Government guidelines and regulations have an important role to play in ensuring the safety and security of our computer systems. That is particularly true for two classes of devices: IoT and industrial control.
IoT devices are intended to be installed and used by non-experts with little or no setup. Unfortunately, many manufacturers have tried to fulfill this goal by either not providing security features or by setting their defaults to little-to-no security. Consumer protection mechanisms can be used to set minimum security standards for IoT devices. IoT security can directly affect consumer safety if, for example, a hijacked device is used to enable a burglary. IoT security also indirectly affects consumer safety given that IoT devices are easily hijacked for use in attacks on other structures.
Industrial control systems are run by people whose responsibility is making stuff, not configuring secure computer systems. A variety of regulatory mechanisms exist to manage safety of industrial systems. We have already seen NIST promulgate guidelines for smart grid security; we could use similar efforts in other domains.
Various agencies in the U.S. and Europe have made progress on guidelines for security of various types of computer systems. But I think that a more unified effort that cuts across application areas will also be required. While each application has its own characteristics, many CPS safety and security techniques are widely applicable. Issuing separate standards across multiple domains results in wasted motion that could be used more effectively. Stovepiped standards also could lead to less-than-best-practices being used in some domains.
This will be my last post in this Lessons series. But that doesn't mean the problems have been solved. We all have a lot of work to do to ensure the promise of a computerized world.