Coffee with the Council Podcast: Internet of Things Security in Payment Environments

Welcome to our podcast series, Coffee with the Council. I’m Alicia Malone, Senior Manager of Public Relations for the PCI Security Standards Council. Recently, our organization teamed up with the Consumer Technology Association to issue a joint bulletin on a very important topic, security surrounding the Internet of Things, or IoT. Joining me today for this episode are Andrew Jamieson, Vice President of Solution Standards at PCI Security Standards Council, and Mike Bergman, Vice President of Technology and Standards at the Consumer Technology Association. Welcome!

Mike Bergman: Thank you, it’s a pleasure to be here.

Andrew Jamieson: Thank you, very happy to talk.

Alicia Malone: So, the Internet of Things is an interesting topic because more often now we see it becoming a major part of our modern daily lives. So, when we talk about IoT, we’re really talking about smart appliances or devices, right? Everything from a refrigerator or toaster to security cameras, and home heating and cooling systems. Everything is becoming smart these days. So, let’s start by talking a little about why the two of you teamed up to draft this joint bulletin on the importance of securing these devices. And, Mike, we can start with you.

Mike Bergman: Great, yeah, thank you. I have to say, it’s almost trite now to say that everything is connected. I think we’ve all understood that for a while, but the extent sometimes, we kind of miss it. It’s everything: industrial control systems, security cameras, consumer printers, thermostats, farm tractors. Almost nothing is being left out of this picture. Pills that you can swallow. It’s amazing. One of the driving forces for the 5G mobile broadband system was to increase the connectivity so that even more devices can be connected. And when you have inexpensive, low cost, low power 5G connectivity available for individual devices, now you’ll see even more things getting connected. So really, it kind of behooves us to look at what risks we’re introducing with this massive connectivity of our environment.

Andrew Jamieson: Yeah, I think that’s a really good point. From the point of view from why we have approached this is exactly about that: the fact that you have all of these different devices that are connected, and increasingly, they’re becoming part of corporate networks, as well as home. I mean, we tend to often think of IoT as a home thing, you know. Your connected toaster is an example or a connected television. As you say, it’s thermostats, it’s access control systems, monitors or televisions that are used in board rooms and so forth in networks. These are things that are being deployed and can have an impact on the security of the network.

And so, it behooves us to think about it not only from a consumer point of view, but from the point of view of, you know, if we’re deploying these things, we’re having these things being deployed into networks, how does that effect the security of the overlying network? And from, you know, the Council’s point of view, how does that effect the security of your cardholder data environment, systems that may provide security to your cardholder data environment? That’s certainly something we’re concerned about. That evolution from things that are novel to ubiquity is, you know, a path that we’re well along the road on, and we need to think about these things – not that it comes too late – but before it becomes too much of an issue we need to address at that point.

Mike Bergman: That’s very true, Andrew. And one of the things about this partnership has been my organization, the Consumer Technology Association, has been working in general connected device security topics, whereas you folks are the specialists and the experts in the payment card and payment systems world. And so, it’s been gratifying to, you know, sort of like bring ours to the table, but also learn from what you guys know and understand a little bit more about your part of the world, so that we can build a better product together.

Andrew Jamieson: Exactly right. I think it does come down to that expertise in core areas. You guys and the people you use for your consensus standards, they’re experts when it comes to these devices, you know, these IoT systems, and, you know, we’ve got the experience with payments. I think it’s a great match.

Alicia Malone: Mike, since you are all about consumer technology, can you give us a little background and understanding of IoT devices? How have they evolved over time? And what can you tell us about how secure consumers are in using them?

Mike Bergman: Absolutely. We’ve been connecting things up since the early ’90s. The first example of a connected device was a toaster. I remember this going by – I’ve been in the industry long enough to see this. And it was a project where someone wanted to demonstrate an internet protocol and how powerful this internet protocol was, and how it could actually go out there and tell something to do something. And so, they connected up this toaster for a paper that they presented as shown. And everybody was very amused, Oh look, hey, he’s got a toaster that’s connected to the internet. I believe the following year, they connected up the restrooms in their building for that particular company to show from an app, you could see whether or not the restroom is occupied.

And this was all very amusing at the time. And well, we’re around 10 years later. We had RFID devices – radio frequency identification devices – of objects. So, you know, you see this now as very, very common that you have some chip in a product or even a pet that can be remotely identified. And at that time, the connection of things to the internet triggered this idea of the Internet of Things. So, 1999 is when we first started saying Internet of Things. Ten years after that, there were less than two connected devices per person. That’s about 2010 now. That’s a Cisco statistic.

