Search AFCEA Site

Enable breadcrumbs token at /includes/pageheader.html.twig

Internet of Things Promises to Transform Life, But at What Cost?

Constant vigilance is key to protecting mounds of data created via billions of connections.
By Sandra Jontz

The Internet of Things, the latest iteration of the overarching dream of an omnipresent network architecture, offers an uncertain future in both opportunities and challenges. That uncertainty is growing as the network concept itself expands in scope and reach.

The perpetual quest for convenience and expedience brought about technology that has connected billions of devices that produce and share vast amounts of information, from an infant’s sleeping habits to space mission data. What happens to the data, how it is managed, by whom and with whom, and how it might be safeguarded pose privacy and safety concerns for security experts and government officials.

“We have an endless appetite for more information, and that’s a little bit scary,” says Michael K. Daly, chief technology officer for cybersecurity and special missions of Raytheon Intelligence, Information and Services. “I don’t think that we’ve reached our tolerance level for data volumes. There’s an appetite for more and more information going into deeper domains of expertise.”

Medical systems already try to measure every aspect of what happens inside human bodies, for example, and infant monitors relay in real time information to smartphones about a baby’s breathing and skin temperature. Wireless chips in prescription bottles remind users to take their medications; smart thermostats use sensors and real-time weather forecasts to heat or cool a building; and sensors in city street trash receptacles alert authorities when they are full and need to be emptied.

The connected systems and devices, from small to mammoth, make up the Internet of Things (IoT) through links from people to people, people to things and things to things. “Of all of our critical infrastructure systems, and even within our traditional computing environments, we’re adding more and more sensors to these devices to figure out what’s happening inside of them in order to make them more efficient,” Daly says.

What used to be a military-centric capability has moved well past the armed forces to infiltrate the private sector—both businesses and personal lives. “While the efficiencies and insights gained through the deployment of this massive interconnected system will bring new benefits, it could also bring new risk,” Daly says. “Experience shows us that when everything is connected, everything is vulnerable.”

Researchers predict between 26 billion and 100 billion devices will be connected to the Internet of Things by 2020. From personal fitness wristband trackers to massive critical infrastructure systems that control power grids, bridges and railways, the phenomenon touches everyone. And it remains vulnerable to hackers, hacktivists, cyberthieves, spies and advanced persistent threats, also known as nation-state attackers.

For decades, the U.S. military connected mobile command posts and unmanned systems, and today’s commercial enterprise can garner precious insight from the history. “The expertise gained by companies creating these systems of systems for the military has provided a unique perspective on information security risks,” Daly says.

“The Internet of Things is a big generator of data—all of these various sensors—and it’s tightly coupled to cloud computing,” he continues. “A lot of these new systems and devices and sensors are being tied back to applications as a service, or what people are calling the cloud. And that means that there is data about systems that the Department of Defense operates that is being pushed out into places that maybe various CIOs [chief information officers] are not fully cognizant.”

CIOs need to be fully aware of what is being produced, how it is being produced, where it is being shared, what is being shared and who is doing the sharing. “With the large amount of data generated by the IoT, a key question will be: ‘How do I know the data generated by this system is reliable?’” Daly asks. 

The Defense Information Systems Agency (DISA) will take a holistic approach to safeguard the military’s networks as more systems and devices are connected. Part of its solution begins with the joint regional security stacks (JRSS), a key upgrade to streamline all of the Defense Department’s network operations and improve security, says David Mihelcic, DISA’s chief technology officer. “JRSS will provide protections for things in this large class, the Internet of Things,” Mihelcic explains. “It allows us to provide security policies based on communities of interest in an agile fashion.”

Round-the-clock system monitoring will scrutinize for network anomalies, either from normal everyday operational problems or hostile cyber attacks, he adds.

“So really, it’s the linkage of the JRSS, the cyber situational awareness analytic cloud, the protections that we maintain at the boundary between the DODIN [Department of Defense Information Network] and the commercial Internet, as well as host-based protections,” Mihelcic says of DISA’s approach. “Today on our PCs and servers, we have something called HBSS, host-based security system, to allow for not only the granular security configuration of those operating systems ... but also to feed data, the results of what HBSS is seeing at the device, into that cyber situational awareness analytic cloud.

“Moving forward, we will have something analogous for Internet of Things devices, individual devices—appliances, if you will—that will feed information into [networks] to give us more of a broad, high-definition picture of exactly what’s going on in the network,” he concludes.

The IoT phenomenon calls for further investment and study. The National Science Foundation (NSF), for example, has pledged $4 million over five years to universities to study synchronizing time in cyber-physical systems that integrate sensing, computation, control and networking into physical objects and infrastructure, such as autonomous cars, aircraft autopilot systems and connected energy-efficient buildings. The goal is to improve the accuracy, efficiency, robustness and security with which computers maintain knowledge of time and synchronize it with other networked devices in the emerging Internet of Things, according to the foundation.

“The National Science Foundation has long supported research to integrate cyber and physical systems and has supported the experimentation and prototyping of these systems in a number of different sectors—from transportation and energy to medical systems,” says Farnam Jahanian, the former assistant director of the NSF’s directorate for computer and information science and engineering. “As the Internet of Things becomes more pervasive in our lives, precise timing will be critical for these systems to be more responsive, reliable and efficient.”

Information assurance, data separation with appropriate firewalls and risk containment help toward securing the data, as well as hardening systems, not just patching them, Daly recommends. “On the most basic level, segregate those networks that support these types of systems,” he says. “It’s easier to sort of plug them into a general network, but it’s not smart for us to say, ‘Well, all of these things need to use the Internet, so let’s just plug them all into a big flat network and let them go.’”

Insider threats, whether malicious or benign, can be quashed if supervisors pay proper attention. Increasingly, hackers are turning to social media to target their next subjects. Workers with privileged access to networks pose “the most widely exploited weaknesses in relation to most of the attacks you hear today,” says Ken Ammon, chief strategy officer of Xceedium Incorporated, a network security company. Hackers have taken to social media venues to look for employees who tag themselves as being in supervisory positions or as systems administrators. “They’re crafting very specific campaigns to grab control of that person’s credentials because they know ahead of time there is a very, very good chance the person has elevated rights and will give them the keys to the castle,” Ammon says.

In a study conducted by Ponemon Institute LLC and commissioned by Raytheon Company, 73 percent of privileged users responded that they felt empowered by access to all the information they could view, while 65 percent access sensitive or confidential data out of curiosity, and 54 percent said their assigned access rights go beyond their responsibilities to perform their jobs.

Chief security officers can minimize who has access to what and implement a two-party control system so more risky data access or sharing involves more than one employee, Daly recommends. “No more copying large amounts of data,” he offers. “There are some tools we could be developing to help ourselves there. And then there are insider threats monitoring tools … [that] watched for inappropriate behaviors.

“In this new environment, it’s critical for companies to have insider-focused security and continuous monitoring solutions that can detect anomalies and unauthorized privileged user activity and determine when information has been accessed inappropriately,” he continues. “These must be behavioral analytics, not just simple rules and policies. Companies will succeed in the IoT environment when they understand both the new opportunities gained from new devices in their business ecosystem and the new risks they take on and preplan how best to manage them.”

Enjoying SIGNAL?
SIGNAL Magazine is available through subscription or as part of your membership in AFCEA.
SUBSCRIBE NOW
LEARN MORE
JOIN AFCEA