The importance of cross-industry collaboration
While the majority of this book is devoted to IoT security, the aforementioned IoT use cases clearly emphasize the increasing worldwide demand for cross-disciplined security engineers. We struggle to find the subject covered in academic curricula outside of a few university computer science programs, network engineering, or dedicated security programs such as SANS. Most security practitioners have strong computer science and networking skills but are less versed in the physical and safety engineering disciplines covered by core engineering curricula. So, the cyber-physical aspects of the IoT face a safety versus security clash of cultures and conundrums:
- Everyone is responsible for security
- The IoT and CPS expose huge security problems crisscrossing information computing and the physical world
- Most traditional core engineering disciplines rarely address security engineering (though some address safety)
- Many security engineers are unaware of core engineering disciplines (for example, mechanical, chemical, and electrical engineering), including fault-tolerant safety design
Because the IoT is concerned with connecting physically engineered and manufactured objects, this conundrum more than any other comes into play. The IoT device engineer may be well versed in safety issues, but does not fully understand the security implications of design decisions. Likewise, skilled security engineers may not understand the physical engineering nuances of a device well enough to ascertain and characterize its physical-world interactions and fix their security deficiencies. In other words, core engineering disciplines typically focus on functional design, creating things to do what we want them to do. Security engineering shifts the view to consider what the thing can do and how one might misuse it in ways the original designer never considered. Malicious hackers depend on this. The refrigeration system engineer never had to consider a cryptographic access control scheme in what was historically a basic thermodynamic system design. Now, designers of connected refrigerators do, because malicious hackers will look for unauthenticated data originating from the refrigerator or attempt to exploit it and pivot to additional nodes in a home network.
Fortunately, security engineering is maturing as a cross-discipline. We can argue that it is more efficient to enlighten a broad range of engineering professionals in baseline security principles than it is to train existing security engineers in all physical engineering subjects. Improving IoT security requires that security engineering tenets and principles be learned and promulgated by the core engineering disciplines (originating in their academic curricula) throughout their respective industries. If not, industries will never succeed in responding well to emergent threats. Such a response requires applying the right security mitigation techniques at the right time, when they are the least expensive to implement (that is, in the original design, along with its flexibility and accommodation of future-proofing principles). For example, a thermodynamic process and control engineer designing a power plant will have tremendous knowledge concerning the physical processes of the control system, safety redundancies, and so on. If they understand security engineering principles, they will be in a much better position to dictate additional sensors, redundant state estimation logic, or redundant actuators, based on certain exposures to other networks. In addition, they will be in a much better position to ascertain the sensitivity of certain state variables and timing information that the network, host, application, sensor, and actuator security controls should help protect. They can better characterize the cyber attack and control system interactions that might cause gas pressure and temperature tolerances to be exceeded with a resultant explosion. The traditional network cybersecurity engineer will not have the physical engineering background on which to orchestrate these design decisions.
Medical device and biomedical companies, automotive and aircraft manufacturers, the energy industry, even video game makers and broad consumer markets are involved in the IoT. These industries, historically isolated from each other, must learn to collaborate better when it comes to securing their devices and infrastructure. Unfortunately, there are some in these industries who believe that most security mitigations need to be developed and deployed uniquely in each industry. Standards organizations frequently promote this thinking as well. This isolated, turf-protecting approach is ill-advised and short-sighted. It has the potential of stifling valuable cross-industry security collaboration, learning, and development of common countermeasures.
IoT security is an equal-opportunity threat environment; the same threats against one industry exist against the others. An attack and compromise of one device today may represent a threat to devices in almost all other industries. A smart light bulb installed in a hospital may be compromised and used to perform various privacy attacks on medical devices. In some cases, the cross-industry link is due to intersections in the supply chain or the fact that one industry's IoT implementations were adopted into another industry's systems. Real-time intelligence as well as lessons learned from attacks against industrial control systems should be leveraged by all industries and tailored to suit. The discovery, analysis, understanding, and sharing of how real-world threats are compromising ever-present vulnerabilities need to be improved for the IoT. No single industry, government organization, standards body or other entity can assume to be in control of threat intelligence and information sharing. Security is an ecosystem.