Hastened by the rise of IoT, digital and physical worlds are merging into one. Digital technologies are at our every turn. They are in our buildings, utility systems, transportation systems, healthcare, our homes, and our cars--and let's not be silly, the list goes on and on. A mishap in the digital world can have tangible, sometimes life threatening, impacts on people and their environments. That being said, the traditional backbone of security--confidentiality, integrity, and availability (CIA)--will no longer suffice when the physical safety of individuals and their environments are at risk as a consequence of the "digitalization" of society.
How did it happen…?
The Internet of things (IoT) results in a less expensive and more flexible means to initiate changes within our physical environments by using fit-for-purpose technologies. Conversely, this heightens the level of risk attributed to organisations utilising these technologies. Moving away from the traditional IT requires a shift from traditional security as well to tackle these risks effectively.
Organisations eagerly lap up the proficiencies and accessibilities attributed to the advancements in digital technology, many unaware of potential risks to physical security. Consumers are keen to obtain and use the latest technologies on a whim (the early adopter syndrome). The ambitious union of Internet, people, computers, and things is resulting in a rethink of how to secure them all.
The scope of IoT is developed to perform specific tasks with functions in the physical environment, resulting in physical change within that environment. Instantly, digital weaknesses have the power to compromise lives and environments and not only data!
This new reality is causing a shift in roles too, as the integration of safety is now imperative. Where once physical safety was primarily the responsibility of the operational technology (OT) and scarcely a consideration for the information security team, now IT, OT, and IoT must collectively ensure physical safety. The resulting merger of operational technology with information technology brings about joint security and safety challenges that were not prevalent before. (Need a job, anyone?)
All parties are concerned for the challenges resulting from this tech explosion--those manufacturing the devices, the businesses and consumers utilising them, as well as the IT professionals whose responsibility it is to manage them.
Just like that, the shift to the CIA+S model is brought upon us. What does this mean? The CIA model focuses on the security of data. Responsibly must now go beyond the security of data. It must shoulder the physical safety of the people and the environments in which they play, work, and live. Security must be designed to incorporate new as well as existing technologies from the core but also include connected systems and devices, speaking to the crop of new IoT devices . This is driving the development of new cybersecurity skill sets, procedures and technologies, perhaps a welcoming opportunity for those working in the field.
Out with the old and in with the new…or is it really?
The CIA model has served as the fundamental operating principle for information security systems for as long as I can remember--it spans decades. The critical role of ensuring the safety of people and their environments due to the rise of more encompassing technology is reshaping this model. Now, organisations have the tough job of ensuring that their cybersecurity is up to snuff and to adapt to changes of the growing technological landscape, thanks to the eruption of digital tech impacting our physical world.
Putting it simply, we're screwed unless we get our acts together. The unceasing cycle of cybersecurity failures of late is culminating in increased security risk, both cyber and physical. The inability to substantially mitigate some of these risks has shown that more is required from the security model. Don’t get me wrong, by no means is this the end of CIA and by no means is CIA no longer required. These pillars of security still stand! CIA+S should be viewed as an extension of the CIA model which will assist with protecting against the new risks -- those impacting the physical world, advanced by the IoT.
Self-driving cars are now all the hype. On the May 7, a man was confirmed to have died in a fatal crash as he was driving a Tesla while using the autopilot system. This is a perfect example of the unspeakable physical impact that can result from failing technologies.
Why is it that we experiencing exasperated failures in cybersecurity? A main reason is that the security challenges we are facing are different. Each device has a different functionality, varying capabilities, and different vendors. Differing types of data and amounts of data are processed. The potential security risks that each inadvertently impose also vary. The challenge of keeping abreast and supporting the infinite numbers of devices and their potential vulnerabilities is alarming. (Just think about what app developers have to deal with when they have to build for a multitude of Android devices--there are just too many to keep track of.)
Moreover, standardisation in this area leaves a lot to be desired--there's simply nothing out there that all IoT manufacturers acknowledge and follow--and as such, each manufacturer may be taking a different approach to securing their devices, if they're bothering at all.