But now we’ve seen this evolution as the cost of connecting things has come down, as the ease of connecting things has gone up, everything is connected. As I mentioned in the beginning of this talk, ink jet printers are a great example. You can access your ink jet printer from your laptop. Well, it’s actually on the internet and on your home network simultaneously in most configurations. Your robotic vacuum cleaner, your video doorbell, fitness trackers connect up to the internet through the smart phone. Phones are connected to the internet. We’ve gone from two connected devices per person in 2010. If you look across it globally, it doesn’t sound like a lot more, but if you look at the North American market, I believe the number is something like 20 connected devices per person. If you just walk around your house and think about what’s connected, your smart TV, again, your printer, your phone, the router, any kind of security system you have, all of these things are connected.

Now, this evolution of connectivity came about in part because of Linux. Linux is the open-source operating system created by Linus Torvalds, and because it’s so easy to use and it includes a complete internet stack, it’s easy to integrate a Linux Kernel on your hardware product. Most moderately powered processor chip sets come with a reference package that includes a Linux implementation. And then you can drop an application like a security camera application on top of that Linux operating system, and you’ve got a product. The reality is that you can start with a reference board from a company like Intel or one of the ARM producers, and go from there, pull down a Linux operating system from the manufacturer, from the reference website, and have that up and running in about, oh I don’t know, five minutes. And then go out on GitHub, the open-source software repository, and get an application that runs on Linux and drop that onto the same board. I mean, literally in less than an hour, you can have proof of concept of your product.

This would’ve been unheard of prior to all of the open-source opportunities that we have now. To build up something like an internet protocol stack, that’s quite difficult, but it’s part of Linux. It’s easy to get as open-source. So, this is part of this evolution. We have so much more connectivity because it’s so much easier to do. A start-up company of 12 people can take those steps that I just mentioned and then show off their cool new product to an investor literally the same day. So, this type of speed of development, low cost of development, and massive scale has made it possible to connect up all these devices.

The downside of all of this is, because we’re using common software, various versions of the Linux Kernel, we’re using operating systems so commonly, and these applications are reused over and over again. For example, the baby monitor or video camera application are reused over and over again, and then a single company might make one version of the product and label it differently for different brands that are sourcing it from the manufacturer, we end up with a lot of homogeneity in the marketplace. So, there’s a lot of commonness between the code for dozens of different, let’s say, baby monitors. That’s an opportunity for the hackers. If they figure out how to get into one, they’ve gotten into all of them.

And so, this is part of the evolution. We’ve gone from the toaster in 1990 all the way to this massive global ecosystem where we have a limited amount of software out there, and one model might be hundreds of thousands of devices in the installed pace, all possible to compromise with the same hacks. So, it’s been an amazing journey that has gotten us to ubiquity of connected devices, but also that ubiquity has brought with it this risk of compromise.

Alicia Malone: So, this brings me to Andrew. What does IoT security have to do with payment security?

Andrew Jamieson: Well, I think Mike gave a very good example of how things have grown over time with IoT and so forth, and I mentioned earlier that because of that, we’re seeing these systems deployed in commercial networks, and that’s really what it comes down to from our point of view. There’s a couple of avenues that interest us that we have interest in when we look at this from a security point of view. One of them is that when Mike was talking about the fact that it’s very easy to grab open-source software, Linux, other distros, other operating systems are open source, pop them into IoT systems and build up demonstrable examples very quickly, a lot of software is out there. A lot of software exists at the moment. The more we can do to make that software secure, the more secure everybody is across the world, regardless of what they’re doing.

I think, you know, at this stage of the pandemic, if I can head off on a tangent for a second, we’re all very familiar with the concept of herd immunity. Although the analogy is stretched a little bit, a similar kind of thing exists in security. The more we increase the security of individual software packages, of individual systems, that benefits everybody because these systems aren’t just used in the toaster. They’re also used in other areas. So, increasing IoT security increases security for everybody.

There’s also the avenue of these systems being deployed inside corporate networks. And to give the example of the toaster, no one’s going to hack your toaster so that they can change your toast preference from brown to slightly more brown and sit on the other side of the world and laugh maniacally about it. They’re going to hack your toaster so that they can get into your network and then pivot to something that hopefully is slightly more interesting to them. And the same thing applies to IoT in corporate networks. They’re not going to hack your HVAC system so that they can make you warmer when it’s hot outside. They’re going to do that so that they can pivot to other network systems, other computers, other data that is of interest to them. And when it comes to interesting data, when it comes to criminal elements, payment data is of course of great interest to them.

