comprehensive approach to cybersecurity in hospitals must consider each of the computational devices within the hospitals, as well as what those devices depend on. For example, cyberattacks against the hospital’s power infrastructure could significantly impact patient care. Cyberattacks against the hospital’s water supply could also significantly impact patient care. There have been cases where hospital servers have been shut down by ransomware, thereby requiring healthcare providers to revert to paper-based records – something that many younger hospital staff might not be trained to work with. Building on the ransomware scenario, imagine the impact of even more malicious malware, such as malware that intentionally modifies patient electronic prescriptions or dosage records, to possibly dangerous drugs or drug levels. One can similarly imagine the potential impact of compromising hospital devices that directly impact patient care, ranging from computerized radiation therapy devices to the devices that doctors use to wirelessly change the settings on implantable medical devices, like pacemakers and implantable drug pumps.

We stress that cybersecurity is about risk management, and that the set of harms that might be possible is often greater than the set of harms that are likely to occur in practice. Hospitals – and healthcare in general – need to be vigilant in assessing the spectrum of potential harms so that they are not surprised by unexpected impacts, and then realistic about assessing the actual risk of these harms. Security best practices should be used whenever possible. For example, devices should not use default passwords. And, when possible, if a device is known to have a cyber vulnerability, then that device should receive a software update.
Smart Health in the Home
The previous two scenarios combine in interesting ways when one considers the increasing use of healthcare technologies in the home. Whether motivated by sustaining older adults wishing to “age in place,” the increasing use of wearable sensors (now often worn before and after surgical treatment), or the increasing interest in accountable care and the need to monitor patients “in the wild” to help ensure treatment success, digital technologies are seeping out of traditional healthcare environments and finding their way to typical homes. In this perfect storm, we now have the safety and security vulnerabilities combined as two systems (home and healthcare) attempt to reside in the same physical setting and likely on the same wireless network. The home becomes a backdoor vulnerability to the hospital and vice versa. What is at stake, beyond security, is the desired reliance on data generated in the home to inform healthcare decision making. This data could be paramount in helping older adults avoid the costs of institutional care, in helping patients undergoing treatment to stay out of emergency rooms when not needed, and getting to them when critical, and helping patients whose illness includes environmental triggers (e.g. asthma) manage their treatment and behavior on a day-to-day basis.
Implications of the Scenarios
Security and Physical Safety
The most important requirement for collections of devices is that they guarantee physical safety and personal security. While there has been a great deal of research and commercial investment in preventing cyberattacks, protecting collections of devices presents new challenges that have not been addressed. In particular, the ability of smart devices to control physical aspects of the environment (such as the house temperature or whether a door is locked) creates potential attacks on an individual’s physical safety that require even higher levels of assurance than existing cyberattack countermeasures. The distributed and interconnected nature of multiple systems present in device collections also requires rethinking of the basic concept of security and system management. Without taking a multi-system view, security techniques will be unable to anticipate and counter vulnerabilities that arise from incorrect configurations or attacks that exploit vulnerabilities in the way that devices interact with each other and with computing in the cloud.

Because interacting devices have been present in hospitals for some time, and because hospitals are subject to regulatory frameworks that require higher levels of compliance, the hospital scenario for managing collections of smart devices is better understood. Insights based on this experience include: (a) the life-cycle of the device, including how software is upgraded, must be taken into consideration, (b) physical accessibility of devices, including the ability for an intruder to access interfaces such as USB ports or WiFi networks, must be carefully controlled, and (c) the regulatory framework around privacy makes reasoning about where data is collected, how it is shared, and where it is stored very challenging.

Contrasting the two scenarios of devices in the home versus devices in a hospital, we draw several conclusions. First, different degrees of security vetting and analysis are required for each scenario. There are already regulatory constraints on medical devices but the exploding complexity and increasing potential vulnerabilities require thoughtful revisiting of what level of certification is required to provide appropriate levels of security and safety assurance for such applications. The recent news of security vulnerabilities in St. Jude pacemaker devices highlights the challenges in determining the right level of cybersecurity assurance needed for individual devices and also the overall collection of devices. Likewise, hospitals would be more attractive targets for coordinated attacks akin to the “ransomware” attacks currently being conducted on hospital electronic health record (EHR) systems.

