Six Questions for IoT Security Expert Dan Lohrmann

By Mary Catherine O'Connor

Whether you're instrumenting your factory with sensor networks or designing a consumer product that leverages Internet of Things technology, Security Mentor's chief security officer says you need to set your security strategy early.

Dan Lohrmann has nearly 30 years of experience in cyber security, including stints at the National Security Agency and as the first chief security officer for the state of Michigan. Lohrmann currently serves as chief the strategist and chief security officer at Security Mentor, which provides companies with security awareness training. We asked him a few questions about data security and privacy issues that end users (or potential end users) of IoT technologies might want to think about regarding their upcoming projects.

IOT Journal: The IoT has such a massive range of applications, including consumer-facing exercise and health-care aids, predictive maintenance systems embedded in factory equipment, intelligent lighting and safety systems that are part of smart city projects. From a security point of view, what applications or sectors do you feel require the most attention?

Dan Lohrmann

Dan Lohrmann: I recommend approaching this from a data-centric viewpoint. If sensitive data—and just a note that some prefer using the term personally identifiable information (PII) over sensitive data—is being collected, stored or transmitted in an application, those IoT apps and devices require the most attention.

The difficulty comes if IoT devices that process less-sensitive data can become "back-doors" into networks that contain more sensitive data. For example, could a Wi-Fi-connected kitchen appliance provide a trusted connection to a PC with tax information on it?

Another tricky topic is geolocation, especially when it comes to consumer devices. While some people may not care if their heart rate or number of steps is revealed via a smart wristband app, does that wristband also report where you are jogging? That data can cause privacy concerns that affect safety issues. The question becomes: Who can legitimately see this data?

IOT Journal: The government is an important player in the emerging IoT ecosystem, and we've reported on a number of smart city deployments around the world. In the United States, the public-private partnership U.S. Ignite held a major summit this summer and is really pushing to instrument city infrastructure with sensor networks in order to improve transportation, utility services and environmental health. In smart city deployments, what are the top security issues and vulnerabilities? What safeguards should cities and vendors—and even citizens—take?

Lohrmann: I like to use the simple categories of people, process and technology to describe smart city deployment issues and security solutions. I would start with a series of questions to complete project plans. The difference in new smart cities technologies is that they often lack the access controls, logs and other security features built into more traditional infrastructure platforms.

On the people side, determine what data are you collecting and storing. Why? What are you using the data for? Who has access? Is your staff trained? What is the privacy policy? Can citizens see their data, or "cleanse it," if needed?

On the process side, do you have a clear concept of operations? How are IoT devices and capabilities integrated into your wider government operation centers? What do you do if something goes wrong? Is there an incident-management plan? Are different scenarios tested, and are the actions required of staff clear and repeatable in an ongoing way? For example, what do you do if sensors fail or an emergency situation occurs? Even if everything is working correctly, what actions are required to ensure proper ongoing functions are maintained, such as monitoring logs and responding when appropriate?

The technology issues revolve around the platforms being deployed and the security controls that are available and are in place by the vendor. Ask if you are running the highest or appropriate level of security controls available. Where is your data stored? Is the data encrypted at rest and in transit? What about patches and upgrades? Does an ongoing operational and budget plan address using the technology in the long-term, and not just for a few months or a year? In government budgeting, "one-time money" is sometimes used to purchase the latest innovative devices, but when the funds run out, equipment can quickly become out of date or no longer be covered under warranty for needed software or firmware upgrades, etc.

IOT Journal: IoT security can be a real vulnerability, but it's also an opportunity. I've seen some IoT hardware players acquire security software companies recently, and Honeywell and Intel just announced a partnership through which they're integrating Intel Security's McAfee technology with Honeywell's Industrial Cyber Security Solutions for industrial IoT applications. Where are you seeing the most growth and potential in the IoT security market?

Lohrmann: At the moment, IoT is still a buzzword globally for many organizations with too much hype and plenty of confusion. In some cases, companies are just rebranding and marketing their latest version of a traditional product to become an IoT product. Nevertheless, the low-end health market—smart wristbands, etc.—and the higher-end smart-cities and industrial markets are taking the lead.

There is a lot of opportunity in integration of disparate systems and platforms. Industry needs to adopt common standards and business models for IoT, and it must address significant baseline issues regarding privacy and security. Sadly, far too many IoT devices are coming out with minimal security controls at all in their 1.0 versions.

