After botnet attacks, stakes rise for security in connected things

At the Security of Things Forum in Washington, cybersecurity experts addressed the challenges of securing the Internet of Things after hackers shut down large segments of the web by taking advantage of insecure connected devices.

Think the internet-connected devices plugged in at your office or home are safe from hackers? You might want to take another look.

After a recent cyberattack shuttered much of the web by turning insecure connected devices into a massive botnet, experts and policymakers worry that the so-called Internet of Things could be more vulnerable than ever.

That issue was a focal point of conversation at last week's Security of Things Forum in Washington, hosted by Passcode and The Security Ledger, where hackers, security researchers, and government officials warned of the risks of rapidly expanding connectivity, especially within the most critical industries and infrastructures. 

"Most people are under the complete illusion that, oh, they’ve got safety systems. Safety does not factor in security," said Ralph Langner, a well-known German security researcher, referring to systems designed to prevent shutdowns at power plants and chemical facilities. "High value targets must never be connected to the internet. Nobody connects a factory to the internet in order to be more secure."

The event took place a week after unknown attackers deployed the Mirai botnet, a malicious network made up of insecure routers, digital video recorders, and other insecure internet-connected products, to overwhelm internet performance firm Dyn with phony traffic. As a result, such popular sites as Netflix, Spotify, and Amazon were knocked offline for much of the day. 

Now, with as many as 30 billion devices set to come online by 2020, security experts who spoke at Security of Things Forum worried that attack could be another sign that hackers can take advantage of insecure Internet of Things gadgets to cause serious digital havoc. 

Here are some of the suggestions they made to secure physical devices coming online:

1. Out with the old, in with the new

It's not just hooking up everything cars and defibrillators to the web that creates security challenges: Many companies and US government agencies leave themselves vulnerable to hacks by running old systems and old code – including several federal data systems that recently turned 50.

"Legacy technologies tend to dominate simply because of size," said Anup Ghosh, chief executive officer of the cybersecurity company Invincea. "In the federal space, we’re deploying to agencies with 200,000 people. You can’t just snap your fingers and cover the department."

But that message doesn't seem to be getting through at critical infrastructure facilities, where old, insecure systems can be pervasive.

"It’s sort of like getting the guys from 1950 to hold hands and talk conversationally with someone born in 1990," says Stan Lowe, an executive adviser at Booz Allen Hamilton who helps develop cybersecurity strategies.

The solution, Mr. Lowe says, is to start over from scratch. 

“There’s no way to retrofit this stuff. We’re going to bolt on security around the old stuff,” he adds.

2. Cyber war is still in its 'teenage years'

December's digital attack against Ukraine's power grid that shut out the lights for more than 230,000 people – the first such hack to cut out power – served as another wake-up call proving hackers could soon commandeer critical infrastructure. 

But Mr. Langner, the German security researcher known for his early work on the Stuxnet cyberweapon says that attack had a lot to with human error, as operators did not shut off manual controls at the impacted facilities. 

"There is a legitimate command that allows you to manipulate the [power supply] via the network,” Mr. Langner said of the tactics that hackers purportedly used to shut down power systems. "You got to be a damn fool if you don’t disable that functionality. No super hacking involved here, no buffer overflow, you just need to understand how modern products work, you just need to understand the manual.”

That could be a significant problem, Langner says, since more states are getting access to destructive cyberweapons, and there are few international rules to regulate their use. 

"What we see today is like the teenage years of cyberconflict. It’s characterized by rude behavior," he said. "Those with the muscle are like teenagers. They’re checking out what they can do."

3. Don't disconnect

The distributed denial of service, or DDoS, attack that knocked out Netflix, Spotify, and other popular US websites on Oct. 21 might seem like a sign to unplug for a while. Not for Charley Snyder. The senior adviser at the Department of Defense has used similar cyberattacks to encourage the Pentagon to invite hackers to test its systems for software flaws in a public bug bounty program. 

"Too often, I think the government tries to wall itself off from the web," Mr. Snyder said. "That just doesn’t logically work."

Instead, Snyder said the success of the Hack the Pentagon program that invited 1,400 vetted security researchers to root out bugs in Defense Department systems – including an 18-year-old who just graduated high school – shows how helpful it can be to bring an outside set of eyes to security challenges.

"We have quite a big budget, we spend quite a bit on information technology, but it’s hard to know we have the eyeballs on the systems that they really deserve," he said. "If we could tap into thousands or tens of thousands of people across the country, that seems to be a really meaningful way to use this as a force multiplier."

That doesn't mean setting up US government bug bounties will be easy.

"There’s not really anything in my experience that’s as complex as how we secure systems and make them more resilient," said Leonard Bailey, a Special Counsel for National Security in the Department of Justice's Computer Crime and Intellectual Property Section.

But, he says, inviting hackers into the Justice Department to hear out their concerns about federal prosecution of computer crimes has pushed the relationship forward.

"That resulted in going from being yelled at to presenting at Black Hat [hacker conference in Las Vegas]," he said.