If security issues around unmanageable devices look bad now, the near future is even worse.
The computing landscape 10 years out will be vastly different than it is today, thanks to growing adoption of portable, sensor-rich, Internet-connected devices -- the so-called Internet of things. Many of those devices will operate outside of traditional IT environments.
As opposed to computing environments of the past two decades, these will not be technology monocultures; Microsoft dropping support for an operating system like XP will matter a lot less. But a different kind of monoculture is emerging in its place: one of commodity hardware -- the inexpensive processors, controllers, and sensors already in use by everyone from Fortune 100 manufacturers to crowdfunded "smart device" entrepreneurs.
Speaking at a recent conference in Cambridge, Mass., Dan Geer, Chief Information Security Officer of In-Q-Tel, the Central Intelligence Agency's investment arm, warned that the proliferation of smart, embedded devices that are both long lived and unmanageable creates the conditions for massive disruption if flaws and other exploitable vulnerabilities in common components used across commercial environments and critical infrastructure lead to what he terms "common mode" failures and crippling cyber attacks.
Such systems -- smart refrigerators, in-pavement traffic-monitoring systems, or crop-monitoring drones -- may be of negligible importance individually, but already pose a serious threat "at scale," Geer warned.
"That combination -- long lived and not reachable -- is the trend that must be dealt with, possibly even reversed," Geer told an audience at The Security of Things Forum.
What is the proper response? Security experts say there is no quick fix. Consultants such as Digital Bond's Peterson work with infrastructure operators to understand their vulnerabilities and take reasonable measures to secure their IT environments from likely attacks. But with so many legacy systems that are so lacking in basic security features, the risk of compromise is always there.
Geer has proposed a number of possible, long-term solutions, from mandating the implementation of remote management and update features in embedded systems at the "national policy" level to the use of programmed "self-destruct" mechanisms that would disable devices "by some predictable age."
IOActive's Cerrudo says cultural changes are needed within the firms that make the products. Developers and engineers need to adopt a security mind-set, while vendors that haven't traditionally had to deal with attacks on their products need to take their cue from software firms like Microsoft and Adobe: instituting a system for fielding and responding to reports of security holes in their products, then issuing fixes to customers.
The stakes are high. Cerrudo and Geer both note that the days of hacks, malware, and other problems being limited to our desktops at home and work are ending -- fast.
"All these new technologies are impacting our daily lives," Cerrudo says. "When these devices are hacked or compromised, it will impact the way we live."
Full disclosure: The author organized The Security of Things Forum where In-Q-Tel CISO Dan Geer made his remarks quoted here.
- Security-vendor snake oil: 7 promises that don't deliver
- 11 sure signs you've been hacked
- 7 sneak attacks used by today's most devious hackers
- 11 reasons encryption is (almost) dead
- Safeguard your code: 17 security tips for developers
- Security through obscurity: How to cover your tracks online
- True tales of (mostly) white-hat hacking
- 14 dirty IT tricks, security pros edition
- 6 lessons learned about the scariest security threats
- IT's 9 biggest security threats
- 9 popular IT security practices that just don't work
- 10 crazy IT security tricks that actually work
- Malware Deep Dive Report
- Data Loss Prevention Deep Dive Report
- Insider Threat Deep Dive Report
- Malware IQ test: Round 1
- Malware IQ test: Round 2
- Malware IQ test: Round 3
This story, "Beware the next circle of hell: Unpatchable systems," was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.