Embedded systems are a 'life form'
Systems that help run the Internet of Things may need a fixed life expectancy, says In-Q-Tel's security chief
Computerworld - CAMBRIDGE, Mass. -- Among the provocative points that Dan Geer, the CISO of In-Q-Tel, makes about embedded systems and supply chain risk, one stands out: The systems are immortal.
They are immortal in the sense that they can continue to function for years at an assigned task. "The longer lived these devices," said Geer, "the surer it will be that they will be hijacked within their lifetime."
"Their manufacturers may die before they do -- a kind of unwanted legacy much akin to superfund sites and space junk," said Geer. So something has to be done.
Geer raises the argument that embedded systems without a remote management interface "and thus out of reach, are a life form," and "as the purpose of life is to end, an embedded system without a remote management interface must be so designed to be certain to die no later than some fixed time."
"Conversely, an embedded system with a remote management interface must be sufficiently self-protecting that it is capable of refusing a command," said Geer, speaking at The Security of Things Forum held here Wednesday. The event is organized by The Security Ledger.
"Inevitable death and purposeful resistance are two aspects of a human condition that I think we need to replicate" in these systems, said Geer.
In-Q-Tel is the U.S. intelligence community's venture funding operation. It searches out start-ups with technologies that may help with national defense. Geer said he was speaking for himself at the forum.
The uses of embedded systems are multiplying, thanks in part to the Internet of Things (IoT). Creating IoT-enabled devices involves taking either existing or new machinery of any type and equipping it with sensors, connectivity and some computing capability for a predefined task -- an embedded system. But IoT devices are also designed to communicate with other machines. Thus, the risk isn't isolated.
"As society becomes more technologic, even the mundane comes to depend on distant digital perfection," said Geer.
In terms of being more technologic, Geer points to the food pipeline, which he said has less than a week's supply in it. But everything in that pipeline depends on digital services, from GPS-driven tractors, irrigation systems, robotic vegetable sorting and RFID-tagged livestock to supply chain logistics.
Is all this technological dependency, said Geer, "making us more resilient or more fragile?"
An embedded system has a dedicated task and may be paired with an application-specific integrated circuit, and hardwired to do something specific. But it can also be paired with a more general purpose processor. It may include sensors and wireless radio. An embedded system may run machinery in any industry imaginable, as well as in public utilities. Its use is expanding as device makers seek to connect and control a wide variety of things.
The risk is that embedded systems are also part of a technological monoculture. At one point that was Windows, but now the risk is in the smaller devices, Geer said.
"That combination, long-lived and not reachable, is the trend that must be dealt with and possibly even reversed," he said.
"Whether to insist that embedded devices self-destruct by some predictable age or that remote management of them be a condition of deployment, is the question," said Geer.
He called it a national policy issue.
"In either case, the Internet of things, which is to say the appearance of network connected micro-controllers in seemingly any device that has a power cord or a fuel tank, should raise hackles on every neck given our current posture," said Geer.
At a separate panel, Stacy Cannady, who specializes in hardware security at Cisco, talked about IoT devices and listed some of the problems that need to be addressed. Among those issues is the unique identity of devices. Is there a way to establish some knowledge of the software and its configuration, and whether it can be trusted? she asked.
"We have a very basic set of problems to solve on a very large scale," Cannady said.
Patrick Thibodeau covers cloud computing and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld.