IoT And The New Digital Pollution
We have many forms of pollution that plague humanity and our world, from noise pollution, where we can't escape the sounds of the Anthropocene, to water pollution choking our rivers, lakes and oceans. The list goes on and includes air, soil, light and even radioactive pollution, all effects of Homo sapiens. And now we're potentially looking at an entirely new phenomenon: Digital Pollution. That's the risk if we don't do something now, as the number of devices in the Internet of Things (IoT) explodes. Let's look a little at air pollution for parallels before coming back to IoT.
Skipping back before the current debate over global climate change to the world of the 1960s and 1970s, cities were more smog-bound and toxic in the West than they are now. I won’t say this is true globally because in much of the developing world, there is extremely poor air quality even today. But in the USA and many other first-world nations, smog and pollution-related health issues and environmental damage became intolerable. Even as early as 1952, the Great Smog of London killed thousands and made many more sick; my father recounted this from his own experience at the time.
This came about because of economic growth and scale that had been foreseen. In the case of London, it was burning coal and weather coming together with terrible consequences. In the USA, the same was true in many urban centers, this time from cars. We built cars that ran on leaded gasoline and lacked things like catalytic converters. At the time, people bought cars and liked what they bought. Car companies sold them and liked selling them. The last thing anybody was incentivized to do was slow down and change the rules regarding lead in gasoline, or require a new component in cars that pleased neither buyer nor seller.
What happened to change the situation?
There was another party in all of this: we the people. The public at large had an interest and, in the end, it took regulation to step in and provide strong guidelines for how internal combustion engines could and couldn’t operate. It was slower than it could have been in a more perfect world, but at the time this was a largely new area. Today, cities still have pollution problems, and there are still massive internal combustion engine-related issues throughout the environment, but the situation was made better through regulation.
What does all this have to do with the IoT? Quite simply, we can extrapolate from events like the Mirai botnet, which took over IoT devices by logging in with factory-default credentials and turned them into a DDoS platform, and from the manufacturing growth we know is coming and has already started, and see where the lines intersect. We are faced with the potential, if this isn't done right and soon, that lives will be affected. If we don't shore up weaknesses in IoT sooner rather than later, DDoS attacks against critical services will become more likely, spying and espionage from compromised devices will be the norm, and attackers will have enormous, resource-rich opportunities to ply their craft. A bigger, less secure world (amazing as that sounds) is only going to erode the potential of the connected world.
What does IoT done better look like?
- Unique identities for every shipped device. Machines should be uniquely identifiable and traceable, with persistent identities.
- No default, fully functioning identity contexts, with or without weak passwords. Every device should run only under an identity context tied to a known, verifiable identity.
- Hardware roots of trust used for strong cryptographic functions, trusted execution environments, integrity checking, license checking for third-party software and other important functions throughout the life cycle of the device (for bonus points, secure provisioning and IP protection for running code).
- Secure update services that can re-image everything from the firmware up if and as required. (For bonus points, some basic controls such as rate limiting certain protocols. Does a camera really need to send huge ping floods?)
- Standard telemetry APIs for event and behavioral data, feeding aggregation and centralization (e.g. SIEM, EDR, MDR, MSSP and whatever else emerges to consume them).
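To make the "hardware root of trust" and "secure update" items above concrete, here is an added example of the device-side acceptance check for a firmware update. It is not code from the original post or from any vendor; it is written in Go because the standard library carries Ed25519 and SHA-256, so it runs stand-alone. The manifest format, the `cam-200` model string, the version counter and the firmware bytes are all assumptions constructed for the example; on a real device the vendor public key and the installed-version counter would live in the root of trust rather than in a struct.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware image; Signature covers the JSON of the other fields.
type Manifest struct {
	DeviceModel string `json:"device_model"`
	Version     uint32 `json:"version"`
	ImageSHA256 []byte `json:"image_sha256"`
	Signature   []byte `json:"signature,omitempty"`
}

// Device stands in for state a hardware root of trust would protect (assumed layout).
type Device struct {
	Model            string
	VendorPublicKey  ed25519.PublicKey // burned in at manufacture
	InstalledVersion uint32            // monotonic anti-rollback counter
}

// Sentinel errors, in the order the checks run.
var (
	ErrBadSignature = errors.New("manifest signature does not verify against root-of-trust key")
	ErrWrongModel   = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("manifest version is not newer than installed version")
	ErrImageHash    = errors.New("image hash does not match signed manifest")
)

// signedBytes is what the signature covers; struct fields marshal in declaration order.
func (m Manifest) signedBytes() []byte {
	m.Signature = nil
	b, _ := json.Marshal(m) // cannot fail for this fixed struct
	return b
}

// NewManifest binds an image to a model and version via its SHA-256.
func NewManifest(model string, version uint32, image []byte) Manifest {
	sum := sha256.Sum256(image)
	return Manifest{DeviceModel: model, Version: version, ImageSHA256: sum[:]}
}

// GenerateVendorKey is the vendor-side key pair; the private half never ships.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: refuse to continue
	}
	return pub, priv
}

// SignManifest is the vendor-side signing step.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate checks the signature before trusting any field, then model, rollback, hash.
func (d *Device) VerifyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPublicKey, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.DeviceModel != d.Model {
		return ErrWrongModel
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sum := sha256.Sum256(image); !bytes.Equal(sum[:], m.ImageSHA256) {
		return ErrImageHash
	}
	return nil
}

// ApplyUpdate advances the version counter only after every check passes.
func (d *Device) ApplyUpdate(m Manifest, image []byte) error {
	if err := d.VerifyUpdate(m, image); err != nil {
		return err
	}
	d.InstalledVersion = m.Version
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	dev := &Device{Model: "cam-200", VendorPublicKey: pub, InstalledVersion: 3}
	image := []byte("constructed firmware image, version 4") // stand-in for a real image
	good := SignManifest(priv, NewManifest("cam-200", 4, image))
	fmt.Println("valid update:", dev.ApplyUpdate(good, image), "now at", dev.InstalledVersion)
	fmt.Println("replayed manifest:", dev.VerifyUpdate(good, image))
	fmt.Println("modified image:", dev.VerifyUpdate(SignManifest(priv, NewManifest("cam-200", 5, image)), append(image, '!')))
}
```

The ordering matters: the signature is verified before the model, version or hash fields are read, so an attacker who cannot sign cannot even steer the device into a different code path, and the version counter is committed only after the image hash matches, so a rejected update leaves the device exactly where it was.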
None of us likes regulation or wants to invite it. It's anathema in the business world, but it's time to drive the agenda for "IoT Done Right." It's time to start minimizing the exposed footprint of the next device off the line as the industrial manufacturers of IoT devices crank up to full potential and only accelerate.
It's time to start the dialog. Take a counterpoint. Modify my list above. What matters is that we get the discussion started and guide the regulators before we see the Great Digital Smog descend on the Connected World. Otherwise, it will take years to fix.