As counterintuitive as it may seem, computer viruses may be a good thing. Sure, getting a virus on your computer right when you need to do some critical task isn't good. But computer viruses may have an important role to play in the long-term quality and reliability — the "health" — of computers, communications systems and eventually all technology-enabled "things."
Just like their biological counterparts, computer viruses bring with them challenges, including the same range of risks from nuisance to death. Yes, computer viruses can cause death. If viruses infect life-critical (power, water, medical) or infrastructure-critical systems, the death of the computer system and, consequently, of the humans who rely on it is possible and likely to happen in future attacks.
As we expand computing into nearly every aspect of our lives and link these systems together with the Internet of Things (IoT), we are inadvertently building networks that facilitate the rapid spread of viruses and other malign software.
Virus origins
In the past, technological problems were limited to individual devices. In particular, computer viruses were limited to systems that the virus could be placed on or migrate to at the time of manufacturing. Historically, we call these "embedded systems." Such systems were — and in some cases still are — "embedded" in everything from microwaves and toys, to ovens, alarm systems, cars, airplanes, trains, etc.
Even before the coming IoT wave, we have increasingly networked devices to allow for easier maintenance, upgrades, new features and sharing of information. An outstanding contemporary example is the 2GIG alarm system.
This touchscreen home security and automation system is software-upgradeable (via a USB cable or over the air via a cellular interface). 2GIG's software-based alarm and automation panel allows the company to add new features over time. Weather updates and home automation have already been added. New features for home energy management are being delivered this year.
Whether it's home automation, building management systems (BMS), supervisory control and data acquisition (SCADA), your car or truck, or any new IoT-enabled device or system, connectivity increases the value of data. Just as with our current use of the Internet, that connectivity brings with it the risks of viruses, malware, attacks and other vulnerabilities.
Each new form of connectivity brings risks. Hackers have created portable devices that use wireless bridge access to the controller area networks (CANs) used in vehicles (designed for maintenance). They can easily unlock a car (in seconds), enabling theft of the car or, more likely, of the contents within it. Similar tools are emerging for Z-Wave, allowing easy unlocking of the door locks now commonly being installed in homes.
Striking a balance
Approaches to vulnerabilities vary from denial (as we often find in the SCADA and BMS businesses) to more creative approaches. In the case of 2GIG, they have (so far) elected not to expose an Internet-enabled interface for consumers. Network-based services — such as monitoring, viewing images, remote control and weather updates — are all performed through specifically authorized and approved third parties that sell these services.
It's a delicate balance. On the one hand, having extended the alarm panel well beyond one-time programming as a dumb keypad opens the door to larger business opportunity, greater convenience for consumers, and more stickiness for dealers and alarm service (monitoring) providers. On the other hand, 2GIG has also distanced itself from the IoT and from an even greater opportunity for growth beyond the "walled garden" approach.
We know, historically, that the "walled garden" approach can have benefits during the early adopter phase. AOL's walled garden provided parental controls, security and organization of online content that was useful to introduce the Internet to mass adoption. But, as we know from IBM, AOL, Microsoft, Apple, etc., keeping the walls too high or for too long can hurt the relationship with consumers, distribution partners and other market participants.
The day will come when viruses and other malignant counterparts will take out your heat on a cold winter day, melt your ice cream in the freezer, burn your food in the microwave or lock you out of your own house. These are not possibilities; they are certainties. Not for you as an individual, but in general, these things are going to happen.
These kinds of events will become as commonplace as other crimes. And like other crimes, many will go unsolved. Most will be a nuisance, some will be personal and hurtful or injurious, most will cause financial damages, and some will cause far greater personal injury or death to individuals, households, businesses or entire communities.
Finding the good
How can any good come from this? As with their biological counterparts, computer infections are generally a bad thing, but the unintended side effects may be helpful. The most obvious is that infections reveal vulnerabilities. The degree to which we can see the vulnerabilities may help us learn lessons to improve our defenses.
Over time we will gain experience. That experience will be translated into systems and methods for defending our devices and systems — an immune system, if you will. We may learn to avoid certain things that are regularly problematic. Our systems will also learn to avoid certain pitfalls.
The defensive mechanisms that we already use are modeled after biological systems. For example, many current defenses are based on the location from which an action occurs. When signals in a network come from outside of a network, they are subjected to scrutiny. But within a network they are often assumed to be trusted.
This can lead to vulnerabilities such as viruses that don't transit into a network, but originate from within a network. Infiltration mechanisms, again like their biological counterparts, can be based on spoofs (this is common among biological pathogens), portable media or piggybacked on other legitimate software or signals. Future innovations are likely to improve upon these defenses with even closer similarity to biological defenses.
Future possibilities
As with their biological counterparts, every protection mechanism can be met with a new offense. If you design a system that is "foolproof" to never turn off the heat while you are home, you've created a means for hackers to turn on the heat without getting access to your heating system. They need only convince your system that you are home by spoofing inputs such as motion detectors or identity mechanisms.
Imagine the possibilities for "good" IoT, BMS and SCADA viruses:
- A "crazy green programmer" who writes a virus that covertly infects HVAC systems and controllers (like the NEST controller or a Z-Wave controlled thermostat) secretly lowering the heat in the winter or raising the temperature in the summer to reduce energy consumption and carbon emissions (and thereby reducing your expenses as well).
- A telecommunications service provider writes a virus that reroutes voice or data services over their (lower-cost) infrastructure in place of the voice or data service operator you have defaulted to or selected.
- An online music service covertly scans your computer to identify music you own and sets up a cloud service with your music collection, offering you free online access to your music collection (in the hopes of earning your business for future purchases).
- A retail fuel service (oil or propane for example) covertly identifies that your tank is low and dispatches a delivery driver who preemptively shows up at your doorstep offering to fill your tank at a cost lower than your current or usual service company.
- A light bulb manufacturer writes a virus that finds light bulbs they've manufactured and turns off power to the bulbs when it detects that there is no one in a room. They do this to increase the average life of the bulb so they can market the longest life bulbs in the industry.
Of course, it is possible to imagine many viruses (and other software including malware) that have no benign effects or side effects.
For any imaginable agenda, there are possible viruses and malware that could directly or indirectly serve those interests. Although many of the consequences of their biological counterparts have been discovered, computer viruses differ only in the degree to which they are engineered or designed to achieve specific ends. But it is the unintended consequences that are likely to be both the most challenging and potentially the most beneficial.
Changing our approach
We are going to need to evolve our thinking from a purely defensive stance to a more creative and adaptive model that automatically examines and potentially reacts to anomalies rather than monitoring every possible packet or data communication.
Imagine if our bodies had to inspect every molecule we breathed, ate, drank or touched. That is analogous to what most computer and telecom security (firewalls) does: it "inspects" every packet or byte that passes by or is placed on a system.
The likely scale of IoT is far larger than all of the traffic on the Internet (and within our homes and businesses) today. Brute force security will have its place, but will always be limited to what we know and expect. It is also limited in scale. Brute force simply cannot keep up with the volume of data (as with the human biology analogy).
If we shift to models used in biology that detect anomalies and are adaptive, such systems may not only react faster to threats but are also likely to find more viruses and adaptations to deal with them. These may have beneficial effects that strengthen the security, reliability and utility of technology that we rely on for health, safety and welfare.
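To make the adaptive, anomaly-based model described above concrete, here is an added example (not part of the original article) that learns a per-device baseline of message rates and flags departures from it, next to a single fixed limit for contrast. The device names, per-minute counts and tuning parameters are constructed assumptions.

```python
import math

class AdaptiveBaseline:
    """Per-device exponentially weighted mean/variance of a traffic metric."""

    def __init__(self, alpha=0.1, threshold=4.0, warmup=5, min_std=1.0):
        self.alpha, self.threshold = alpha, threshold
        self.warmup, self.min_std = warmup, min_std
        self.state = {}  # device -> [mean, variance, samples_learned]

    def observe(self, device, value):
        """Return True if value is anomalous for this device's own history."""
        s = self.state.setdefault(device, [float(value), 0.0, 0])
        mean, var, n = s
        std = max(math.sqrt(var), self.min_std)  # floor avoids a zero-width band
        anomalous = n >= self.warmup and abs(value - mean) / std > self.threshold
        if not anomalous:
            # Adapt only on normal samples so a burst cannot retrain the baseline.
            diff = value - mean
            s[0] = mean + self.alpha * diff
            s[1] = (1 - self.alpha) * (var + self.alpha * diff * diff)
            s[2] = n + 1
        return anomalous

def find_anomalies(samples, **params):
    """Return (index, device, value) for each sample flagged by the baseline."""
    detector = AdaptiveBaseline(**params)
    return [(i, d, v) for i, (d, v) in enumerate(samples) if detector.observe(d, v)]

def fixed_limit_alerts(samples, limit):
    """Contrast: one static limit applied to every device alike."""
    return sum(1 for _, v in samples if v > limit)

# Constructed sample data: messages per minute from two hypothetical devices.
THERMOSTAT = [4, 5, 4, 6, 5, 5, 4, 5, 60, 5]                    # burst at minute 8
CAMERA = [120, 118, 125, 119, 122, 121, 117, 124, 120, 123]     # busy but normal
SAMPLES = []
for t, c in zip(THERMOSTAT, CAMERA):
    SAMPLES += [("thermostat", t), ("camera", c)]

if __name__ == "__main__":
    print("adaptive:", find_anomalies(SAMPLES))
    print("fixed limit of 50:", fixed_limit_alerts(SAMPLES, 50), "alerts")
```

The adaptive baseline flags only the thermostat burst, while the fixed limit also alerts on every normal camera sample.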