Cyber Security – What will we do about patches in the world of Internet of Things?
I was in the process of updating and applying the latest patches to my devices: 1 iPhone, 1 iPad (for work), 1 iPad (home use), 1 Windows-based PC (work), 1 Bluetooth headset (work), 1 Bluetooth transmitter (work). And I thought: how is this going to work with the Internet of Things?
It is a common part of life with a personal computer that patches, for both security and for applications, have to be applied at regular intervals to keep everything safe and in sync. I never really kept track of the time it takes until it seemed that every one of my devices needed to be updated at the same time.
My company pushes patches to my work PC and in some cases automatically applies them; others I manually apply. With my limited number of devices this is still doable. But what happens when 1,000s of devices need to be updated and patched, particularly those devices that have no specific owner?
The company IT department does a fine job of testing the latest patches before we are asked to update. In fact it frequently tells us to hold off applying the latest update until they can fully test it. In a fully implemented Internet of Things environment, how can this process of testing the patch to see if it causes a conflict within your landscape continue? After all, the company only supports a limited number of portable devices and operating systems. And they can test each of these types of devices and systems to ensure compatibility.
Just think of the number of instruments and other devices that would need to be updated in the Internet of Things. How can any company fully test out the patches? With devices controlling chemical processes a “bad” update could have a significant negative impact on the operation of the facility.
I think that there are more questions than answers right now, but here are some of my thoughts:
- Patches / Updates will have to be scheduled and coordinated, just like we do for shutdowns. In fact I can see this type of update being part of the shutdown, turnaround, overhaul (STO) process. Any time a process goes down for maintenance, any and all patches would be applied and the testing included in the start-up procedures.
- An increased need for standardization of devices and operating systems. Just like in PC support with its limited number of device types, I feel that companies will standardize on a limited number of manufacturers and device types to limit the variability in the landscape and reduce testing needs. Of course this increased standardization has other problems; if someone can break the security on one device, a large part of the landscape could be vulnerable.
- The need of these intelligent devices to be able to apply the patches themselves, and to report back that the patch / update was successful. And potentially to roll back to the previous working release if the update was unsuccessful. I just cannot see that it would be practical to have a person apply and monitor 1,000s of patches by themselves.
- New skills will have to be added to the skill set of those people who work with these intelligent devices. As processes are increasingly controlled by software, the ability to correct / apply the software patches will be a required skill set that not everyone currently has. In my family I am the go-to guy, the “help desk”. The maintenance worker will require more of what are considered IT skills today to be able to work in the world of the Internet of Things.
- The need to continuously replace devices. This one hurts me; I have been told that I am cheap and I hate to replace a device that is working. But even today some manufacturers are saying that the device needs to be replaced in order to get the latest security (https://securityledger.com/2014/05/traffic-monitoring-tech-vulnerable-to-hacking/). So now we have end-of-life concerns not only for the actual physical device but for the software that runs and secures the device. I know trying to get budget for equipment upgrades is difficult; how about including replacement cost for equipment that is still working and doing the job? Do you think upper management will approve the request? Will this be part of the STO budget and process?
- An increased demand on manufacturers of the devices that, at least with their own devices, the latest patch will not cause a problem. This means that the manufacturer will have to do full testing on every one of their supported devices whenever a patch / upgrade is released. Ideally I would like this concept to apply to all the manufacturers in my landscape. But I am not holding my breath on that one. I feel that it will still be up to the chemical company to ensure cross-manufacturer equipment compatibility.
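The self-applying update with report-back and rollback described in the list above, sketched as an added example that is not part of the original post. The two-slot (A/B) layout, the `Device` class, the self-test and the firmware bytes are all constructed for illustration, and the expected digest is assumed to come from a manifest the device has already authenticated.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Device:
    """Hypothetical device with two firmware slots (A/B layout is an assumption)."""
    device_id: str
    slots: dict                                   # slot name -> firmware bytes
    active: str = "A"
    reports: list = field(default_factory=list)   # stands in for messages sent upstream

    def _report(self, status, detail):
        # Every outcome is reported, including rejections and rollbacks.
        self.reports.append({"device": self.device_id, "status": status,
                             "detail": detail, "active_slot": self.active})
        return self.reports[-1]

    def apply_update(self, image: bytes, expected_sha256: str, self_test):
        # 1. Refuse an image whose digest does not match the (assumed
        #    already authenticated) manifest value.
        if hashlib.sha256(image).hexdigest() != expected_sha256:
            return self._report("rejected", "digest mismatch")
        # 2. Write to the inactive slot so the running release stays intact.
        previous = self.active
        target = "B" if previous == "A" else "A"
        self.slots[target] = image
        self.active = target
        # 3. Post-update self-test; a failure or an exception triggers rollback.
        try:
            healthy = bool(self_test(self.slots[self.active]))
        except Exception:
            healthy = False
        if not healthy:
            self.active = previous
            return self._report("rolled_back", "self-test failed")
        return self._report("updated", "self-test passed")


def constructed_self_test(firmware: bytes) -> bool:
    """Constructed health check: a valid header and no fault marker."""
    return firmware.startswith(b"FW") and b"BAD" not in firmware
```

The `reports` list is what a fleet operator would aggregate to see which of the 1,000s of devices updated, rejected the image, or rolled back.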
On an individual company level some companies are already providing solutions (http://www.thedrum.com/news/2015/02/03/bmw-patches-internet-things-security-flaw-stop-hackers-opening-car-doors). BMW applied the security patch when the vehicle first connects to the BMW Group server. It only affected 2.2m of the firm’s latest cars.