As for advice: I've been telling security pros for more than two decades to "follow the money." The same applies with IoT: "Get on board the boats leaving the dock." As new products become hot sellers, there will be a huge need to securely configure, monitor and manage these IoT devices and platforms with security controls and, sadly, after-market enhancements to security that was not built in up front.

As far as connected cars, health care and smart homes, a lot of money is going into research and new, innovative opportunities, but consumer products, like smart appliances, are slower to take off in most markets due to high cost. The prices will start to drop in 2016 to 2017.

The big auto companies, health-care products companies and large tech companies are investing heavily in IoT—such as Cisco reinventing itself as an IoT company.

IOT Journal: Google-owned Nest is likely the smart-home product best known by consumers. Last year, Google purchased DropCam, a maker of streaming security cameras for the home—and the subject of a widely cited hack. Nest recently announced the Nest Cam, the first new product to leverage the DropCam technology Google acquired. What do you think of the security and privacy protections that Nest uses?

Lohrmann: Like many IoT products, Nest has security holes. One of those reported vulnerabilities was a hardware backdoor that anyone with a USB port could use. I like this Black Hat presentation from 2014, which pointed out the strengths and weaknesses inherent in Nest at that time.

I would say that I have little doubt that Google will close the Nest security holes as quickly as they can. Nevertheless, there is no doubt that we will continue to see problems with Nest security and privacy features going forward.

I suspect that, taking a big step back, people will trust companies like Google and Microsoft more than smaller startup companies with their security, despite these setbacks, because of their name and the trust they have built with consumers. Where new companies are very successful, as Nest was before being acquired, I think you will see those companies acquired and rolled into the tech giants.

For example, look at the security and performance around Google's cloud offerings. Yes, there have been failures and even network outages. And yet, the overall use continues to grow dramatically. I predict we will see the same with IoT.

IOT Journal: In general terms, there are many best practices for approaching data security with respect to IoT products and services—people often say things like "bake security into the product design." But what are the most important specific suggestions you'd give, say, a startup that is entering the market, no matter what type of IoT product or service it is developing?

Lohrmann: First, start with picking your secure IoT foundation. What is your IoT platform? I am not advocating any one specific vendor, but one example is Intel's IoT platform, which is a combination software and hardware and uses middleware from Intel subsidiary Wind River and security tools from another Intel subsidiary, McAfee.

Second, think end-to-end. How will your customer use your device or service? Offer a complete solution, or find a partner that can integrate new products or services with existing networks and other systems. This integration could be as simple as accessing a secured Wi-Fi system with an appropriate password, or may involve complex interconnectivity with enterprise-wide databases in another company across the country.

This integration must also address the authentication and access control issues. Who is allowed to do what? Is there a "single-sign-on" system that allows administration from some type of universal controller—almost like a universal remote for TVs, DVD players, etc? Single sign-on systems are usually good; they make products easier to use and administer. The key becomes ensuring that whatever security system is deployed for your IoT devices takes into account the appropriate security controls for that solution. This article details the pros and cons of single sign-on solutions.

Third, look at best-practice deployments in your particular IoT space. Look for success stories to emulate. The website Titans of IoT has some good ones.

IOT Journal: What should governments or large enterprises that are buying IoT products and services be looking for?

Lohrmann: First, have an IoT plan and think through policies that need to be in place to deliver results. Map out a vision for your enterprise and lead the charge. Second, IT leaders must build security provisions and cyber-protections into current and new IoT contracts. From relationships with banks to the purchase of utility services, public-sector business leaders can make a difference.

The best way to influence the privacy of today's citizen data and the future of the Internet of Things is by strengthening the contract requirements in the procurement process. For guidance on ways to strengthen privacy protections, look to the federal government's FedRAMP program, which requires standard contract clauses laying out privacy and security safeguards be included for systems that access cloud-computing resources. You can read more about FedRAMP contract requirements here.

Third, act now. It's not an overwhelming as you might think. When I see the claims and counter-arguments being made about IoT security, it reminds me of the early days of cloud computing. People are still asking: Can we secure the cloud? The simply answer is no, not the entire cloud. Still, you can secure your cloud. We can secure individual computer systems and applications connected to the Internet in your situation. You can secure your corner of cyberspace. Strive to secure your IoT project and not take on the unwieldy global world of IoT.

But don't wait for perfection, because, just as with current Internet apps, we will never have 100 percent secure systems.