Larry Karisny, writer, speaker, and consultant on IoT and other Cybersecurity issues, will be a featured panelist at the IoT Evolution Expo, coming up February 7 to 10 in Ft. Lauderdale, Florida.
We sat him down to ask him a few questions.
IoT Evolution: So you are an advisor, writer, and speaker focusing on cybersecurity and you will be a panelist in The IoT Evolution Security Track at the IoT Evolution Expo in Ft. Lauderdale taking place on February 7-10th. You have also been a Director of ProjectSafety.org for 13 years. Can you tell us a little about ProjectSafety?
Larry Karisny: ProjectSafey started with combining wireless 4.9 GHz 2.4 GHhz and 5.9 GHz in a single 802.11 j WiFi chipset used in supporting public safety in survivable wireless mesh designs. These radios would be used for communication in catastrophic events such a hurricane when critical infrastructure is down. Basically, public and private in-vehicle radios would create public safety primary access networks by just meshing multiple vehicle radios together creating incident response networks when all other communication systems are down.
Early in the design, wireless and application security immediately was seen as a major problem. This gave ProjectSafety.org the advanced insight security problems in not only wireless technologies today such as IoT but complete operational and industrial IT systems such as the smart grid. In fact, one of the first uses of IoT on a grand scale was the Smart Meter which immediately showed security vulnerabilities. ProjectSafety saw all this coming years ago, and frankly, is shocked about what is going on with IoT which is out in the physical world not just a database of intellectual property that can be stolen. Exploiting an IoT in an operational or industrial IT system can blow something up. Serious stuff and remarkable irresponsibility is shown in not securing these devices.
IoTE: So what is the problem with IoT security and why aren't people adding proper security to these devices?
LK: Let’s first take a quick look at how conventional information system security products work. You start by categorizing security priorities that are important to you, for instance, where your highest level intellectual property is stored or where top secret information is stored an example of the public sector. You then get executive management to agree that money needs to spend in securing these priorities and do risk analysis on the cost of the using the conventional information system security products.
I am using the word conventional meaning the way we secure things today which are flawed, to begin with. In general, conventional security Next Generation Firewall
Wall (NGFW) Intrusion Detection System (IPS) security technologies encrypt or harden the authenticated and access to sensitive information and Security Event and Information Management (SIEM) security technologies to try to keep unwanted attacks from coming into our processes and systems. These conventional information system security approaches are not perfect and are more of a deterrent to cyber attacks than assured stop measures. IoT and the billions of devices that will affect our business and industrial systems will prove these conventional information system security approaches will lack the scale and capability of even deploying today’s cybersecurity products and services into the tiny IoT devices.
Case in point: One of the design criteria in IoT is to establish the longest possible battery life. This requires very small processor and flash memory many times not offering the space for IoT device updates or enough flash memory to install high-end encryption. This is a big problem and eliminates the use today’s IPS technologies and the ability to update devices that may have been exploited. The sheer volume of these devices is making current SIEM security technologies obsolete and unmanageable. There is just too much out there to watch and trying to put in some monitoring database that already often misses attacks, defects, administrative and end user errors using current cybersecurity technologies is not a solution. Basically, current cybersecurity approaches cannot scale to the amount of IoT that some people are predicting to reach one trillion which in turn is demonstrating why we need to address cybersecurity with new approaches.
IoTE: What are the new approaches you would suggest in offering solid cybersecurity methodologies?
LK: Something my colleagues and I realized when trying to secure operational and industrial IT systems: conventional security technology cannot currently follow operational and time sequential business logic. Business logic is applied in the communications among the component part of a system a service or device. There is something that fundamentally needs to change in the where and when we are viewing and mentoring of business process logic.
Current security systems are focused on securing the systems and things we don’t want in the systems when they should be validating that the correct business logic is taking place. We need to focus on what yeses of cybersecurity than the no’s that can no longer scale with the increasingly massive flows of these time sensitive data flows. We need to validate the message unit. The message unit is the communication path for instruction and information shared among interrelated end points. These tiny messages are the sequential actuaries that make something happen in operational and industrial processes. The business logic processes are the flow of putting these message units at the right place at the right time. Combining these capabilities can be used to remediate malware compromises, defects or administrative errors for real-time business and security management. This is a departure from the current historical approach to business and security management, where millions of permutation causes are first modeled and monitored inside databases for compromise.
I have focused on the cybersecurity in the smart grid for years and found something very interesting when addressing security in Industrial Control Systems and the Smart Grid. There were electro-mechanical technologies over 50 years old that were trying to interface with new digital technologies. I searched with my colleagues in trying to find a communication path for instruction and information shared among interrelated end points in the power grid systems. Amazingly there was a communication technique found that crossed years of technology that could be used to monitor these system process. The tiny message action when combined with typical sequential and operational business logic can offer the accuracy, low overhead, and economy that can even secure all operational and industrial process including IoT.
IoTE: If you had total control of cybersecurity in IoT, what would you do?
LK: The last place I spoke as an honored guest was the 11th Annual Cyber and Information Security Research (CISR) Conference at the Oak Ridge National Laboratory in Tennessee. This was the home of the Manahan Project for years that housed the secrets of the atomic bomb. It was interesting to speak there because many people including myself consider cyber attacks targeting critical infrastructure to be potentially as dangerous as the atomic bomb. There were even discussions that the intellectual property of cyber security should be handled like the secrets of the Manhattan Project were handled many years ago. This is not what happens in cybersecurity today.
I am studying for my Certified Information Systems Security Professional exam and frankly was shocked by what I saw. This certification is the gold standard of all cyber security certifications and is all-encompassing in debt look at how cybersecurity runs today. My first surprise was that the areas discussed were often the use of technologies that in many cases were over twenty years old. Then there were the discussions that can give a hacker a road map to the vulnerabilities and the technologies used in addressing cyber attacks. Last I was shocked to find how a cyber attack is discovered and how manual the process was in searching through an amazing amount of data historically stored in system logs. So, a hacker can change something today and we are combating that with 20 years old technologies and manual processes. Not good.
So, if I was running cybersecurity I would just do it. Even Rudy Giuliani the adviser on cybersecurity to the White House stated that “our current cyber defense is not what it should be”. We need to find a way to start fast tracking the use of new cybersecurity technologies rather than dragging them through analysis paralysis groups and organizations. These bureaucracies can often delay or block the release of superior cybersecurity technologies or even worse disclose so much information that a cyber attacker can target cybersecurity vulnerabilities. If there is something out there that makes sense just fund it, test it and get it out there. That’s what hackers do and until we start fast tracking cyber defense technologies the same way we will always be playing catch-up. I will be discussing this more detail in a panel discussion at the IoT Evolution Security Track in Ft. Lauderdale Florida on February 10th. Hope to see many of my colleagues there. With billions of IoT being deployed and an administration in the White House ready to find solutions that are already in the private sector there is no better time for this discussion.
Edited by
Ken Briodagh
