The proliferation of internet of things devices tied into critical industries such as transportation and healthcare is changing the perspective on what constitutes critical infrastructure, according to government and industry experts who spoke at the 2017 CyberCon.
“The attack surface is going to expand greatly,” said Ret. Maj. Gen John Davis, vice president and federal chief security officer at Palo Alto Networks. “When we start connecting all of these other devices, like devices that are involved in life-saving functions – transportation, cars – when we start connecting these things, we’re opening up a whole different category of impact. I think we will put people’s lives at risk, and I think there will be tremendous impact to national security, economic prosperity, public safety. So, I worry about the direction that this is going in.”
According to Jeanette Manfra, assistant secretary in the Department of Homeland Security’s Office of Cybersecurity and Communications, digital devices are changing the meaning of infrastructure that used to refer only to physical systems.
“In thinking about critical infrastructure, the word ‘infrastructure’ itself sometimes, I think, causes some confusion,” said Manfra. “And when it was originally established it was around the notion of physical threats, counterterrorism, etcetera, and how are we actually protecting the asset, the infrastructure itself from somebody who might want to sabotage that building or use that infrastructure itself to destroy another infrastructure.”
Instead internet connected devices and systems constitute essential services within parts of the critical infrastructure.
“It’s not just about the infrastructure, it’s about ‘what are the critical services and functions that American citizens, residents and increasingly, because of the multinational nature of some of our companies, globally that we depend upon?’” said Manfra.
She added that she divides the cybersecurity problems posed by IoT into three categories: IoT as vulnerable endpoints on a critical infrastructure’s network, consumers buying unsecured IoT devices that could be conscripted into a denial of service or botnet campaign, and IoT devices imbedded in cars or healthcare tools that pose a life-threatening vulnerability.
“I think that’s a very different set of issues,” Manfra said.
“More and more things are connecting to each other, and we’re becoming more and more reliant on that connectivity,” said Davis. “And so I think that what that’s going to result in is difficulty in prioritization of effort.”
James Scott, senior fellow at the Institute for Critical Infrastructure Technology, said that a cybersecurity vetting system, much like how products are rated for energy efficiency, could solve the problem of consumers buying unsecured devices.
“One of the easiest ways to manage that is an EnergyStar-type approach, so you have the device, you have a QR code, you scan your phone over the QR code. That then feeds back to a dynamic database that’s operated by machine learning and artificial intelligence that calculates a score,” said Scott.
Scott added that the critical infrastructure sectors most vulnerable to cyberattack, like healthcare and energy, tend to have “Frankenstein IoT microcosms” of unsecured devices.