Why predictable cyber security practices are less secure

bad-cyber-security-practices

Have you ever tried to catch a fish with your bare hands? I have, and it is nearly impossible. By the time your hands enter the water, the fish has already moved away. What makes this near instantaneous reaction possible is the fish’s escape response.  When a fish detects a predator approaching, it does a quick risk assessment. If the risk crosses a threshold, then a canned special escape mechanism called “C Start” is triggered. “C start” is extremely quick. However, it is also predictable. This predictability enables some predators to “hack” the fish’s escape. This hack is most notable in tentacled water snakes from Southeast Asia. The snake uses its body to startle the fish. Then, instead of tracking the fish’s movement, the snake strikes where it anticipates the fish’s head will be. Needless to say, because the fish’s reaction is so predictable, the snake almost never misses.

Nature also uses some more complex escape strategies. Research on mammals indicates that the prey animal’s reaction depends not only on the presence of the predator, but also on the distance and speed of the predator’s approach. If the predator is approaching very fast and is already very close, the animal will use a default technique to escape — essentially, it will run as fast as possible. However, if the predator is further away, then the prey’s reaction is more considered and varied. Under these conditions,  animals rarely use their maximum speed and rely instead on suddenly changing direction to evade capture.

Complex threat response

All this is interesting, but what does this have to do with technology? As with wildlife, isolated security mechanisms, however effective, are inherently insecure as they become predictable. Their predictability makes it possible for people to “hack” the security.

Layered security, on the other hand, is like a complex threat response. It introduces unpredictability that makes it much harder to subvert the system.

Hollywood for one, has made numerous movies that hinge on this flaw. You often see the heist being made possible (Mission: Impossible, Ocean’s 11, 12 . . . and so on) by first triggering a security response and then hacking the response. In Mission: Impossible – Fallout, for example, the heroes  block city streets to divert the target to a deserted route where they can ambush it.

Unlike other domains like web, smartphones and desktop where security has been evolving for decades, the internet of things (IoT) is relatively new, with few standardized security protocols. It is easy for an IoT device manufacturer to settle for securing the device using a relatively predictable mechanism that may be extremely effective in a different domain. However, this security mechanism may not safeguard IoT due to new vulnerabilities introduced by how these devices are manufactured, installed, operated and decommissioned.

Enterprise-cyber-security-levelsAt the same time, IoT devices, including operational technology (OT) systems that manage the industrial Internet of Things (IIoT), hold phenomenal potential to increase efficiency and transform industries. Avoiding the IoT revolution due to its potential risks would be like “throwing out the baby with the bath water.” In order to stay competitive, we need to constantly evolve and adopt new technologies like IoT while protecting ourselves from any potential risks.

Here are three ways to decrease the predictability and increase the security of IoT devices:

  • Device manufacturers need to accept that just like traditional software, IoT devices have and will continue to have security vulnerabilities that require constant vigilance and enhancement. Even IoT devices that perform simple and isolated tasks like controlling the air conditioner in an office or the entertainment system in a car can become a threat vector if not properly secured. IoT devices need a layered security model where the security does not rely on a single mechanism, but on an ecosystem of security mechanisms that come together to secure the device throughout its lifecycle.
  • When deploying IoT devices, we need to be cognizant of their unproven security and make provisions for potential security breaches. This means treating the IoT devices as insecure. This should include, but not be limited to, network isolation, message encryption, message signing, device certificates and physical security.
  • Industry bodies need to evolve and drive adoption of security protocols and practices specific to IoT devices. Ability to test and prove IoT devices and their management process against an established standard will give industries the confidence to accelerate the adoption of IoT in their core business.

New security threats are constantly evolving. It is impossible to build a system that is immune to all current and future threats, but it is crucial for organizations to assess vulnerabilities across both IT and OT systems. Even in nature, despite the unpredictability and complexity of response of prey animals, the predators eventually do succeed.  However, the victim tends to be the weakest and slowest animal of the herd. To survive, the animals do not need to outrun the predator, they merely need to outrun someone else in the herd. Similarly, security does not need to be perfect, it just needs to be better than average. This will ensure that we are not the most convenient target for hackers. Layered security that keeps potential hackers off guard will go a long way toward outrunning and outsmarting threats.


Amitabh Mathur is a technology enthusiast who brings together the curiosity of a child with the knowledge and experience of someone who has spent way too much time in the IT industry. Finding new ways to apply a mix of technology, science and process-based approaches to a problem is what keeps him excited. He started his career as an entrepreneur in India, developing diverse solutions like voter ID cards, Indian Language support and interactive voice response. Over the years, he has worked in various industries (finance, healthcare, education and government) and countries (India, USA and New Zealand).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: