In Depth

When Everything's Networked

You'll need a strategy for dealing with the hidden risks of Internet-connected air conditioners, door locks and forklifts.

By Fred Hapgood

Page 2

First, even if noncomputer devices (for example, gas pumps) had the same security profile as conventional networking equipment (such as PCs and routers), security costs would go up because risks rise exponentially with the number of nodes on the network, and device networking is all about adding nodes. But noncomputer devices are far more vulnerable than the usual stuff of networks. Most come into the system with no support for network security. No encryption, virus scanners, access control lists or patching support. All these have to be created or added by someone (again, you). Employee training costs are higher because most devices come out of environments in which no one thought twice about security, or at least not about network security. If you thought getting people to follow smart practices with desktop computers was tough, wait till you try training them to think about protecting a networked air conditioner.

Second, the applications for these devices tend to be more dependent on low-latency, real-time connectivity than traditional Net functions like e-mail or Web surfing. Voice over IP (VoIP, referring to telephones connected over a LAN instead of traditional wiring) is a classic example of an application that requires low latency, but you don't want a camera feed or a door lock hung up by a server crash either. Some security professionals believe that wherever possible, networked devices ought to have enough local intelligence to keep services flowing in case of a network failure (a conclusion that the management of Lance James's Arco station probably has arrived at independently).

Perhaps worst of all, device networking provides sociopathic teenagers, disgruntled employees and overaggressive competitors with lots of extremely cool new targets for mischief and mayhem, like locking your elevators, e-mailing files from the printer queue to random recipients, or turning VoIP phones into intercepts for every word spoken in their vicinity. A networked GPS is as able to track a vehicle's whereabouts for a hijacker as it is for a manager.

So who has the answers to device networking's questions? In fact, the CSOs and CTOs of network security companies are the ones who seem to have thought most deeply about the subject, both because it is part of their culture and because a successful hack against a security provider might affect not only its network but its brand as well. These luminaries spell out a couple of ways to approach policy and architecture to help secure the device-ridden networks of the future.