Second, while hospitals employ IT professionals to manage their collections of devices, consumers have no such support but are subjected to similarly challenging system complexity. The recent report from the Commission on Enhancing National Cybersecurity highlights similar risks to small businesses that cannot afford an IT staff. Any improvements in allowing individuals to understand and manage such a collection of devices will benefit both scenarios but the consumer scenario requires rethinking how such systems can be explained in terms accessible to everyday users.
Privacy
Privacy is challenging to understand and guarantee in a world where more and more smart devices collect data, share it, and monetize it. The model that software is monetized by advertising is being applied at the device level. Many free smartphone apps already collect data at the user’s expense and sell it in ways that are not obvious or explicit to the consumer. Algorithmic techniques such as differential privacy provide theoretical assurances for limiting the potential impact of data sharing, but such techniques are rarely used in practice and as a result the privacy implications of increasingly intrusive smart devices and sensors are unknown.

The complexity of understanding the privacy policy of a single application, like Facebook, can overwhelm individual users and the burden of understanding such policies for every device and application being used requires attention and complexity beyond most people. Consider, then, the challenge of understanding not just one device but many that interact in complex ways. Without new mechanisms for explaining what information is being collected and shared, not by each individual device, but in aggregate, users will be unable to understand what the privacy implications of their choices are.

Consider, for example, buying a smart fork (a real device). How does a consumer know what information the fork is collecting (beyond counting the individual fork lifts, for example)? What if the consumer then buys a smart plate? Can the fork and plate exchange information? And if so, what can be inferred from the combination of the information that can’t be determined from either data source? Consider for example an Internet TV service and a smart thermostat. The use of smartphones to control these devices creates data to identify individuals in the home. The thermostat can then pinpoint who is where in the home and when. A few IoT devices in the home can lay out a pretty detailed map and timeline of home activities.

In the hospital setting, regulatory compliance with HIPAA and other regulations determines what is legal regarding data collection and sharing. The complexities of understanding whether a particular device configuration is compliant rely on the wisdom and understanding of IT professionals. As the complexity of data being collected increases and the ways it is used become more diverse, really understanding the privacy implications of a particular configuration is likely to challenge even the best-informed IT professionals.

Beyond understanding privacy implications of connected devices acting as they are intended, the implications of data breaches on privacy due to security vulnerabilities increase the complexity and risk in providing adequate privacy guarantees. Fortunately, advances in storing and operating on encrypted data will likely provide technical solutions to some of the challenges of preventing data breaches. Nevertheless, the presence of malicious state-sponsored actors attacking the privacy of high-profile individuals greatly increases the level of protection needed to provide overall confidence in such systems. Ultimately, social engineering attacks and attacks based on inadequate human understanding of these systems remain perhaps the greatest challenge to overcome.
Usability and the User Experience
We have already made the case that the ability for professionals or consumers to understand and manage complex systems creates significant vulnerabilities to security, safety, and privacy. To attack this problem there are two approaches: either simplify the systems sufficiently that they can then be understood, or build better conceptual models for users and tools to reduce the burden.

Due to the widespread use of open-source software including Linux in creating many smart devices, the configuration of many smart devices is arcane and assumes significant expertise to understand and manage. Simplifications can be made by reducing the number of choices and exposing the configuration as a “wizard” but there are limits to what can be eliminated. Another simplification is to explicitly disallow devices from interacting with each other. While this scheme reduces the management burden of the user, it also significantly reduces the potential value of the system. For example, a device that determines that there is no one present in a house might want to communicate with the device controlling a garage door to close it, but their interaction would be prevented.

