When you merge the physical and the digital, it’s not just about InfoSec any more. People’s lives could be at risk.
From surveillance cameras to insulin pumps, office tower elevators to smart cars, almost every device imaginable is being given the smarts and the Wi-Fi. That means they can be hit with a cyber attack. And that means that illegitimately changing data can now have a physical impact.
This year’s demonstrated hacks against smart cars, and those against medical equipment in recent years, are the obvious examples.
Earl Perkins, a Gartner research vice president, says that for the digital business, data is no longer just a competitive differentiator, or the basis for better decision-making.
“Data becomes an agent of safety and protection as well,” he told the company’s Security & Risk Management Summit in Sydney last Tuesday.
“Our decisions about protecting data can affect people’s lives, and the environments that they live in. And it can do it to a greater degree than ever,” he said.
Even the so-called right to be forgotten might have a safety element.
“Why would someone perhaps be interested in being forgotten? Why would they want to seek privacy? It may be as much for safety reasons as it was for security reasons,” Perkins said.
One of the key concepts of information security is the CIA triad: an organisation’s information security processes must preserve the data’s confidentiality, integrity, and availability. Gartner now considers the safety aspect to be so important that it has expanded the triad, adding safety as a fourth security goal.
To understand how we got here, says Perkins, we should look back at how we’ve rolled out successive waves of technology in the past. Each wave has moved the value of the data further away from the core datacentres of mainframe days, out towards the edge of the network. And as we’ve done that, we’ve simply built on top of the legacy systems.
“We never threw anything away,” Perkins said. We now have a series of legacy systems stretching from the core systems to users’ devices, desktop and mobile, and all the things in the Internet of Things at the network’s edge.
“When we added safety into this [during Gartner’s scenario-development research], we noticed that physical infrastructure complexity and automation could conceivably increase risk… When the digital surface increases, the threat surface to protect it increases,” he said.
“We need to look at the concept now where data has physical impacts — literally — in our lives. How does that play out five years from now?”
Well, it seems that organisations are already starting to reconsider how they do business with suppliers, partners, logistics firms, and the rest.
“Now we’re beginning to say ‘What are they doing in this context?’ How are they evolving? And maybe even more important, ‘What is the concept of trust now in the supply chain relationship when you have this level of complexity evolving?’,” Perkins said.
“Will they trust you if you don’t acknowledge or recognise what is happening, and make changes as a result of the way you perform your cybersecurity duties?” he asks.
“This worries me quite a bit, because as a globalised economy, we have unusual dependencies among suppliers that could affect our physical edge environment. Ask the military.”
Perkins noted that we’ve already had cases where some customers refuse to buy equipment from “certain suppliers of telecommunications equipment”, because of the equipment’s source. Edward Snowden’s revelations have only increased that kind of doubt.
Well, the digital explosion of the Internet of Things will only increase those doubts, he says.
“That all just exacerbates the problem, and makes it a more complex discussion, because things [that you sell] are built from other things, and those things come from other sources besides you, and that’s something that we have to consider.”