IFSEC Insider | Security and Fire News and Resources

The Internet of Things: Alert Logic’s Martin Lee on Anticipating the Unknown Unknowns

In 2002 then US Defence Secretary Donald Rumsfeld’s invocation of Nicholas Nassim Taleb’s ideas on the limitations of making decisions based on unavoidably partial knowledge was widely mocked.

But if the failure to find weapons of mass destruction in Iraq vindicated his critics then the clumsy tautology – “there are known knowns (things we know we know), known unknowns (we know there are some things we do not know), but there are also unknown unknowns (the ones we don’t know we don’t know)” – nevertheless has a valid application in assessing the risk landscape.

And no more so than the nascent ‘internet of things’, according to Martin Lee, manager of Intelligence at Alert Logic.

Speaking to IFSEC Global when still technical lead for Threat Intelligence at Cisco, Lee says we still don’t know how and from where threats will arise in this brave new world – but that doesn’t mean we can’t forearm ourselves. 

IFSEC Global: So Martin, the internet of things seems like the next – or rather current – big thing…

Martin Lee: The internet of things is an inevitability. Computing devices are getting smaller and cheaper.

We’re living in a world of growing bandwidth, Wi-Fi, 3G and now 4G networks.

Really we’re looking at two kinds of devices: small sensors which sense something about the environment and phone that information back to a central processing unit, which then relays instructions to similar devices that are connected to actuators and make some kind of change to that environment.

So in an unexpected heatwave the sensors will turn up the air conditioning and inform the electricity grid that we’ll need more energy today.

So it’s a wonderful, utopian idea, but as a security professional my first question is: “how will people break this?”

What types of unforeseen vulnerabilities are we building into this network of things that we’ve not planned for? That bad guys can at some point exploit?

IG: From which sources do you see these attacks coming?

ML: We tend to get hung up on the concept of cyber war and enemy states attacking us, which is a possibility. I think what’s far more likely, though, is people affecting systems for pranks.

Then you’ll have criminal gangs or old-fashioned protection rackets: “give us money or we’ll hack into your air conditioning during the hottest day of the year and your computers will melt”.

We already see these attacks happening and there’s potentially a whole new range of attacks on the horizon, which we should plan for now.

IG: What safeguards can the authorities and security companies institute now?

ML: One article recently found an average of 25 vulnerabilities per smart device.

We need to design devices’ deployment architecture to prevent tampering, block commands from unauthorised controllers and ensure our controllers can’t receive fake information – for example information from sensors that don’t exist.

We’ve already seen security cameras infected with malware. Probably the bad guy in this case didn’t know that he’d infected security cameras, but it shows these cameras can be subverted for malicious purposes.

I think that’s really where the danger lies. There’s a lot of interest in deploying these devices but we need to make them secure, make the networks connecting them secure, ensuring that only authorised individuals can log into them. The bad guys will see a lot of scope for disruption.

IG: I guess you can never make a system 100% invulnerable…

ML: Absolutely. We’ve learnt a lot over the years about how to live in that kind of environment, how to harden things as much as we can to minimise vulnerabilities and make sure we’re designing the network infrastructure to make it as hard as possible for attackers to get in there.

Also to have monitoring systems to identify attacks straightaway and take steps to remediate them.

In many cases the bad guys will go after the least well secured systems, so often what you need to do is be a little bit better secured than your competition.

So you need to monitor the network, have that visibility of what’s connected to your networks and spot the attacks early – because they will happen – and take the right steps to remediate and swiftly recover.

IG: You talk about competition as if it’s like a capitalist marketplace – can you elaborate?

ML: If you want to take out major transport infrastructure in a major city you’ll narrow down your targets to maybe half a dozen world cities. The one you actually go for will be the one that is easiest to get into – the low-hanging fruit.

IG: The whole internet of things paradigm is about interconnectedness, which has many obvious benefits. Might it also make cities more vulnerable insofar as a successful attack on one part of the infrastructure could thereafter infect the entire infrastructure via these connections?

ML: It does change the risk profile and the relative risks within the environment. My suspicion is that in many cases these changes aren’t well considered at the design phase.

A connected city improves the efficiency of city management, particularly energy efficiency. But yes, you’re introducing other vulnerabilities so we could have the network effect where if someone penetrates part of the system then they can have large ramifications throughout an entire city.

However, if you consider that as a possibility from the beginning and you start building in those mitigations early, and you’re watching for those kind of incursions, then when it happens you can stop it.

But if you’re not watching and you haven’t built in those protections, you’re then risking exposing yourself to an attacker.

IG: With growing automation is there a risk of taking too much human agency out of city management?

ML: That’s a very good point actually. There should always be some kind of human oversight.

We’re not quite there yet with artificial intelligence where we can leave everything to computers to make a decision. We can leave some decisions to computers, such as whether the lights need to be on, what level does the heater or air conditioning need to be on – low level decisions that it’s easier for machines to take.

There should be some kind of manual override. So if the computer thinks the light should be off but you enter a room and you can’t see, there’s still a light switch you can switch on.

