The (In)Security of the IoT

Several announcements in July have focused attention on security vulnerabilities and risks in the Internet of Things. Siemens announced an update to fix vulnerabilities in its SIMATIC automation system for energy management. Ponemon Institute, jointly with Unisys, announced its report on security vulnerabilities in critical infrastructure. And HP announced its research on vulnerabilities in IoT devices.

These announcements all have significant implications for the security of the Smart Grid and for our work in SPARKS. They put the spotlight on the essential role of device security in Smart Grid, an area that SPARKS is looking at detail. But it is also important to recognize that the vulnerabilities fixed by Siemens and explored in the Ponemon and HP reports are only part of the risks that need to be addressed in order to secure the Smart Grid.

In May, Alan Webber, Principal Analyst at Asymmetric Strategies, wrote a blog for RSA in which he explored “3 Key Risk Areas in the Internet of Things”. He included vulnerabilities in IT-managed devices as the third of these key risk areas. But he also called out, as the first risk, vulnerabilities in devices that are not under IT control and, as the second risk, vulnerabilities in infrastructure systems such as fire suppression, building management and so on.

At the RSA Conference in February 2014, Eric Vyncke, Distinguished Engineer at Cisco, presented an even more comprehensive view of the risk areas in IoT, discussing such issues as the risks implied in multi-party networks, in the discrepancy between crypto lifetimes and device lifetimes, and in attackers using tools such as using Shodan to find critical systems to target. Jeff Schutt, Solution Architect at Cisco, discussed this further in his session at CiscoLive 2014, proposing an “IoT Security Threat Framework” that suggests various strategies for responding to IoT attacks, depending on when the attacks occur within an attack continuum.


Although SPARKS is focused on Smart Grid, rather than the broader range of systems encompassed in IoT (or IoE, “Internet of Everything”), we will certainly be taking advantage of this and other research in IoT threats and responses. But it is clear to us already that there are important areas of risk that need at least as much attention as device vulnerabilities, such as social engineering attacks. And there are even more fundamental areas of vulnerability, such as in the blind spots created by old models of security, old models of risk, old models of security and, as my SPARKS colleague Thomas Bleier pointed out, our often unquestioned mindsets – such as the natural tendency of all of us to view a project as finished once the initial deployment is done, rather than viewing the project as an on-going process. As Alan Webber wrote in the blog mentioned above: “companies have a chance to build a foundation for the security issues related to the IoT, starting with assessing their risks in non-traditional IT areas.”  We in the SPARKS project hope our work will be instrumental in building that foundation.