So, the more we can have secure IoT deployments, the more we can consider about is this IoT system secure when I buy it? Is it going to be maintained securely over time? And how do I make sure that it is deployed securely? The more we can ensure that we are protecting not only the corporate environment itself, but the cardholder data environment, that of course we’re interested in.

Alicia Malone: Mike, I’m curious to know what kinds of steps consumers can take to help ensure the safety and security of their smart devices. What questions should consumers be asking?

Mike Bergman: So that’s a great question. In the short term, when you’re looking for products, when you’re sourcing something, you want to choose a product from a manufacturer who has a security landing page on the website and can tell you answers to the questions that you should be asking, because you need to follow-up with, what are they doing about certain things? For example, does it meet certain technical standards, PCI DSS? Does it follow a broad industry standard as well, such as CTA 2088A, which comes from my organization? Another one is ETSI’s EN 303 645. These are baseline security standards that have minimum requirements and ensure that the product is at least solid enough to be offered for sale, at least.

In addition, the manufacturer should be able to talk about how they’re going to support the product. This is a point that Andrew had made. On their security landing page on their website, they should be able to tell you a little bit about how they do security updates. Do they do them for a certain period of time? Do they do them on an as-needed basis? How are they going to let you know that a security update is required and how does that security update happen?

Do they automatically push out a patch? That’s one option. Second option is they let you know that the patch is available and you initiate it. There’s a third option. They let you know that the patch is available and you have to go onto their website with a USB stick, download it to your laptop, then load it onto the device. A little bit harder, a little bit more complicated, probably less popular. So, how the security updates are delivered to your device is probably going to be important to you if you’re going to be making sure that those updates are happening.

There are other points in the IoT security system check list from the paper that we’re releasing. If you go through that list, it’s kind of a starting point for some of the things I’m talking about, some additional features that you want to be looking for in terms of security, now, immediately. Those are all those that you can do right now, to look for the security landing page on the manufacturer’s website, look at the white paper with regard to what they offer versus what you should be looking for.

And then in the longer term, what we’re seeing now is evolution of security labeling. So, this is a standardized label that’s either authored in a particular market or required in a particular regulatory environment. So, you might see, for example, if you go to the UK, you might see a particular label that says it meets a certain code of practice, or the EU, China, India, some of the Southeast Asian countries. There’s an initiative right now underway in the United States to develop a United States National Cybersecurity Label for connected devices. That’s very new, and you’re not going to find very much about that on Google yet, but look for that in a year. So right now, check the white paper, IoT Security in Payment Environments. And then maybe a year from now, you’ll start seeing security labels, particularly in the North American market.

Alicia Malone: Andrew, I found it interesting in the bulletin that there is a section explaining how IoT security controls can be mapped to the PCI Data Security Standard, or DSS. Can you talk a little bit more about this?

Andrew Jamieson: Sure. I guess there’s once again, a few avenues that this exists for and is interesting. And I’m going to start with a little bit of a secret, so, you know, this is just between us. Don’t tell anybody. But I’m a bit of a standards nerd. I think it’s always interesting looking at how different standards align, and often they have very similar requirements because they have very similar intents: the intent to secure systems, to secure software, secure devices and so forth. And so, part of the intent of that kind of mapping was to show that there is some alignment between what we require in our standards, like PCI DSS, and what other standards, IoT standards, like the C2 Consensus and so forth, are looking for as well with secure IoT.

The other tack is really to demonstrate that the IoT security, and you’re going to increasingly see IoT security being discussed and even labeled, as Mike mentioned, on devices. That doesn’t necessarily mean you don’t have to do anything else from our point of view. You might have a device that has been configured securely. It’s been designed securely. It’s got a guarantee of updates and maintenance over a period of time. That’s all great, perfect. Really good things to have. But then there’s an operational side as well. So, there’s a technical side that can be applied to devices and systems, and there’s an operational side that you need to consider when you’re deploying those systems.

And so part of that mapping is really to demonstrate that even though you have, for example, a secure IT device, that doesn’t necessarily guarantee it’s going to meet the requirements of PCI DSS, for example, because when we talk about, for example, in an IoT system secure data, there may not necessarily be considering payment data as secure data, but also when you’re deploying it, you need to consider the network controls for the network that it’s in, how you’re maintaining those systems, because even though patches might be deployed, maybe you have to consider that in your patch cycle. What are you doing when you’re testing these systems as part of your vulnerability scans and penetration tests? Are you including IoT in the scope of those, so that they can be considered?

So that’s kind of the angles that we’re taking here in terms of how do we make sure that when you’re looking at the security of your overall network, you’ve got in mind not just the systems that are handling cardholder data, the systems that are securing that cardholder data, but the systems that exist within those networks that could be used to pivot that you might not normally think about, these IoT systems. So, we’ll kind of bubble that up to top of mind.

