Robert Metzger is a shareholder at law firm Rogers Joseph O'Donnell PC, where he's a member of the Government Contracts Practice Group and head of the Washington, D.C. office.
The Internet of Things (IoT) presents enormous opportunities accompanied, unfortunately, by potential for both new security vulnerabilities and aggravated consequences.
The IoT operates by connection of end-point devices (such as sensor networks) to control systems and by communication along the edge as well as to the core. Devices both collect information and act upon instruction. Control systems may be central or distributed. Attack surfaces, as seen by adversaries, will multiply, to include end point devices, network interconnections and transport infrastructure, and the control systems that incorporate core functions, such as data analytics, which act upon received information to generate instruction communicated to devices. Authentication, identity management and transaction processing add to exposed surfaces. IoT implies massive interconnectivity and constant interdependence among devices, communications and control.
For critical infrastructure, for illustration, the IoT could enable electrical generators to self-monitor, predict fault, adjust function, and call for maintenance. (Such functionality is present today for certain civil aircraft engines.) And, the IoT can produce "liquidity" in asset utilization; through autonomous communications among machines, generators can distribute or balance load without operator intervention. Some sensitive systems in the defense sector will be isolated from the IoT, but many will not. IoT devices might be used for defense logistics purposes, e.g., widespread distribution of wireless smart tags to monitor readiness, track availability and inform disposition decisions for physical assets such as pre-positioned military stores. The defense industrial base is likely to employ IoT devices for such purposes as efficient resource allocation and enhanced functionality.
The IoT likely will proliferate devices and systems at risk of discrete attacks – an "attack once, impact many" paradigm. This exposure results where devices and dependent systems possess common vulnerabilities and suffer circulation of common injury, and where corruption spread among linked applications affects numerous connected systems. Applied to the infrastructure example, one IoT attack could degrade or disable many power generators across an entire grid. An IoT attack, conceivably, could "poison" the military logistics decision system, leaving commanders without knowledge of equipment availability and readiness.
The IoT, I suggested, presents "cyber/physical" risks because cyber attacks will impact physical devices. For systems it acquires and supports, the federal government can use its acquisition authority to encourage and eventually mandate actions to reduce vulnerability to IoT cyber/physical attacks, to mitigate the consequences and to promote resilience and expedite recovery afterwards.
This authority is exercised through procurement regulations, solicitation requirements, and by specific contract terms. Caution is necessary because federal agencies rely upon and need access to the diversity and innovation of commercial sources, and because the goal is not to frustrate U.S. exploitation of the IoT but to protect federal systems and critical infrastructure against its new vulnerabilities.
Targeted supply chain risk management and cyber initiatives can improve understanding of new risks and reduce exposure to IoT cyber/physical threats. I offer five recommendations:
- Create market and tax incentives to encourage defense industrial base and other private sector critical infrastructure participants to self-assess for cyber/physical and IOT vulnerabilities and act to eliminate them;
- Promote continuing development of scalable IoT and cyber/physical norms, standards and best practices, while taking care to avoid both prescriptive solutions or the potential chaos of competing and conflicting norms;
- Develop and validate methods of authentication and authorization, as may rely (for example) upon embedded, tamper-proof and cryptographically secure chips, in order to enhance transaction security among IoT applications, devices and core systems;
- Cause federal agencies responsible for critical systems and infrastructure to assess vulnerability of present and planned systems to cyber/physical threats, and to implement protection plans;
- Begin to develop regulations to require defense primes and critical infrastructure contractors to adopt systems to anticipate and avoid cyber/physical vulnerabilities and to monitor and report on cyber/physical attacks.
It is now considered essentially impossible to eliminate entirely the risk of a cyber attack. Apart from defensive measures, the inevitability of cyber/physical attacks through the IoT emphasizes also the importance of reaction, recovery, reporting, and information exchange after attack. For key defense systems and critical infrastructure, it may prove necessary to inventory at-risk electronic components and connected cyber-active systems, to expand reporting obligations to include malicious code events and hostile exploits of cyber-active parts, and to collect and rapidly exchange event and exploit information. Data analytics and automated decision methods can be employed to predict risks, disseminate device-specific reports, advise or implement defensive measures, and to effect wide-scale recovery actions. These measures can be accomplished – but we need a national strategy to protect security and privacy, while we promote the IoT and leverage its value, clear leadership among interested federal agencies and (hopefully) consensus between the Executive branch and Congress.