We are faced with a multitude of layers to address. The devices themselves are vulnerable as well, but let's not forget their supporting platforms either. Many of the devices are built using open source resources (and different flavors of Android) and this in turn may be cause for further vulnerability. The software utilised for IoT may too be vulnerable to threat. Further, vulnerabilities can be related to function--how and where it is used. What happens when it malfunctions? Well, it all depends where you are right now.
Solely protecting data is no longer sufficient, and safeguarding the confidentiality, integrity, and availability of data only does not cut it. To alleviate the physical risk, organisations must take responsibility for providing physical safety for both people and their environments and this should be incorporated with the security practices undertaken from adoption and implementation of the technologies within the organisation.
Why does this all matter? Previously, systems were considered isolated and thus, secure. However, IoT presents the ability for devices to communicate outside of these secure boundaries. Devices are becoming more intelligent to meet changing business demands. Forces and changes in technologies, products, and services and how they are impacting people and their environments is propelling the evolution of cybersecurity.
As mentioned early on, this more comprehensive approach will open doors to new cybersecurity skillsets. Organisations will need to adopt innovative practices, including those for:
- safety engineering (ensuring systems are engineered with physical safety at the forefront)
- machine-to-machine communications (including IoT and automation skills)
- embedded software for controlling devices
- systems security
- cyber-physical systems (where computers and networks monitor and control physical processes).
Furthermore, developers will be required to have more expansive development portfolios which embrace real-time and event driven applications on a multitude of varied platform types. Now's a good time to become a software engineer too, in case you were looking for a new gig.
Confidentiality, integrity, availability, as well as safety, is the integrated mandate for cybersecurity for the organisation of 2020. When uncovering the layers, what do they all mean? The triad CIA, well known within the security community, is the model to assess and respond to threats by separating information security into the three fundamental components.
- Confidentiality: Keep your secrets private! Confidentiality supports the principle of ‘least privilege’ by stipulating that only authorised individuals, processes, or systems should have access to information on a need-to-know basis. Doing this deters espionage and data theft, both threats to confidentiality.
- Integrity: Integrity is the principle that data should be protected from intentional, unauthorised, or accidental changes. Controls put in place should aim to limit potential exposure to any modification of data. Viruses and malware compromise the integrity of systems that they infect.
- Availability: Keeping services running, allowing access where intended, and managing access appropriately is what availability is all about. Availability ensures that the data is available and accessible when needed. Practices should address the main areas which have potential to cause disruption to availability, those include denial of service attacks, data deletion, and loss of service due to disaster (manmade or natural).
This is all good until the IoT is thrown into the mix. Now, we find ourselves with the challenging task of securing people (stopping their tech from harming or worse, killing them!) and protecting their environments too. Suddenly, the goals and objectives that were previously met are not. Gaps in our security are now visible, gaps that once did not exist. Unfortunately, the risk is no longer only to our data but is now further elevated to have a physical impact as well. How do we tackle this?
And this is why the Safety Principle is incorporated-CIA+S is born.
- Safety: Ensuring the physical safety of people and environments from technological failure. This could be a sensor or a device initiating a change, positioned at the boundary between the business and the user/consumer. Ensuring physical safety will require a degree of transparency to consumers with regards to the services and technologies used by them.
Let the journey begin
Organisations must consolidate cybersecurity efforts to safeguard across broader technology expanses and address volatile technologies. This requires cybersecurity governance, strategy, and planning to cover all areas. Employing new approaches to cybersecurity in access, defence, governance, detection, and response can balance the risk. Embracing a cohesive security strategy for traditional IT, OT security, physical security, and securing IoT, while focusing on the safety of the individual and the environment, can accomplish a more comprehensive security approach.
This forward-thinking attitude to security is the future of security for many businesses embracing IoT. Where this is the case, securing these technologies as well as the people and environments utilising them is a necessity. The reality is that IoT, a digital technology, makes changes to the physical world, which without appropriate oversight, can impart catastrophic results!
Fortunately, there are organisations that are working together to effectuate change. These changes will have a direct outcome on the way cybersecurity teams approach security to adapt security models to meet these changes effectively.
We must protect the physical safety of people and their environments to avoid the innovation in technologies being overshadowed by destruction that they may leave in their wakes. As it stands today, we're doomed. Let's hope things improve for the better in the coming months and years.
Photo credit: Shutterstock