
Organizations still not ready for Internet of Things, says Intel Security exec

Despite warnings from a number of industry analysts and vendors organizations still aren’t prepared for the security problems that the Internet of Things is bringing, says a senior Intel official.

“I think people are failing to plan or accommodate just how pervasive it will be,” Scott Montgomery, vice-president and chief technical strategist of Intel Security, said in an interview Tuesday. “It’s going to create new attack vectors for adversaries.”


For example, he pointed out, in the U.S. alone the remote cardiac monitoring market will be worth US$1 billion this year, raising the spectre of an attacker holding a person wearing a pacemaker hostage. “It’s a scary implication,” he said, in part because health care practitioners aren’t concerned about the safety of approved devices, just about their patients’ care.

Similarly, he added, there was an attack by an unknown adversary that temporarily knocked out a power system in the Ukraine.

“I think organizations are failing to encompass in their planning just how many devices will wind up with an IP address,” he said.

The comments were part of a wide-ranging interview Montgomery gave to ITWorldCanada.com from Toronto, one stop on a three-city roadshow (the others are Montreal and Ottawa) in which officials from his division are speaking to partners and customers.

Intel Security is the McAfee products branch, responsible for endpoint, data leakage/classification tools, SIEM, network malware detection tools and intrusion prevention products. In fact, Montgomery came to Intel when it bought McAfee in 2011.

As sales of PCs are slowing, Intel is shifting to focus on powering data centre infrastructure and the Internet of Things following a restructuring and the layoff of 12,000 announced last month. Although the data centre division pulled in US$4 billion in the first quarter compared to Intel Security’s US$537 million, the company has high hopes for security: Sales were up 5 per cent over the previous quarter and up 12 per cent year-over-year.

Still, that was after some pruning: Last fall Intel said it was ditching some products that weren’t selling well (including email security solutions) and sold its next-generation and enterprise firewall products to Raytheon/Websense.

The IoT is often on Montgomery’s mind, particularly in the context of the vulnerability of essential industrial infrastructure. Often news reports of attacks point fingers at foreign countries. But Montgomery says the focus is better spent on what went wrong rather than who allegedly did it. help unify IoT standards, including guidance for best practices in creating secure APIs. Intel itself is also creating toolkits and frameworks for those who use its chips in IoT devices.

Montgomery also insists that large industrial device makers such as Honeywell and Siemens are taking IoT security seriously. When Exxon Mobil recently put out an RFI for modernizing its physical infrastructure, he added, it included requirements for device safety, privacy and data visibility.

Ultimately, he said, “it will be dollars and cents” and not a sense that security is a good idea, that will drive manufacturers to improve IoT security.

The IP-enablement of everything is one of two vulnerabilities he worries about. The other is what he broadly calls “data challenges,” meaning the failure of organizations to properly protect sensitive information.

“Organizations are a little bit lax in protecting the most valuable data assets with the most scrutiny. They kind of use a rollerbrush technique and try apply a one-size fits all.” Data classification “will allow them to be a little bit better prepared.”

Line-of-business owners have to tell infosec teams what the real value in the data is so IT knows where to marshal its resources, he says. After all, he argues, it’s unlikely CISOs can prevent breaches, so they have to best protect the corporate jewels.

Failure to do so is one of the two pre-breach mistakes infosec teams make, he says.

The biggest post-breach mistake is failing to create a containment plan. “Most organizations spend all of their time on pre-breach planning and have nothing documented on post-breach … And what this leads to is timing chaos and organizational chaos.”
