With humans so integral to the Internet and IoT, we'd better understand ourselves in a scientific fashion. We simply haven't developed scientifically valid models. How do we model user behaviors? How do we model engineers' thought processes when they create these systems? How do we model the institutions created by humans that will operate in an IoT world? How do we model an adversary's mindset and behavior to protect such a potentially large attack surface?
The challenge here is that human behavior doesn't have a closed form like math. Encryption, for instance, has a nice, neat, closed form, in terms of how it describes a problem and how it provides a solution. Science is a good way to deal with systems -- like human behavior -- that don't have closed forms. I'm aware that astronaut and pilot behavior has been modeled to streamline spacecraft and jet controls. Digital advertising companies have done online human behavior monitoring for years, with some controversy over privacy issues. Biologists are modeling the behavior of cells. But in the broader, everyday realm of ordinary people, as they interact with IoT, we've only just begun.
I have called for the creation of public-private partnerships that can store and analyze cyber incidents to determine what happened. Human behavior clearly plays a significant role in these incidents and we need to understand that behavior and how to modify it in a scientifically valid manner because the attackers are very good scientists. They build models of how the world works and they incorporate feedback as to whether their techniques are working. We need to have the same sort of savvy.
Myth #4: Software security that works for IT will work for IoT.
On one level, this is not a myth. For instance, the IEEE Cybersecurity Initiative recently published a paper, "Avoiding the Top Ten Software Security Design Flaws," and it's certainly applicable to IoT, though by its stated scope it's not comprehensive. The paper is useful for IT and/or IoT software design in that its chapters discuss fundamental concepts such as "earn or give, but never assume trust," "use an authentication mechanism that cannot be bypassed or tampered with," "authorize after you authenticate," etc.
On another level, however, I think one of the challenges for IoT -- to cite just one example -- is that some traditional, desktop security strategies probably aren't going to work well. What does it mean to patch software in IoT? Certainly, in the industrial control system domain technology is fielded for decades; that gear doesn't get a software patch every month. So practices that are becoming efficient for desktop computing and for traditional IT infrastructure may not be relevant to IoT.
Sign up for MIS Asia eNewsletters.