William Jackson | How secure is an all-IP networked world?
Cybereye ' commentary
- By William Jackson
- May 12, 2008
It often is difficult to use the same Internet Protocols intended for larger, more managed environments in networks that tend to lose a lot of data and drop packets. So the Internet Engineering Task Force (IETF) has established a working group to establish IP routing standards for low-powered and lossy networks.
'We already have a body of routing protocols' designed for different environments, such as backbones and local-area networks, said David Culler, chief technology officer at Arch Rock, of San Francisco, and co-chairman of the working group. The group will address embedded systems with limited power, memory and processing resources. 'The needs of these are very different from the backbone, but they have to work together.'
On hearing of this effort, I immediately thought, 'What about security?' Do we really want to make it easier to remotely access networks that control manufacturing processes, building systems and municipal services?
Apparently, I am not alone in this concern. 'I think the idea of connecting all electronic devices to a single network is dangerous,' one reader wrote. 'In fact, there is little or no reason for the lighting system in my building at work to talk to, and be controlled by, a person looking for recipes for lemon tarts.' The real danger is that critical services, such as a runway lighting system, could be hacked by anyone who could get access to the wireless sensor controlling it.
This is a legitimate concern. The interoperability and ubiquity that in only a handful of years have made the Internet such a powerful and valuable resource have also made it a playground ' originally for imaginative and mischievous hackers, now for organized criminals and tomorrow maybe for terrorists. Do we want to invite them into our control and data acquisition systems?
As with many security questions, there is no simple yes-or-no answer. It will depend in each case on the trade-off between functionality and security. But it is important to remember that IP is not necessarily a welcome mat for hackers, and proprietary systems are not inherently isolated and secure.
Culler said IETF requires its standards to address a set of security issues. IP security has proved to be less than perfect when it is not built into the standards from the beginning, but there is no reason why adequate security cannot be built into an IP standard if the issue is addressed from the beginning. At the same time, the robust set of security tools, including antivirus, firewalls, and intrusion detection and prevention systems, developed for the IP world do not work with proprietary protocols used in many embedded networks.
Isolating these embedded networks sounds like a good idea, but to use any network you must access it somehow. Many of these systems already are connected to IP networks through protocol translation gateways and proxies, and these devices often are running common operating systems that are themselves vulnerable to exploitation. Using a simple router could make it easier to connect with these networks securely.
Using IP on a network does not automatically make it accessible from the Internet, although in reality the odds are good that somewhere there will be a path to the Internet. And keep in mind that in this environment of increasingly targeted attacks, running a proprietary protocol is not necessarily a good defense.
All of this being said, it remains true that a uniform environment presents risks that must be taken into account if administrators consider bringing data acquisition and control networks into the IP universe. How critical is the network? What are the benefits of making it IP accessible? Can it be patched and upgraded without interrupting operations? Can it be adequately secured and isolated?
Industry-standard and proprietary protocols are not going to disappear for special uses, but having an option for expanding open-standard IP to new environments is not a bad idea.
William Jackson is a Maryland-based freelance writer.