When the Department of Homeland Security issued a warning in March that hackers could intercept data from a drug-infusion pump, and even commandeer its operation, it was a potent and long-feared demonstration of the vulnerabilities of the Internet of Things.
But a panel of experts at LiveWorx said solving security concerns like these requires not just new technological safeguards, but a change in culture.
For one thing, incorporating security into the operation of IoT devices is as vital as including it when they’re being designed and manufactured, the panel agreed; the access codes in the pump, made by Hospira, for example, purportedly were not encrypted, and were not erased before the device was sold to a hacker on eBay.
“You can make the software as secure as possible, and if you don’t scrub it, all of that product’s security is going to go out the window, because your operational security is not there,” said Rob Black, senior director of product management at Thingworx.
For another, startups eager to exploit the fast-growing idea of making smart, connected products need to slow down long enough to pay attention to security.
“To them, security’s not part of it,” said Alan Tait, CEO of Stream Technologies. “As an industry, we have to grow up. Security’s been treated for so long as someone else’s problem.”
But manufacturers can’t be so obsessed with security that it obscures the purpose or effectiveness of the devices they produce.
“We have to walk a very fine line to not make a product unusable,” said Greg Dameron, director of software engineering at Medtronic.
This balance doesn’t mean security is not increasingly essential, the panelists told a crowded conference room. On the contrary, “This is a topic people are chomping at the bit to talk about,” said the moderator, Paul Roberts, editor in chief of The Security Ledger, which covers Internet of Things security.
A study by HP Security Research found that 70 percent of the most commonly used IoT devices have security flaws, with an average of 25 vulnerabilities per device, including a lack of encryption and inadequate software protection. The Food and Drug Administration urged in October that medical device-makers strengthen their security. And in a report in January, the Federal Trade Commission urged manufacturers to pay more attention to security in the design process.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez said at the time.
Many products in which faults were found were manufactured years ago, said Dameron, who estimated that attention to security in the fast expanding variety of IoT devices has increased greatly since then.
Companies like his, he said, have established global security and privacy offices and hired third-party experts to assess security. Medtronic has even invited its competitors to collaborate on security issues.
That doesn’t mean the problem has been solved, said Dameron and his fellow panelists.
“You can never design for everything,” he said. “It’s difficult to assess today what will be a challenge for the future. There are technologies that we’re assuming today are good, but who knows? You have to assume the worst.”
That means, among other things, figuring out which data needs to be protected, and which may not.
“There are some data that are more important than other data,” said Andreas Laumann, chief software architect at the German company Secure Solutions.
A good model is the doctors’ oath to do no harm, Tait said. “And that comes down to any device. Can this data actually do damage? In that case, do I have to put security on?”
But that security should not be so complicated that it thwarts the device itself.
“You see the failure of email encryption. Nobody uses it,” Laumann said. “Everyone wants security, but they want it to be easy. We have to work on that. We have to open the minds of our customers.”
One way to do that is to use open-source security software, which the panelists agreed “is going to be the most secure from an encryption protocol, because that code will be reviewed by so many people that it will be much better than if you bought an encryption package from a vendor,” as Black put it. “That will be some of the most hardened code around. Custom solutions may have hidden holes you don’t know about.”
Hospira said it has released a new version of the software used to operate its drug pump, which fixes the vulnerabilities. The problems were discovered by an independent security consultant, who reported them. No patients were harmed.
It was an important lesson, Tait said.
“As we connect more and more things to any form of Internet, not just the Internet of Things, unless there’s a security model there, people will go after it,” he said. “Even if we make it difficult, people will still go after it.”