As these technologies and the data behind them converge, a single breach can have massive consequences.
Fortunately, PTC didn't make the mistake so many other vendors make:
After a full year of seeing security issues downplayed at most events, good to see PTC putting issue in spotlight. PTC's Josh Corman gave strong talk on IoT security, and shared PTC's IIoT's Cyber Safety shared responsibility model - PDF -> https://t.co/rIEqsdOyoG #LiveWorx pic.twitter.com/PIsmyWVROP
— Jon Reed (@jonerp) June 11, 2019
Corman began his talk with a warning for those who believe in our so-called connected future. 96 percent of auto accident fatalities are the result of human error. But, Corman asked: what happens when there is one high profile fatality caused by machine error?
With great connectivity comes great responsibility.
We can't allow for a crisis of confidence.
Ahh, but how do you avoid that? PTC addresses that in their shared model for IIoT safety and security. If I had to pick one tactic, I'll take Corman's frank statement: we're all going to get hacked. The goal is to limit the damage a hacker can cause.
Corman referred to rampant personal credit card fraud. That's different than a massive enterprise database being compromised:
It's not that I don't care about those [individual credit card] failures - it's that those failures are tolerable losses. What I was worried about is even with 80 billion dollars spent annually on cybersecurity controls, we still have a pretty high failure rate.
As for the Fortune 100:
If you look at the Fortune 100, our [collective failure rate against breaches] is about 100%.
That doesn't mean the security industry is incompetent. Rather, the adversaries are formidable:
It's an evolutionary space. The adversaries make moves, we make countermoves, back and forth.
We are the IoT security cavalry
In other words: the cavalry isn't riding in to save us. To borrow from a grassroots security initiative Corman helped to start six years ago, we are the cavalry (see: I am the cavalry). Now that he's at PTC, Corman sees the scope of the security problem escalating with IoT and connected devices. He compared the ten million lines of code in Windows XP with modern vehicles:
Now make that a hundred million lines of code, because that was the average number of lines of code per vehicle just three years ago. So it's actually much higher now. How often do you patch your vehicle? Do you ever patch your vehicle? Could you if you tried? Would it be as graceful, or seamless as your Windows update?
Extend that to other industries:
If we don't know how to secure mobile phones, Equifax, Target, how can we secure medical devices? Hospitals? High speed rail? Aviation?
Thus PTC's vocal security stance:
We've always been about balancing the promise and the peril of connectivity.
Corman urges us to go after the tougher problems:
I try to drive a lot of heat and light on the safety aspect. If we solve for that harder problem, we will also get better at the more tolerable losses.
We can't wait for tougher data privacy regulations in the U.S., but: tougher/smarter public policies would help. Corman said despite some exposure of sensitive health care data, we still don't have the public outcry to force the political will to bear down on this. Even with GDPR, progress in California, and more legislative movement in both houses of Congress, most of us can't count on that regulatory umbrella just yet.
Is losing a power grid a tolerable risk?
When we talk about what security losses are tolerable, how about taking out a power grid? Would that be tolerable? Probably not. And yet it's happened:
We have known for many many years that the power grids were vulnerable. I hope you all go to the Cybersafety Village on the Xtropolis show floor. We have the industrial controls hacking village there that talk in gory detail. We can demonstrate for you how easy it would be to perpetrate those attacks. We've known you can take out power grids, but now it's been demonstrated on the world stage, with Russia taking out the power grid in the Ukraine at least twice.
Corman brought up hacking tools like Shodan, which allows probing for unprotected devices:
Instead of searching for cat pictures on the internet, you can search for connected devices naked on the internet... We've known for a long time that anyone with the means, motive, and opportunity can use Shodan to find an oil and gas pipeline or a water treatment facility or a dam and open the dam. Maybe flooding what's beneath it. The Department of Justice, a few years ago, starting unsealing court cases where Iranian hackers have been indicted for doing just that.
Hard-coded passwords with admin privileges are easy to exploit, at an untolerable scale:
It's almost a misnomer to call it hacking. You can log in with something as simple as "admin admin," and have a cyberphysical impact.
One obvious step is to limit privileged credential abuse. Another big concern: companies that emphasize connectivity, but won't budget for adequate security:
The sober reflection says, "You love the connectivity, you like connecting everything to everything else," but a lot of industries won't talk about the burden and responsibilities that come with that, to do it safely and responsibly. They say, "We can't afford it."
Yes, some companies run very lean, such as local health care operations. Corman has a message for them:
If you can't afford to protect it, then you can't afford to connect it.
Corman goes further: if you can't make "survivable, resilient, maintainable, updatable, safety-critical IoT," then you shouldn't be able to legally conduct IoT business. One good starting point? A "software bill of materials," which shows you which machines are running which programs, and the version number. He cited the example of a hospital that learned of a malware threat for a specific device and software version. They didn't have the SBoM, so they couldn't determine which device was implicated. If they had that visibility, "I take 20,000 potential targets down to maybe three."
The wrap - "we're having some hard IoT security conversations"
Corman went into the nuances of bills that have yet to make it through Congress during election season, and probably won't make it for the foreseeable future. Still, there is growing awareness that connected devices "should be patchable; you should have no fixed passwords, and you should have a welcome mat to hackers hacking in good faith."
Similar legislation has already passed in the UK, and by 2020 in California, any IoT devices are subject to what Corman cited as "meaningful and reasonable security controls." These steps, which Corman cited as fantastic, are not a cure-all:
They're not going to prevent a nation state adversary from perpetrating cyber warfare. What they might do is raise the bar for rank and file IoT devices. so we don't see massive tsunami of technical effects in the form of Mirai Botnets or whatnot.
Then Corman said something that genuinely surprised me:
So Jim [our CEO] is, and remains willing, to part ways with some of our historic customers if they're going to put their customers, national security, and ourselves at risk. So we're having some hard conversations with people that have not seen the need to adapt.
Now, when someone's willing but doesn't know how, we have flooded them with resources and assistance on shifting into the mindset and equipping them for their internal stakeholder arguments on why these changes are important and necessary.
I've never heard such language at an enterprise event before. I hope other vendors follow suit. Corman outlined PTC's other IoT security responses - from speaking to elected officials to running their own "ethical hacker welcome mat," aka the Coordinated Vulnerability Disclosure program, or CBD.
Corman warns that time is short. Hackers are moving fast; we will lose some battles, and suffer breaches. But we must press on:
We don't want to slow down innovation.We want breakthrough medical advances to save loved ones that were otherwise saveable.
We can't allow a crisis in confidence to retreat from the promise of digital transformation. Look how exciting everything we're hearing here is. Let's maintain that excitement and exuberance by being responsible stewards of that connectivity.
Updated, 6am ET Sunday June 16, with a few clarifications and resource links.