There needs to be human supervision because humans excel at spotting the unexpected and responding to the unexpected. Computers are excellent at absorbing mundane things which are boring for humans to resolve, but there will always be that scope for humans to spot something unexpected and take control.

So there’s a new profession on the horizon for a sort of cyber custodian who monitors these systems in buildings or larger town and city networks, potentially making little tweaks here and there when the computer hasn’t got it quite right, and taking control when something unexpected happens.

IG: How would you define smart cities in a nutshell and where does security fit into this paradigm?

ML: It’s all about using computing devices to optimise the operation of a city so it can better serve the needs of the people who live in them and work in them and, most importantly, so we can make people’s lives easier and make the city more efficient. So we’re reducing costs and providing a better service and that has to be the goal of smart cities.

The common denominator between the smart city and the secure city are the sensors, actuators and connectivity. But really all we’re doing is deploying a new tool to help existing services become more efficient.

So we don’t need armed police on every corner if you’re doing the monitoring and analysis right; you’re just making existing law enforcement functions better at their jobs. It’s not about an Orwellian, all-seeing state; it’s just about making everything that we do now that little bit easier, that little bit more efficient, that little bit better.

The power that we have within IT systems now makes connectivity such a powerful tool – so long as you’ve still got your goal in sight and the IT is a tool to serve that. Tesco’s goal has always been to sell goods to their customers and that remains the same. The minute you run a supermarket but you start to think you’re actually just an IT company – that’s when you’ll start running into problems.

IT is just a tool, but it’s an important and a powerful one.

IG: The idea of computer networks transforming everything around us has been around for decades but it’s only now that we have the bandwidth and technology to make it happen…

ML: Oh yeah, I know. Sometimes it really scares me because this whole IT revolution – which has been going on since the early 70s – is a new industrial revolution and we’re in the middle of it.

It’s all about being able to put more transistors on an integrated circuit for a cheaper price and same with the bandwidth.

And in parallel we also have similar changes in the amount of data we can store and the cost of that storage. So all put together you can see this revolution accelerating into the distance.

Exactly what we’re going to do with it, I really don’t know! I’m certain that it’s going to involve sensors, actuators that are connected together by internet connectivity in some way and I’m certain that it’s also going to involve the collection and storage of data, which can be analysed and decisions can be made on that.

Even five years ago it would have been difficult to imagine the possibilities we have now and I’m sure in five years time we’ll look back and think “we were so naive in 2014 with the applications available to us”.

But one thing that I am certain of is that there will be vulnerabilities in these systems and there will be people actively looking at ways to turn these systems to illicit profit or to achieve their own personal grudges or goals.

We’ve got this physics-driven revolution which is going to certainly make our lives better, but we also need to consider that we’re not perfect at writing software, so we need to harden things as much as we can.

Human nature is to look for the opportunities. How can I make money? How can I make things better?

But we also need to ask: how could this go wrong? Are we sure this is safe? How do we make sure that we’re minimising our risks?

You can get lost in the enthusiasm of deploying new things.

The risk profile is changing and we need to be aware of that. We need to know that yes, some risks that existed yesterday have maybe gone, but we’ve now got new risks.

Humans have got about 50,000 years worth of experience in the risks of fire and we’ve become very good at controlling fire, yet still we have instances where things burn when they shouldn’t burn and people get hurt.

With this new revolution we need to be aware there’s going to be a whole series of new risks that we don’t quite understand yet. We can certainly try and imagine what they’re going to be and types of mitigations we need to adopt.

IG: So it’s being as proactive as possible, albeit we’re making a lot of educated guesses on what to protect ourselves against and how …

ML: We know that we can reduce the risk, we can harden systems, but we also need to be able to spot when things go wrong and act on that because we know there’s so much uncertainty about how this risk profile is changing.

It’s not like fire. Fire isn’t going to do anything new and unexpected. The internet of things will – and we need to be ready for that.

IG: Which countries or cities do you think are in the vanguard when it comes to becoming ‘smarter’?

ML: If I put my patriotic hat on I’d like to think that London has a possibility of doing this. We have the innovation and I know there’s a lot of people with the enthusiasm to put British cities at the forefront of the smart cities revolution.

But we have an awful lot of competition with other major world cities and countries, like Dubai and Qatar, that can put an awful lot of public subsidy into creating these kind of environments.

IG: What about developing economies, like say Indonesia, which are growing rapidly but perhaps are lagging in terms of infrastructure?

ML: To be honest I don’t know. I would imagine that the smartest or most connected city will possibly be somewhere which is expanding quite rapidly, is quite cash rich and will probably have a tradition of public sector direction. So Singapore would fit that or somewhere in the United Arab Emirates.

But there’s no reason why it can’t be Europe.

IG: Because the whole idea of smart cities is premised on connectedness and common standards would you say it’s important that there’s coordination between agencies and across industries?

ML: Yes. I think there are lots of people throughout the world, lots of different groups, that are thinking about these kind of issues and building new systems and prototypes. And I think in general we’re all going about it in the right way.

As ever, the thing that worries me the most is educating the customer. So a customer needs to specify that security is needed in a deployment otherwise it won’t be supplied. We need to make sure that the customer’s educated so that security is part of every deployment and is specified in requirements contracts.
