There has long been a sliding rule that says the more secure
a solution is, the less usable it becomes. With a boom in the Internet of
Things, or “IoT”, many hackers playing with rapid prototyping kits, hacker
spaces in every major city, and 3D printing becoming a mainstay in most public
areas, we need to pause and understand where the slider currently sits. As
more and more elements of our daily lives are driven online, and the cost of
convenience is driven down, we expose ourselves to risks not previously
considered. Never before has it been possible to unlock your front door, preheat
an oven or surveil a home, all from a remote location. Never before has your TV
put your privacy at risk.
While the consumer elements can provide additional creature
comforts, they are also drivers towards what we want at work. Why not push for
tools in the workplace which make life easier?
The reason is the sliding rule. When we choose to open
elements of our home to the convenience of a cloud-based solution, the risk is
primarily compartmentalized into the things within our control, and limited to
our own personal sphere of potential loss. It is a fixed risk which affects mainly
the individual consumer. When a decision is made to integrate similar
technologies within a company, the result is a greater exposure of risk—at the
corporate scale, and in many cases, the risk extends to potentially millions of
customers as well.
A troubling trend is the focused desire to
connect SCADA and Building Management System (BMS) solutions to bridged IP
networks. Typically these controllers have been closed-loop or air-gapped
designs, secured through isolation. They run older software for which few
upgrades are available, and they are not designed to stand up to the rigors of an
untrusted environment. By marrying the ability to turn on a porch light for a
house with the perceived need to control critical infrastructure from the
comfort of an iPad on the back deck, our core utilities are more at risk than
ever.
As building engineers see the convenience of solutions
offered through hardware stores, and push for these same integrations on a
larger scale, the security community must be mindful of where the slider sits and
assess the risks proportionally. It won’t be long before even the most mundane
tasks are ported to the smartphone, but at what price to protection? There is
an absolute benefit to access, immediate control, and newly discovered data
points for analysis. These benefits need to be weighed against the risks of
outages, loss of control, or even deliberate malicious acts.