1.22.19 – SIW – Ray Bernard, PSP, CHS-III

The Internet has evolved into much more than the information superhighway it was originally conceived to be.

Editor’s note: This is the 37th article in the “Real Words or Buzzwords?” series from SecurityInfoWatch contributor Ray Bernard about how real words can become empty words and stifle technology progress.

The Internet was originally conceived of as the “information superhighway,” a means for information to be shared globally. It was thought to be both the backbone and the nerve center of Cyberspace, which manifested itself on the screens of our late 90s personal computers and laptops. Cyberspace was the name given to the notional (i.e. existing as an idea rather than something physically real) environment that was the sum of the shared “mind spaces” of the people connected via the Internet. People would log into Cyberspace and interact there, forgetting for the moment about the physical world around them.

The World Wide Web was introduced to the general public in August of 1991, and a year later there were 130 websites. In 1994 there were 2,738; in 1995, 23,500 websites; and by 1996 over 100,000. By 2008 there were over 162 million, and now at the start of 2019 there are over 1.8 billion websites. However, many of those are just “parked” website domains, no longer updated but kept online for historical purposes or held as future investments, like empty real estate lots that speculators have bought, hoping someone will want to buy the website domain name from them.

Netcraft estimates that there are 172 million active sites (those that get regular changes). Less than one million of those sites account for 50 percent of web traffic. See the Internet Map, an interactive 2011 snapshot of 350,000 websites that lets you zoom in and out to compare the relative sizes of the largest websites. Figure 1 below is a screenshot of one view of it.

Figure 1. The interactive Internet map.

Now, however, the Internet has evolved substantially beyond the Cyberspace concept, and includes connected people and things. By connected people, I don’t just mean smartphone users. For example, there are several approved body-worn technologies for measuring blood glucose level – you may have seen one advertised on TV. These monitor blood sugar levels and send the data to a smartphone or other receiver. Such devices provide a continuous connection that is unrelated to social media or “going online” activity.

Automakers have been considering how and to what extent to enable autonomous “conversations” between vehicles on behalf of their owners, as well as for the sake of traffic safety and optimizing roadway usage. Safety of people and things is a big issue, and this is part of what drives device and people connectivity in many industries.

Where once there was a clear distinction between Cyberspace and our physical world, today much of our physical world and the people in it are controlled and influenced by what happens in and via Cyberspace. Cyberspace isn’t just a cyber thing anymore. We need a new name for it.

The Internet+

Internationally renowned security technologist Bruce Schneier has coined the term “Internet+” in his recently released book, Click Here to Kill Everybody. This is not to be confused with the Chinese government’s initiative launched in 2015 called Internet Plus (Chinese: 互联网+). That’s a separate subject and outside the scope of this article.

In a September 2018 interview with MIT Review, Schneier said, “I hated having to create another buzzword, because there are already too many of them. But the internet of things is too narrow. It refers to the connected appliances, thermostats, and other gadgets. That’s just a part of what we’re talking about here. It’s really the internet of things plus the computers plus the services plus the large databases being built plus the internet companies plus us. I just shortened all this to ‘Internet+’.”

Schneier further explained, “We’re already intimately tied to devices like our phones, which we look at many times a day, and search engines, which are kind of like our online brains. Our power system, our transportation network, our communications systems, are all on the internet. If it goes down, to a very real extent society grinds to a halt, because we’re so dependent on it at every level. Computers aren’t yet widely embedded in our bodies, but they’re deeply embedded in our lives.”

The key word in Schneier’s last sentence is “yet”.

Cybersecurity for Built Environments

Even more relevant to the physical security industry are the smart cities and smart buildings initiatives, which dramatically improve these built environments but also introduce levels of risk on a scale that we’ve never seen before. Think of what could happen in any smart city, where outdoor video cameras are used as sensors in the roadway traffic management system. What if a hacker halted traffic for just 15 minutes by turning all traffic lights red? Are the traffic management systems designed to recover from such a scenario? That’s doubtful. What would be the impact on police and emergency medical services? And although this scenario’s impact would itself be catastrophic, there are much worse scenarios to consider.

IoT devices and systems are not designed or deployed to the level of security that’s really required. There are no security standards or reference designs established. Vivotek, for example, has cameras and NVRs that ship with TrendMicro’s IoT security software installed. This is an excellent step for device security but is by no means the only thing needed. The physical security industry overall still has a long way to go. Twenty years after putting physical access and video systems onto networks, only a couple dozen companies provide product hardening guides or cybersecurity guidance.

Understanding Our Roles and Responsibilities in the Security Industry

Two books are required reading for manufacturers and service providers in physical security. The first I have already mentioned, Click Here to Kill Everybody. The second is another Schneier book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Chapter 16 is titled, “Negotiating for Security.” That chapter alone is worth the price of the book. Chapter 3 is titled, “Security Trade-offs Depend on Power and Agenda.” I give Schneier a lot of credit for being brave enough and astute enough to write in a helpful way about a dimension of security—organizational politics—that all security practitioners experience, but few talk about.

Here is the first paragraph in Chapter 3: “Most security decisions are complicated, involving multiple players with their own subjective assessments of security. Moreover, each of these players also has his own agenda, often having nothing to do with security, and some amount of power in relation to the other players. In analyzing any security situation, we need to assess these agendas and power relationships. The question isn’t which system provides the optimal security trade-offs—rather, it’s which system provides the optimal security trade-offs for which players.” Wait until you see what the rest of the chapter says.

I periodically re-read both books; each reading brings new insights and actionable ideas. Amazon provides Kindle Book versions for both.

These days there is a lot of discussion within the physical security industry about cybersecurity for devices and systems, but much less discussion about our roles and responsibilities relating to cybersecurity. This is a topic of discussion within the ASIS Information Technology Security Council, and I expect you’ll see council educational materials along that line both in upcoming documents and in educational sessions at GSX 2019. In the meantime, read these two books and put yourself in a better position to do something about our industry’s situation.

The Cyber-Physical World

The physical world we live in is now a cyber-physical world. And there is no going back. This is a subject that I’ll be writing much more about soon. As that material is published, I’ll come back to this article to provide links to insightful perspectives on the risks related to cyber-physical systems and Industrial IoT – the technologies that are cyber-activating the physical world we live in.

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.