Think about your first car. If you’re like many of us, it was probably used, either purchased or handed down from parents or maybe even siblings. My first car was 14 years old. Now, think about how poorly secured most 14-year-old electronic devices are. The success of WannaCry capitalized on precisely that lack of security for hospital machines and operating systems.
When it comes to embedding tech into everyday machines and critical infrastructure, security is no longer just about privacy of data, it’s a safety issue. To build a connected medical device without contemplating how to prevent someone from hacking it is like building a bridge without a civil engineer and load testing. With this being said, it is also important to understand the difference between manual and automation testing for various parts of your business, as they can both offer benefits and disadvantages. Seeing as your business should be one of your top priorities, it would be worth considering this.
That’s been missing from a lot of the conversations about IoT security, but an excellent paper from the University of Cambridge looks at security for connected cars, medical devices and the energy grid as a safety issue.
The report covers the role of regulators in our technocentric world, how liability might be shared among manufacturers, consumers, insurers and regulators, and ways to implement security over a 30-year life span. Alone, each of these topics is worth several papers, which is why I found the report such helpful reading. It covers all of these to enough depth to help interested parties dig into the issue, rather than say, “It’s hard,” and move on.
The paper offers up liability as the impetus for secure infrastructure and discusses where European laws (this report was commissioned by the European Commission) fall short. For example, product liability can invalidate the ubiquitous end user licensing agreements that people click on with every software download, but it cannot protect against unforeseen harms.
And when dealing with the interest, electronics and a network, we will encounter the unforeseen. Additionally, laws that protect against insecure and unsafe products do not cover services. For many companies, connected devices are about selling a service, not selling a physical device.
There are an additional half dozen interesting points for discussion in the paper, plus a historical perspective on how regulation developed around the railroads and cars. It provides grim parallels on how things might unfold for connected device security in the 21st century.
If all of this sounds crazy and over-the-top, go reread the essay I wrote about hospital security. The CISOs I spoke with for that story were most worried about their connected devices doing physical harm to a patient, not about records getting stolen. We’re already living in a world made less safe by connected products. Now we have to admit this and solve the issues technology has wrought.
Just like we have done before.