Michael Smith is the security chief technology officer, Asia Pacific & Japan, at Akamai, a company known for protecting websites, authoritative DNS, and its supporting infrastructure.
With 18 years of experience in the IT security and intelligence sector performing security design and engineering, information assurance, web development, and security testing, Smith discusses the role of the Internet of Things (IoT) and Operational Technology (OT) in today's technology landscape, particularly in Australia.
I think most people have a limited view of IoT or “Internet of Everything” (IoE) or “Operational Technology” (OT).
The first thing that comes to mind is personal technology, devices in our homes. We look at things like Wi-Fi connected water kettles and think that it’s absolutely silly.
But there is a different story about places where it does make sense to connect devices to a network.
The World Economic Forum has called IoT/OT the 4th industrial revolution because adding sensors and controller logic to regular production processes means a huge increase in output in most industries. We’ve been doing things similar to IoT for a while already.
Inside healthcare, there are a lot of diagnostic and imaging machines that feed information back into patient records. Industrial Control Systems (ICS) for water and power grid have a similar feel but maybe at a different scale.
Even inside of the physical security world, we’ve connected cameras to a digital video recorder (DVR) to store many days’ worth of video in case it’s needed as evidence in an investigation.
I recently attended the Cyber Threat Summit in Sydney and it was amazing to me how polemic IoT is right now.
On one hand, we have people who predict that the world will entirely change for the better in the next 5-10 years because of the increased productivity.
And on the other hand, there are lots of security people saying, “Why would you do this, it’s drastically insecure?”
I take a more pragmatic view in that I realise that when you increase network connectivity you increase attack surface and increase risk, but the network also provides resources to manage that risk. We saw this with desktop computers when they started to get connected to Local Area Networks (LANs) without the appropriate security features.
As a result, we had several years of huge worm outbreaks until we figured out how to build patching servers, get patches rapidly deployed, push a security policy to the desktops, and reduce the level of trust in the local network.
I think we’re at a similar time now with IoT, where we don’t really have the security and management ecosystem that we have in other areas.
For every technology, the first generation is always built as a minimum viable product and that means it doesn’t have many security features. Generation 2 usually has the big security features and Generation 3 is where most of the security issues are solved. We’re still going to have security incidents, but we’re constantly adding new technologies to minimise the frequency and impact of them.
Gartner predicts that there will be 20.4 billion ‘connected things’ by 2020.
This explosion of IoT devices represents a huge change in the number of network connections and the scale at which we have to protect devices.
At Akamai, we talk a lot about DDoS attacks using IoT because of Mirai and other bots that were seen in late 2016 and early 2017, but they aren’t the only potential abuse of connected devices.
There are other attacks like poisoning DNS in home routers, eavesdropping on conversations and password sniffing. You don’t hear much about these, but they are possible and I expect them to be happening if they are not already.
There are also other risks with IoT such as privacy and worker displacement, but the biggest concern is in security.
If you look at the Mirai botnet, it was a combination of many factors: devices running as miniature Linux servers using the same operating system password and with remote login services enabled; Universal Plug and Play (UPnP) and its Simple Service Discovery Protocol (SSDP), enabled by default on home routers to open firewall holes and allow device services to be accessed over the internet; and Internet Service Providers (ISPs) that don’t block network connections going to their broadband users.
Akamai’s competitive edge is our global footprint, industry expertise, and deep subject knowledge - all delivered locally in Australia to an Australian market. We deliver websites for most countries and most industries ranging from government to e-commerce to financial services to high technology and news.
Locally, we support all the major Australian banks, e-commerce merchants, travel and hospitality companies and news outlets, as well as several high-demand government websites.
We’re seeing attacks here that we’ve seen elsewhere around the world for many years, so by the time they start attacking our Australian customers, we have the necessary experience in detecting and blocking the attacks.
We’re constantly looking for ways to use our strengths to help our customers. One of the ways that we use that experience is what we’re doing with data.
We have a platform, called Cloud Security Intelligence (CSI), that we regularly feed attack data to. We’re one of the few companies that have a large enough customer base to sample attack data across the majority of the Internet.
Through CSI, we’ve created a client reputation database so that our customers can learn anonymously about attacks against our other customers.
For example, if we’ve seen this source IP address attack Customers A, B, and C, when they come to Customer D, they’re most likely also malicious, so we can block it on behalf of our customers. We’re also expanding our client reputation database to detect account takeover activity, fraud, and scrapers.
Overall, we’re in a great position to help Australia and as a result, we’ve seen our business double in the last two years. We’ve acquired new technologies and in many cases, we’re the fastest growing country across the region of Asia for the technologies we sell in, and in the world.
Last year, we added a scrubbing centre in Sydney so that our Australian customers could operate with our Prolexic solution with minimal latency for domestic users and as an always-on solution.
Our next step is in the direction of solutions for enterprises to manage their users and endpoints and we’re about ready to announce some initial offerings in this space.
That is a completely different approach for us, and in the next five years, we will be a significantly different vendor than what people are used to.
This interview is continued in part 2.