I have been hearing for a while that “cybersecurity is a process” and that one of the issues with executives is that they don’t understand that: most of them think that cybersecurity is a problem that should be solved by engineering.
When you think about an online service’s lifecycle, it all makes sense. The service is deployed on servers sitting in a secure data center, then to more servers if needed; then, the service is updated to a new version, possibly moved to a new cloud provider, and all of this is quite transparent to users. Basically, security must be part of the normal lifecycle, continuously adapting to the new hardware, new software, and new threat environment.
IoT security is different, of course. IoT is about objects, not services, and securing objects is different. Their hardware is fixed, and people buy an object with a set of features, not a service. Things are evolving, of course: Tesla is selling an Autopilot service, complete with security and functional updates. Many smaller devices also come with online services. For instance, a remote thermostat comes with a service that monitors meteorological data, in-house presence, and many other parameters to optimize target temperatures. For such services, security is, of course, a process, like for any other online service.
Yet, most people buy cars, even Tesla models; people buy connected thermostats, even if they are useless without the accompanying online service. For most consumer connected devices, the online service is free (for life, whatever that means), but the consumer has few guarantees that it will keep working for a long time. Naturally, professional contracts are a bit clearer: companies pay for the connected devices and for the related services, but they get additional guarantees, for instance, that the service will run and support their devices for at least 5 years.
Companies usually have a business view of it: a device is supposed to last for 5 years, so it is financed over 5 years, including support and associated services. After 5 years, the device is evaluated; either it is replaced with a new one, or it still works fine and its support and associated services can be continued for a few more years. The U.S. Senate is trying to formalize this for federal suppliers.
What happens when a consumer’s connected car ages?
So, what happens when a consumer’s connected object ages? Let’s consider a connected car, for example:
- For a few years, everything goes fine. The manufacturer regularly updates the car software. The features may evolve or not, but security threats are taken care of. The servers also keep working without problems.
- After a few years, things become more difficult. Some services start to disappear, either because they are outdated and the server doesn’t work anymore, or because they are flawed and cannot be fixed. But the car keeps working.
- Then someday, maybe after 10 years, a key hardware component gets defeated by hackers, to the point that software can’t fix or mitigate the problem. From then on, the car is accessible to hackers. So, what should be done? Should the manufacturer disable the hardware (i.e. the car)? Should they be forced to design a replacement part based on more robust/recent hardware? But then, for how long?
Basically, the problem comes from the mismatch between hardware and software. Let’s draw a parallel between computers and connected cars: In 2037, using Autopilot on a 2017 Tesla will be like running a 1997 version of Apache on a 200MHz Pentium Pro/Windows 95 machine in 2017: a very risky business.
The difference between consumer and business IoT is the ownership model (or more generally, the business model). Some people may always lease new cars and basically act like businesses, but some people keep their cars for 10 or 20 years, and some people buy used cars.
IoT security is a process is a service
Connecting cars is a great idea, but it doesn’t work well with the current car business model. There are many reasons that would push us not to own cars in the near future, and security is one of them: We shouldn’t own connected cars; we should simply use a transportation service. Then, things become much clearer: It is the service provider’s duty to maintain the cars, software, and hardware, and to replace the cars when they are not secure/safe anymore.
More generally, IoT is a service, and IoT security is a process. The IoT “devices” are just a part of the hardware required to implement a given IoT service, even the big ones; they are just like the servers on the backend side: they are under the responsibility of the service provider, and so should be their sourcing and maintenance.