Systems that help run the Internet of Things may need a fixed life expectancy, says In-Q-Tel's security chief

CAMBRIDGE, Mass. — Among the many provocative points that Dan Geer, the CISO of In-Q-Tel, makes about embedded systems and supply chain risk, one stands out: The systems are immortal.

They are immortal in the sense that they can continue to function for years at an assigned task. “The longer lived these devices,” said Geer, “the surer it will be that they will be hijacked within their lifetime.”

“Their manufacturers may die before they do — a kind of unwanted legacy much akin to superfund sites and space junk,” said Geer. So something has to be done.

Geer raises the argument that embedded systems without a remote management interface “and thus out of reach, are a life form,” and “as the purpose of life is to end, an embedded system without a remote management interface must be so designed to be certain to die no later than some fixed time.”

“Conversely, an embedded system with a remote management interface must be sufficiently self-protecting that it is capable of refusing a command,” said Geer, speaking at The Security of Things Forum held here Wednesday. The event is organized by The Security Ledger.

“Inevitable death and purposeful resistance are two aspects of a human condition that I think we need to replicate” in these systems, said Geer.

In-Q-Tel is the U.S. intelligence community’s venture funding operation. It searches out start-ups with technologies that may help with national defense. Geer said he was speaking for himself at the forum.

The uses of embedded systems are multiplying, thanks in part to the Internet of Things (IoT). Creating IoT-enabled devices involves taking either existing or new machinery of any type and equipping it with sensors, connectivity and some computing capability for a predefined task — an embedded system. But IoT devices are also designed to communicate with other machines. Thus, the risk isn’t isolated.
“As society becomes more technologic, even the mundane comes to depend on distant digital perfection,” said Geer.

In terms of being more technologic, Geer points to the food pipeline, which he said has less than a week’s supply in it. But everything in that pipeline depends on digital services, from GPS-driven tractors, irrigation systems, robotic vegetable sorting and RFID-tagged livestock to supply chain logistics.

Is all this technological dependency, said Geer, “making us more resilient or more fragile?”

An embedded system has a dedicated task and may be paired with an application-specific integrated circuit, hardwired to do something specific. But it can also be paired with a more general purpose processor. It may include sensors and a wireless radio. An embedded system may run machinery in any industry imaginable, as well as in public utilities. Its use is expanding as device makers seek to connect and control a wide variety of things.

The risk is that embedded systems are also part of a technological monoculture. At one point that was Windows, but now the risk is in the smaller devices, Geer said.

“That combination, long-lived and not reachable, is the trend that must be dealt with and possibly even reversed,” he said.

“Whether to insist that embedded devices self-destruct by some predictable age or that remote management of them be a condition of deployment, is the question,” said Geer. He called it a national policy issue.

“In either case, the Internet of things, which is to say the appearance of network connected micro-controllers in seemingly any device that has a power cord or a fuel tank, should raise hackles on every neck given our current posture,” said Geer.

At a separate panel, Stacy Cannady, who specializes in hardware security at Cisco, talked about IoT devices and listed some of the problems that need to be addressed. Among those issues is the unique identity of devices.
Is there a way to establish some knowledge of the software and its configuration, and whether it can be trusted? she asked.

“We have a very basic set of problems to solve on a very large scale,” Cannady said.

Patrick Thibodeau covers cloud computing and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov or subscribe to Patrick’s RSS feed. His e-mail address is pthibodeau@computerworld.com.