Alicia Malone: Is there anything else our listeners should consider when securing the Internet of Things? What else is important for them to know?

Mike Bergman: I would say this: devices that are compromised may not show problems. It may be hard to see a device has been compromised just by looking at it. That doesn’t sound very helpful, but the fact of the matter is that along with the sort of vertical compromise that Andrew has mentioned where they’re looking to get into your network, pivot from some harmless device like a Wi-Fi thermostat to other parts of your network, and exfiltrate a database, I mean, that’s a pretty nightmare scenario for an IT department. And that’s the type of thing that you need to worry about. And at the same time, just it’s hard to look at a device and see that. So, you want to take the precautions that you can.

In addition, there’s a concern that they may not actually be interested in your network. They’re simply looking at attacking infrastructure by creating many linked together compromised devices into what’s called a botnet, a robot network. A botnet army of hundreds of thousands of devices took down the United States’ internet in 2016. It’s famously called the Mirai Botnet attack, and it compromised 150 websites. So, these are some of the most popular websites in the United States at the time, PayPal, eBay. It’s all over the map. You definitely want to take the problem seriously because there’s a lot that can happen if devices are compromised.

You may see slow performance. You may see funky performance. Devices may stop doing what they’re supposed to do, but the hacker actually is motivated to try to hide their operations as much as possible, so they want your device to continue working as much as it can until they need it. So, definitely take it seriously even though you don’t see what’s happening. Also look into configuring your router and firewalls appropriately because you can do more protection from those points of view as well.

Andrew Jamieson: Yeah, I think that’s a really good point. From the Council’s point of view, absolutely agree with everything that you said. It’s about not necessarily being able to look at a device and know that it’s compromised, that it may not be the intent to compromise that device. That device has functions and purposes, that connectivity that make it valuable to an attacker. I think it’s also important to really think about the lifespan of the deployment of these systems. You’re going to deploy them today, tomorrow, whatever it is. Where are they going? How are they going to be used? How long are they going to be there? Are they going to be maintained across that period of time? If you’re installing, let’s say, a television. You know what, maybe you’re going to replace that television in three- or five-year’s time. If you’re installing a HVAC system or if you’re installing an access control system, that’s probably going to have a longer lifespan.

You know, I would suggest it’s reasonable to have conversations with the suppliers and the vendors. How long will you be maintaining this system? If there is a vulnerability, will you be patching it? Can you demonstrate to me that you have supplied patches in the past? These are reasonable questions to ask, because it’s not just about the cost of the system upfront. It’s about the total cost of ownership across that lifespan. And it also comes down to what’s going to happen when you decommission these systems. Is there information in them that could be sensitive? How do you get rid of that at the end of it? Does it have information about your Wi-Fi? Maybe you’re going to install certificates in the system so that they can connect to your Wi-Fi in a secure way. If somebody comes along and pinches a telephone off your desk or if your telephone stops working and you throw it out, can somebody take those certificates out and suddenly very easily get onto your systems?

So below, we’ve talked a lot about securing the IoT systems, securing the networks in which they exist. I think it’s very important to have that holistic view of what are you doing, how long are you doing it for, where is it going, what are you going to do at the end of that? I realize that’s very complicated, very difficult to do, but unfortunately, it can be very important for security to take that point of view.

Alicia Malone: Before we wrap up, since you are on Coffee with the Council, we like to ask our guests how they take their coffee, or if you’re not a coffee drinker, what do you prefer instead?

Andrew Jamieson: All right. So, I love coffee. I’m a very big fan of coffee. I will generally take a latte when I’m taking a coffee, a café latte. I have my own coffee machine at home, and I’ve been making coffee myself at home for well over several decades now. Generally, I get up in the morning and I make myself and my wife coffee and I bring my wife coffee every morning that I’m at home. And I make the best coffee in the world, if I’m going to be perfectly honest about it. So, big fan of coffee, yes.

Mike Bergman: Wow. Okay. So, right now I want to come over and visit. I’m a fan of coffee too. I take it straight black. In the United States, we would call it American house coffee. Overseas, I order Americanos. Basically, that if the question is coffee, my answer is yes.

Alicia Malone: That’s great. And I agree too: coffee is key. Thank you both for joining me today on Coffee with the Council and thank you so much for the guidance on your joint bulletin.

Andrew Jamieson: Been great talking to you.

Mike Bergman: My pleasure. Thank you.

Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Anchor, Pocket Casts, or Google Podcasts. Coming soon, the podcast will also be available on Apple Podcasts and RadioPublic.