Open Source Technologies are Key to IoT Growth

FOSS is the future

Free and open source software (FOSS) has become a force to reckon with in many markets, especially in connected embedded devices. For example, VDC Research predicts embedded Linux will run roughly 65% of embedded products shipped by 2017 (it’s over 50% now). Besides the obvious advantages of reusing code, it encourages open standards and frameworks. Here’s a good post on this topic:

Round-up: Open source technologies are key to the growth of Internet of Things

 

The energy sector is a key target for cyber attacks

Introduction

The energy sector is one of the key infrastructure sectors and certainly a highlight of the IoT vision, for example, the SmartGrid. As such it’s a key target for attack since significant disruption of service has large economic effects (possibly strategic as well.) Unfortunately, it’s a very vulnerable sector since many of the existing systems are exploitable and it doesn’t seem that company executives are taking the problems seriously. 

Complacency a key issue

Executive complacency is probably the key issue in IoT, and specifically among energy sector manufacturers, with a startling 88% of companies lacking confidence that their shipping devices are configured appropriately for secure operation.

Critical infrastructure executives complacent about IoT security, study shows

Attack vectors

The energy sector is particularly vulnerable via many of the same vectors as other industrial control systems, with possibly higher impact given the targets. These include:

  • Unauthorized access and exploitation of Internet facing interfaces
  • Exploitation of vulnerabilities in control system devices and software
  • Malware infections in control system networks
  • SQL injection via exploitation of web application vulnerabilities
  • Network scanning and probing
  • Targeted spear-phishing campaigns (specialized phishing campaigns targeted at employees and known targets.)
  • Strategic web site compromises

What needs to be done

Frankly, with complacency being a key issue, security needs to be taken more seriously. In fact, in a previous post, I point to a well-written paper from AT&T that discusses this. A security-first approach is needed for every project, regardless of size. Here’s another set of articles I’ve written that covers a four-step process for security assurance in IoT devices and, by extension, connected devices in the energy sector:

A Four-Step Guide to Security Assurance for IoT Devices

 

AT&T: Security is first and foremost a people issue.

Although this white paper is not IoT-focused, it’s comprehensive and well thought out. Of particular note is the emphasis on making security a top priority from the top down in an organization. I like this quote: “Here’s part of the problem: Too often security remains one step removed from the officers and directors of the company. Security is seen as a technology issue. But security is first and foremost a people issue.” In fact, security is often foisted on software development teams, as in “fix the security, or else.” The recommendations here are excellent and apply to all industries: make sure security is the CEO’s responsibility, adopt a risk-driven approach, appoint someone to champion security (and give them authority), and get outside help.

What every CEO needs to know about cybersecurity