The Internet of things (IoT) is just a series of smart home appliances, right? Getting them connected to the network is simple and just gives me a little extra control over setting the temperature of the house or controlling lights with my voice. Except the consumer use of IoT devices is dwarfed by the industrial and commercial use of them.
Think for a moment about all of the devices that you interact with on a daily basis but don’t realize how connected they are. Things like smart electric meters at your house. Or a network-enabled water meter. It could even be as complex as intelligent street lights or even the myriad of devices that exist in a modern hospital. Every medication machine or monitoring device that is hooked up to a patient is reporting something back to a system about the status of the patient. Modern technology has enabled us to have more accurate data about everything these devices monitor.
But what about the devices themselves? How can we ensure that we’re keeping up with everything the way that we should? Worse yet, how do we ensure that the things that are done to those devices are recorded and saved in perpetuity just in case we need to pull up that information in the future? And how do we do that for IoT devices that aren’t the easiest to access?
Truth In Things
During the 2020 RSA Conference, I had a few moments to stop and talk to the folks at Jitsuin about some of these challenges. They have a unique perspective on the market and how to address the concerns of keeping the IoT market secured. They apply methods of building digital twins for IoT devices and use those as a baseline for securing them and building out an infrastructure that ensures the cybersecurity supply chain.
They hooked me with a very interesting idea when I first started talking to them. When I think of IoT devices, I tend to think of stuff in the healthcare market. These are some of the most complicated devices out there with some of the most stringent regulation there is. And yet I was still not quite getting the whole picture, as Jitsuin pointed out. What about a pacemaker? These devices are simple enough in theory, as referenced at the linked Wikipedia article. But modern pacemakers contain a wealth of data that can be given to systems and interpreted. They can use Bluetooth to offload control data to a mobile app that allows for fine-tuned control.
However, as we all know, introducing a connectivity option to a device means you’ve increased the attack surface of that device. And unlike the network connection on my clothes dryer or my lightbulbs, there are some severe consequences for a pacemaker outage. Could you imagine the chaos that could ensue if someone were to craft a Bluetooth exploit for a pacemaker? All you would have to do is walk by someone and you could give them a heart attack!
Jitsuin helps you figure out the difficult process of testing these devices and ensuring they are updated and secured against these issues. By building a digital twin of the pacemaker, they can test patches for the devices without needing to pull every individual one there is. The digital twin acts just like the physical device. And in order to ensure that nothing has happened to the physical twin, Jitsuin has a tool called Archivist that can verify all of the statuses of the device. Archivist can report on vulnerabilities, updates, and even when the device was restarted. You’d definitely want to know if your pacemaker restarts!
Archivist is also a crucial part of regulation. Use of modern ledger technology means that Jitsuin has a permanent, immutable record of all of the actions performed on a device. That’s the kind of audit trail that makes regulators salivate. Now there’s no question about when an update was performed. There’s no need to worry about whether or not an update was performed or a bug was closed. With Jitsuin Archivist, you can see exactly what was done when and by whom. That ensures that you can prove what you need to prove when the time comes to do it.
Bringing It All Together
The world of IoT security is brave mostly because the idea of trying to keep up with billions of new devices is a logistical nightmare. We need to have tools and platforms that allow us to rapidly contain the possibility that devices could be exploited and reprogrammed before we can get them updated to avoid these outcomes. Companies like Jitsuin see the potential in using new technology and methods to make this all happen. Archivist allows you to have irrefutable evidence of what happened and when it occurred. You can take that information as the stone-cold truth whenever anyone asks. And that kind of reliability is the foundation for a strong IoT strategy.