As an alternative, new approaches to helping individuals see the bigger picture of their entire device collection are possible. In particular, a “device dashboard” might present a view of all the devices, how each is configured, and how they relate. Such a view can extend familiar concepts that users have in managing individual computers, such as security and privacy settings, to understanding their entire network. With such an aggregate view, tools that help users track the configuration, such as individual software updates, and guarantee the current configuration is secure can be developed and marketed.

Understanding how people think about technology, their willingness to adopt it, and their challenges in maintaining it needs to be a critical part of smart device research and policy going forward. No level of software security is sufficient if the person configuring the system fails to provide adequate passwords or understand that the system is misconfigured. Historically the human dimension of design could be offloaded to expert IT professionals but increasingly these hard usability problems need to be handled directly by consumers.
Recommendations
Based on this discussion, we recommend the following approach to expanding the research agenda and policy agenda based on advances in the Internet of Things and ad hoc collections of smart devices.

Broad conclusions
• Problems of security, privacy and usability cannot be considered separately - they need to be considered together and federal investments should prioritize solutions that focus on augmenting a person’s ability to understand and manage complex systems.
• The potential for risks to physical safety requires that minimum levels of cybersecurity assurance be defined and required for widespread device deployment.
• Milestones must be established for determining the level of analysis and testing required for smart device products (akin to targeted EPA emission requirements). Specifically improve:
  • The transparency of the software the devices are running for inspection and analysis
  • The level of testing and analysis required for certification
  • The level of hardening of the critical components (crypto, secure communication, secure update channels)

Secure and manage individual devices
Existing efforts such as the Cybersecurity Assurance Program and the Report of the Commission on Enhancing National Cybersecurity provide guidelines and requirements to help ensure that individual devices are sufficiently secured. Beyond the current investments we recommend:
• Revising safety requirements for internet-connected electrical devices with an emphasis on adversarial thinking, in order to limit the damage that a remote attacker with harmful intent is able to do.
• Increasing the emphasis on building software and hardware based on verified components. Program verification technology is advancing rapidly and increasingly complex subsystems, such as cryptographic implementations, should be developed using state of the art verification tools.
• Increasing requirements for program analysis and testing tools to certify software deployments in smart devices, with different levels of analysis required depending on the degree to which physical safety might be threatened by the device.
• Improving software update requirements for devices that are deployed to allow software to be patched as new vulnerabilities are discovered.
• Updating mechanisms that are resistant to exploitation using state-of-the-art encryption.
• Creating cradle-to-grave requirements that specify what happens when devices are no longer being updated, for example, because the company producing them went out of business.
• Supporting research to help users correctly maintain their devices and software.

Managing collections of devices
Very little has been specified regarding managing collections of devices despite the fact that they are increasingly present. As a starting point, we recommend the creation of:
• Explicit software that considers all the devices in a collection and presents an overview of them to a user (device dashboard).
• Management tools that allow the user to understand and change the configuration so that it remains secure over time.
• Simplifications in the complexity of configuration management that prevent users from common errors that create security or privacy errors.
• A user experience that leverages concepts that users are already familiar with in managing individual devices.
Summary
Technology is rapidly evolving and having a greater impact on society than it has ever had with sensing and intelligence starting to be embedded in every device. The advances bring significant benefits to people, companies, and organizations, but until the technology is better understood, there are also associated risks. We have outlined some of the implications of these changes through a discussion of use-case scenarios and the dimensions of safety, security, and privacy. We believe that changes are happening with such speed and the level of risk and uncertainty is sufficiently high that investment in research that helps mitigate potential problems should be prioritized. The potential benefit to human lives, our national interests, and the economy is sufficient to warrant substantial research investments in making the technology as beneficial as possible.

For citation use: Fu K., Kohno T., Lopresti D., Mynatt E., Nahrstedt K., Patel S., Richardson D., & Zorn B., (2017). Safety, Security, and Privacy Threats Posed by Accelerating Trends in the Internet of Things. http://cra.org/ccc/resources/ccc-led-whitepapers/

This material is based upon work supported by the National Science Foundation under Grant No. 1136993. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.