While the connected devices industry is seeing intense growth with evolving technologies, it is also important to be aware of the current cybersecurity issues, according to a recent hearing held by the House Energy and Commerce Subcommittee.
The Subcommittee on Commerce, Manufacturing, and Trade met on November 16, 2016 to discuss recent cybersecurity attacks, and how the scope of the threats and vulnerabilities presented by connected devices needs to be examined.
“We have learned about a number of best practices, and standards-setting projects are on-going with various groups,” CMT Subcommittee Chairman Michael C. Burgess, M.D. said in his opening statement. “We are facing exciting growth in the connected device industry, but we also need to see meaningful leadership from industry about how to address these challenges.”
Burgess added that the government is “never going to have the manpower or resources to address all of these challenges as they come up.” Therefore, industry must take charge to ensure that the right balance is found between functionality and security.
Subcommittee on Communications and Technology Chairman Greg P. Walden stated that a concerted effort is needed “to improve not only device security, but also coordinate network security and improve the relationship between industry and security researchers.”
“We’re all in this together and industry, government, researchers, and consumers will need to take responsibility for securing the Internet of Things,” Walden noted.
The meeting discussed the following issues:
- What are the key risks associated with DDoS attacks? How is industry addressing these risks when developing new products?
- What role does the proliferation of connected devices play in the execution of a DDoS attack? How should device manufacturers assume responsibility for cybersecurity risks?
- What supply chain issues and challenges exist for hardware and software developers in the Internet of Things ecosystem? What industry consensus mechanisms exist on how to address these challenges?
Level 3 Communications Chief Security Officer Dale Drew was one of several witnesses who spoke at the hearing. According to Drew, the proliferation of IoT devices presents a great opportunity, but the “lack of adequate security measures in these devices also poses significant risks to users and the broader internet community.”
“Vulnerabilities in IoT devices stem from several sources,” Drew explained. “Some devices utilize default and easily-identifiable passwords that hackers can exploit. Others utilize hard-coded credentials that users are not able to change. Many devices also lack the capability of updating their firmware, forcing consumers to monitor for and install updates themselves.”
Furthermore, a phone or computer may have endpoint protection capabilities; IoT devices, on the other hand, could become compromised without the issue being noticed for long periods of time.
“The current lack of any security standards for IoT devices is certainly part of the problem that ought to be addressed,” Drew pointed out. “In particular, IoT manufacturers and vendors should embrace and abide by additional security practices to prevent harm to users and the internet.”
Virta Labs CEO Dr. Kevin Fu agreed, and said that while cybersecurity attacks are not necessarily new, the sophistication, scale of disruption, and impact on infrastructure are unprecedented. IoT devices need to have cybersecurity built in, not just added on after the fact.
Fu specifically recommended that built-in, basic cybersecurity hygiene for IoT devices be incentivized by establishing meaningful security milestones and encouraging use of strong cryptography.
Agencies such as NIST and NSF should be supported, added Fu, who is also an associate professor in the Department of Electrical Engineering and Computer Science at the University of Michigan. Supporting those agencies will “advance our understanding of how to protect IoT devices and to establish a cybersecurity workforce that meets industry needs,” he said.
It will also be necessary to “leverage the existing cybersecurity expertise within NIST’s National Cybersecurity Center of Excellence (CCoE) and Information Security and Privacy Advisory Board (ISPAB).”
In terms of healthcare cybersecurity issues, Fu explained that ensuring the continuity of clinical operations to deliver safe and timely patient care is one of the top concerns for that industry right now.
“The best known approach is to maintain a more accurate, risk-based inventory of devices, software, and cyberexposure such that when a new vulnerability is discovered, hospitals can more quickly identify affected devices to triage and remediate,” he said. “However, hospitals simply do not have accurate inventories of software in actual use.”
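The risk-based inventory approach Fu describes can be illustrated with a small triage script. The following is an added example, not code from the hearing or from Fu's testimony: it cross-references a constructed device inventory against a constructed vulnerability advisory (the vendor, product, asset and advisory names are hypothetical placeholders) and returns the affected devices ranked by exposure. Devices whose firmware version the inventory does not record are flagged for verification rather than silently skipped, which reflects Fu's point that inventories of software in actual use are often inaccurate.

```python
"""Risk-based device inventory triage against a vulnerability advisory.

Added example: the inventory, advisory and all names below are constructed
placeholders, not data from the hearing.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str
    product: str
    firmware: Optional[str]   # None when the inventory does not record it
    location: str
    network_exposed: bool     # reachable from a general-purpose network segment


# Constructed sample inventory (hypothetical vendor, product and asset names).
INVENTORY = [
    Device("PUMP-001", "ExampleMed", "InfusionPump", "1.0", "ICU-3", True),
    Device("PUMP-002", "ExampleMed", "InfusionPump", "1.2", "ICU-3", True),
    Device("PUMP-003", "ExampleMed", "InfusionPump", "1.1", "Ward-7", False),
    Device("PUMP-005", "ExampleMed", "InfusionPump", None, "ER", True),
    Device("MON-010", "ExampleMed", "PatientMonitor", "1.0", "ICU-3", True),
    Device("PUMP-004", "OtherVendor", "InfusionPump", "1.0", "ER", True),
]

# Constructed advisory: every firmware version below fixed_version is affected.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",   # placeholder, not a real advisory identifier
    "vendor": "ExampleMed",
    "product": "InfusionPump",
    "fixed_version": "1.2",
}


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple so "1.10" sorts after "1.9"."""
    return tuple(int(part) for part in version.split("."))


def classify(device: Device, advisory: dict) -> Optional[str]:
    """Return a triage priority for the device, or None if it is out of scope."""
    if device.vendor != advisory["vendor"] or device.product != advisory["product"]:
        return None
    if device.firmware is None:
        # Unknown firmware: the inventory cannot prove the device is safe.
        return "verify"
    if parse_version(device.firmware) >= parse_version(advisory["fixed_version"]):
        return None
    return "high" if device.network_exposed else "medium"


PRIORITY_ORDER = {"high": 0, "verify": 1, "medium": 2}


def triage(inventory, advisory):
    """List (asset_id, location, priority) for every in-scope device, most urgent first."""
    hits = []
    for device in inventory:
        priority = classify(device, advisory)
        if priority is not None:
            hits.append((device.asset_id, device.location, priority))
    hits.sort(key=lambda h: (PRIORITY_ORDER[h[2]], h[0]))
    return hits


if __name__ == "__main__":
    for asset_id, location, priority in triage(INVENTORY, ADVISORY):
        print(f"{priority:7s} {asset_id:10s} {location}")
```

The ordering puts network-exposed, confirmed-vulnerable devices first, then devices whose status cannot be determined from the inventory, then isolated devices; a device already on the fixed version, or from a different vendor or product line, is not listed at all. The "verify" bucket is the practical consequence of Fu's caveat: a triage that only reports what the inventory knows will miss exactly the devices nobody recorded properly.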
Medical device security is also a key concern, Fu added, and “default passwords and the inability to tolerate intrinsically hostile networks are two common problems in medical IoT devices.”
NIST’s work on lightweight cryptography plays a critical role in this area, he maintained.
“Another unusual problem with medical devices is that traditional cryptography does not work as easily on battery-powered, implantable devices because of the risks of cryptographic computations draining the battery,” said Fu. “When an implant’s battery runs low, it requires surgical replacement.”
Assessing medical IoT security and creating a national embedded cybersecurity testing facility will be greatly beneficial, Fu concluded.
“The cost to establish a realistic test facility for healthcare IoT cybersecurity, for instance, is likely to exceed $1.1 billion because of the sheer complexity and specialized equipment,” he explained. “But that is much cheaper and more effective than having 6,000 hospitals across 50 states each attempting to establish tiny facilities.”