When Everything's Networked

You'll need a strategy for dealing with the hidden risks of Internet-connected air conditioners, door locks and forklifts.

Lance James stopped at the Arco station but found "out of order" signs on all the gas pumps. The woman behind the counter was shouting into the phone that the station's network had been down for two days, thus no credit or debit card transactions, and the pumps were shut down as well. James mentioned his background in network engineering and offered to take a look (he's the CSO of Secure Science).

The pumps were connected to the station's local area network. The LAN led to a converter box, which connected to the outside world via a modem. The modem was off. James turned the modem back on, rebooted the main computer, and all the credit card systems went back online.

And the pumps worked.

Welcome to the world of device networking. It's the next very big thing: connecting noncomputer gizmos to a network, like a LAN or the Internet. Some examples are by now familiar: printers, telephones, cameras. But the list keeps going and growing. Besides gas pumps, there are forklifts, elevators, motors, signs, alarms, switches, GPS systems, intercoms, thermostats, vending machines, biometric devices, counters, power supplies, locks, lights, heating and cooling systems, and on and on. Right now, someone is working to put each of these devices onto a network.

The grand goal is to improve the work product of practically everyone in the enterprise. R&D can monitor the behavior of products that have been installed in the customer's workplace. Facilities management will be able to do a remote visual check of any room in which a fire alarm has gone off. Since networked devices are always on, they generate continuous data streams that can be sifted and filtered and analyzed. Equipment needing repair or replacement can automatically alert the maintenance department. Customer support will know when vending devices need refilling. And all these devices will in turn have access to programs and databases, making them more intelligent as well. (Imagine a door lock that knows which days are holidays.) Harbor Research predicts that by the end of the decade, considerations like these will have brought trillions of devices online and into communications with each other and with databases, analysis programs and human users.

Initially, only one person in the company is likely to have mixed feelings about device networking: you.

Start with a Bottle of Bayer

James's gas station adventure hints at some of the extremely vexing security concerns created by device networking. Mitigating those risks will cost the CSO time, dollars and probably a fair amount of aspirin as well.

First, even if noncomputer devices (for example, gas pumps) had the same security profile as conventional networking equipment (such as PCs and routers), security costs would go up because risks rise exponentially with the number of nodes on the network, and device networking is all about adding nodes. But noncomputer devices are far more vulnerable than the usual stuff of networks. Most come into the system with no support for network security: no encryption, virus scanners, access control lists or patching support. All these have to be created or added by someone (again, you). Employee training costs are higher because most devices come out of environments in which no one thought twice about security, or at least not about network security. If you thought getting people to follow smart practices with desktop computers was tough, wait till you try training them to think about protecting a networked air conditioner.

Second, the applications for these devices tend to be more dependent on low-latency, real-time connectivity than traditional Net functions like e-mail or Web surfing. Voice over IP (VoIP, referring to telephones connected over a LAN instead of traditional wiring) is a classic example of an application that requires low latency, but you don't want a camera feed or a door lock hung up by a server crash either. Some security professionals believe that wherever possible, networked devices ought to have enough local intelligence to keep services flowing in case of a network failure (a conclusion that the management of Lance James's Arco station probably has arrived at independently).

Perhaps worst of all, device networking provides sociopathic teenagers, disgruntled employees and overaggressive competitors with lots of extremely cool new targets for mischief and mayhem, like locking your elevators, e-mailing files from the printer queue to random recipients, or turning VoIP phones into intercepts for every word spoken in their vicinity. A networked GPS is as able to track a vehicle's whereabouts for a hijacker as it is for a manager.

So who has the answers to device networking's questions? In fact, the CSOs and CTOs of network security companies are the ones who seem to have thought most deeply about the subject, both because it is part of their culture and because a successful hack against a security provider might affect not only its network but its brand as well. These luminaries spell out a couple of ways to approach policy and architecture to help secure the device-ridden networks of the future.

First off, there is the extreme tack: Taher Elgamal, CTO of Securify, a network management software company, doesn't allow devices on his network at all. One reason is that he expects spammers to discover networked printers any day now and doesn't want to put his company in their sights. "Fax spam is bad enough," he says.

Mike Hrabik, CTO of security services provider Solutionary, on the other hand, was an early adopter of networked devices, including cameras, power supplies, air conditioners, generators and printers. According to Hrabik, Solutionary has used VoIP for four years, which is like having had e-mail for 20. His security solution was in its own way as extreme as Securify's: He connected the devices with their own IP network, with separate cabling.

To Conquer, Divide

Hrabik's physically separate network is the belt-and-suspenders, come-hell-or-high-water solution. A less sweeping but still effective alternative is to separate the networks logically to limit which devices can talk to which. James took this approach at Secure Science, in part to control the risks of putting digital printers on his network.

Logical separation is based on the fact that every device on a network has two addresses. The first is defined by the manufacturer and embedded in the hardware; the second is assigned by the network. These are known as the MAC (Media Access Control) and IP (Internet Protocol) addresses, respectively. The latter might be thought of as the street address of a house; the former as the name of the person living in that house at the moment. Packets typically arrive in a network knowing the IP but not the MAC address of their destination. They learn the MAC address by polling the device belonging to that IP address; that is, they go to the house, knock and ask who lives there. The first step in logically separating the network is to make sure that the device does not give out the identity of its "inhabitants" to every Tom, Dick and Harry that shows up at the front door. The butler needs to be given a list that specifies whom the master will see. Everybody else gets the door shut in his face.
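The "butler's list" above is, in practice, an inventory of the MAC addresses that belong on a segment. The following is an added example (not code from the article or from Secure Science) that audits a constructed ARP-cache listing in the layout of Linux's /proc/net/arp against such an inventory: it flags MAC addresses that are not on the list and IP addresses that more than one MAC is claiming, which is what a misconfigured or impersonating device looks like from the defender's side. All addresses, device names and the sample cache contents are constructed.

```python
"""Audit observed IP-to-MAC pairings against a device inventory (added example)."""
import re
from collections import defaultdict

# Constructed inventory of known devices: MAC address -> description.
INVENTORY = {
    "00:11:22:33:44:01": "gas pump 1",
    "00:11:22:33:44:02": "gas pump 2",
    "00:11:22:33:44:10": "lobby camera",
    "00:11:22:33:44:20": "office printer",
}

# Constructed sample in the column layout of /proc/net/arp. Two entries are
# deliberately suspicious: an unknown MAC at 10.0.5.99, and a second MAC
# claiming 10.0.5.12, which already belongs to gas pump 2.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.5.11        0x1         0x2         00:11:22:33:44:01     *        eth0
10.0.5.12        0x1         0x2         00:11:22:33:44:02     *        eth0
10.0.5.30        0x1         0x2         00:11:22:33:44:10     *        eth0
10.0.5.40        0x1         0x2         00:11:22:33:44:20     *        eth0
10.0.5.99        0x1         0x2         de:ad:be:ef:00:01     *        eth0
10.0.5.12        0x1         0x2         de:ad:be:ef:00:02     *        eth0
"""

# IP in column 1, MAC in column 4; the header line does not match.
ARP_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac) pairs from an ARP-cache listing; other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            pairs.append((match.group(1), match.group(2).lower()))
    return pairs


def audit(pairs, inventory):
    """Flag MACs absent from the inventory and IPs claimed by more than one MAC."""
    macs_by_ip = defaultdict(set)
    for ip, mac in pairs:
        macs_by_ip[ip].add(mac)
    unknown = sorted({(ip, mac) for ip, mac in pairs if mac not in inventory})
    conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}
    return {"unknown": unknown, "conflicts": conflicts}


def report(result):
    """Render audit findings as one line each, for a log or a ticket."""
    lines = [f"unknown device {mac} at {ip}" for ip, mac in result["unknown"]]
    lines += [f"ip {ip} claimed by {', '.join(macs)}" for ip, macs in result["conflicts"].items()]
    return lines or ["no findings"]


if __name__ == "__main__":
    for line in report(audit(parse_arp(SAMPLE_ARP), INVENTORY)):
        print(line)
```

On a real segment the input would come from the switch's or gateway's ARP cache rather than a string, and the inventory from the asset database; the check itself does not change. Note that the audit only tells you something is wrong at layer two; the fix the article describes, restricting which hosts a device answers at all, is enforced by switch port security or access lists, not by this script.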

Separation is defined by building access control lists and enforced by encryption. S2 Security is a startup developing a product that integrates networked management of devices (for example, video cameras, intercoms, sensors and door locks) with the idea of extending the reach of security personnel to multiple, remote-entry points. The company has two flavors of demo: a remotely controllable webcam accessible from its website, and private presentations it gives clients.

It would, of course, be enormously embarrassing if one of S2's competitors were to break into its product, especially during a presentation, and it cannot be denied that there are people in this field who would be amused by, indeed proud of, such an exploit. Responsibility for securing S2 from such a debacle falls to the company's COO, Michael Welles. According to Welles, the basic architecture of the S2 system runs browser-to-controller-to-devices. Up till now, most attention has been focused on the browser-to-controller link, perhaps because external connections are supposed to be riskier. In fact, the second link is just as important, but today few controllers encrypt the device end of their communications. Here, Welles can eat his own dog food: S2 makes a product that encrypts both the commands going to the devices from the controller and the device outputs flowing back to the browser. Password protection is laid on top of these encryption layers. External access can come over a VPN or other secure link.

Repeat as Necessary

Four general principles govern device networking security. The first is logical separation enforced by encryption (as we said). The second is proactivity. Secure Science's James believes a CSO ought to draw up a comprehensive threat model that includes the risks his company is likely to encounter at each stage of its growth, including important changes in status (such as going public), and build in the necessary protections, including training and standards-setting, as far ahead as possible. "The sooner security measures get built into policies, procedures and architecture, the better," he says.

The third is to use the strengths of the network (its reserves of processing and connectivity resources) to fight its weaknesses. Networks are built up out of layers of protocols or standards. The physical layer concerns what cables and cards and chips need to know about each other so that they can exchange zeros and ones; the application layer sets the rules by which applications interact; and so on. Good device networking security practice watches activity on several layers at once, from application requests (printers probably should not be Web surfing) to department access rights (why is customer support sniffing around in maintenance?).

"Watching" here means that the network is continuously comparing its current condition to "normal," which is defined by a combination of corporate policy and historical norms. Whenever the network sees a departure from the norm, it rings the authorities, like the credit card companies that call you when your card is used for a transaction in Nigeria.
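The two preceding paragraphs describe watching several layers at once and comparing what is seen with a "normal" defined by policy and history. The following is an added example, not code from the article or from any vendor named in it, that runs that comparison over a constructed hour of flow records: an application-level rule per device class (the printer that should not be Web surfing), a department-to-zone rule (customer support reaching into maintenance systems), and a per-host volume check against a constructed historical baseline. Every host name, service, zone, byte count and policy entry is made up for illustration.

```python
"""Compare observed activity with policy and a historical norm (added example)."""
from collections import defaultdict

# Layer one: outbound services each device class is expected to use (constructed).
DEVICE_POLICY = {
    "printer": {"dns", "ntp", "syslog"},
    "camera": {"dns", "ntp", "rtsp"},
    "thermostat": {"dns", "ntp", "mqtt"},
}

# Layer two: network zones each department may reach (constructed).
DEPT_POLICY = {
    "customer_support": {"crm", "voip"},
    "maintenance": {"cmms", "devices"},
}

# Historical norm: typical bytes per hour per host (constructed).
BASELINE_BYTES = {"printer-2f": 40_000, "cam-lobby": 900_000, "cs-ws-07": 300_000}
BURST_FACTOR = 3  # alert when an hour's volume exceeds this multiple of the norm

# Constructed flow records for one hour. Two are deliberately out of policy:
# the printer talking http to the Internet, and a customer-support
# workstation opening ssh to the maintenance (cmms) zone.
FLOWS = [
    {"host": "printer-2f", "kind": "printer", "service": "syslog", "zone": "devices", "bytes": 2_000},
    {"host": "printer-2f", "kind": "printer", "service": "http", "zone": "internet", "bytes": 150_000},
    {"host": "cam-lobby", "kind": "camera", "service": "rtsp", "zone": "devices", "bytes": 850_000},
    {"host": "cs-ws-07", "kind": "workstation", "dept": "customer_support",
     "service": "http", "zone": "crm", "bytes": 120_000},
    {"host": "cs-ws-07", "kind": "workstation", "dept": "customer_support",
     "service": "ssh", "zone": "cmms", "bytes": 5_000},
]


def check_flows(flows, device_policy=DEVICE_POLICY, dept_policy=DEPT_POLICY,
                baseline=BASELINE_BYTES, burst=BURST_FACTOR):
    """Return (host, layer, detail) findings; an empty list means 'normal'."""
    findings = []
    volume = defaultdict(int)
    for flow in flows:
        volume[flow["host"]] += flow["bytes"]
        # Application layer: a device class with a rule may only use listed services.
        allowed = device_policy.get(flow["kind"])
        if allowed is not None and flow["service"] not in allowed:
            findings.append((flow["host"], "application",
                             f"{flow['kind']} used {flow['service']} to {flow['zone']}"))
        # Access layer: a department with a rule may only reach listed zones.
        dept = flow.get("dept")
        if dept in dept_policy and flow["zone"] not in dept_policy[dept]:
            findings.append((flow["host"], "access", f"{dept} reached zone {flow['zone']}"))
    # Historical layer: compare the hour's total with the host's usual volume.
    for host, total in volume.items():
        norm = baseline.get(host)
        if norm is not None and total > burst * norm:
            findings.append((host, "volume", f"{total} bytes vs baseline {norm}"))
    return findings


if __name__ == "__main__":
    for host, layer, detail in check_flows(FLOWS):
        print(f"[{layer}] {host}: {detail}")
```

The printer shows up twice, once for the application-layer violation and once because the same session pushed its hourly volume past three times its norm; the two layers corroborate each other, which is the point of watching more than one. Device classes and departments with no policy entry are not checked here, so a complete deployment would also want a finding for a host that appears with no inventory record or no baseline at all.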

Fourth, good device networking security is continuously changing. The old security model was like a door lock: Once it was locked, you'd done what you could with the technology. The new model is like virus protection: You have an ongoing relationship with a security services provider that is constantly looking for new threats, doing its own research and installing upgrades continuously. James advises hiring third-party tiger teams on a regular basis to test both your own network and the quality of the advice you have been getting from your security services provider.

These last three principles should look familiar. Proactivity, surveillance in depth and rapid responsiveness are the load-bearing members of every form of security. Every CSO campaigns for them, usually to disappointing effect: Nobody can make the time, being careful is too great an inconvenience, everyday business can't be interrupted for training sessions, it's too expensive and so on.

So perhaps the most important piece of good news about device networking is that its security risks are so egregious, so scary, that they will force companies to implement the security principles they should have been following all along. Certainly any CSO can count on a high level of interest from an executive who has been trapped in an elevator for an hour by a 15-year-old Romanian hacker looking for a bit of recreation.

Copyright © 2004 IDG Communications, Inc.
