How to Fix the Many IoT Security Gaps That Nobody Is Thinking About
Sometimes it's water or sewage; sometimes it's natural gas or petroleum. It doesn't take much to understand the importance of a gas or petroleum pipeline, nor the catastrophe that could happen if the sensors are hacked right before someone attacks that pipeline. As the September 2010 explosion of a high-pressure gas pipeline in San Bruno, Calif., demonstrated, such a catastrophe is indeed possible. While there's no indication that tampering with sensors was an issue in that disaster, it demonstrates that there's reason enough to protect such sensors and the data they provide.
While it's likely to be nearly impossible to simply add security to existing sensors and controllers that make up this part of the IoT, perhaps it's possible to begin with a more measured approach. Clearly some of those things are reporting on critical infrastructure and should be upgraded as quickly as possible. That is already a tough job, but probably not impossible since these devices need routine servicing anyway. Perhaps when they're visited for service, the communications modules can be upgraded.
Other devices that normally aren't considered part of the critical infrastructure may also need a look, such as controllers for traffic lights and embedded sensors in highways. One way to shut down a large city, after all, is to simply turn the traffic lights red—an approach that's already been used in a couple of thrillers. While there are workarounds for that, including the time-honored approach of treating a broken traffic light as a stop sign, we all know how well that works in real life.
I can't list all of the possible ways that the IoT could be turned against society. There isn't space and, besides, most of it doesn't apply to most of you who are reading this. But what does matter is the need for awareness of this issue. Ask yourself what part of the IoT impacts your job. Then ask yourself how you can approach the security of the things that have an impact. Can you talk to your IT manager? Your factory floor supervisor? Your safety officer? Perhaps just asking the question is enough to start the process.
And if your job isn't impacted by any part of the IoT, then perhaps your life outside of work is. Maybe it's time to start calling your state legislator or your local mayor about security of the traffic sensors. It doesn't matter what part of the IoT you help secure. Eventually, every part will need some attention. What matters is that it starts somewhere.
But again, while it's probably impossible for cash-strapped local governments to replace their traffic light controllers all at once, perhaps it's not so hard to upgrade them over time as they need routine service.