CAMBRIDGE, Mass. — Among the number of provocative points that Dan Geer, the CISO of In-Q-Tel, makes about embedded systems and supply chain risk, one stands out: The systems are immortal.
They are immortal in the sense that they can continue to function for years at an assigned task. "The longer lived these devices," said Geer, "the surer it will be that they will be hijacked within their lifetime."
"Their manufacturers may die before they do — a kind of unwanted legacy much akin to superfund sites and space junk," said Geer. So something has to be done.
Geer raises the argument that embedded systems without a remote management interface, "and thus out of reach, are a life form," and "as the purpose of life is to end, an embedded system without a remote management interface must be so designed to be certain to die no later than some fixed time."
"Conversely, an embedded system with a remote management interface must be sufficiently self-protecting that it is capable of refusing a command," said Geer, speaking at The Security of Things Forum held here Wednesday. The event is organized by The Security Ledger.
"Inevitable death and purposeful resistance are two aspects of a human condition that I think we need to replicate" in these systems, said Geer.
In-Q-Tel is the U.S. intelligence community's venture funding operation. It searchers out start-ups with technologies that may help with national defense. Geer said he was speaking for himself at the forum.
The use of embedded systems are multiplying, thanks in part to the Internet of Things (IoT). Creating IoT-enabled devices involves taking either existing or new machinery of any type and equipping it with sensors, connectivity and some computing capability for a predefined task — an embedded system. But IoT devices are also designed to communicate with other machines. Thus, the risk isn't isolated.
"As society becomes more technologic, even the mundane comes to depend on distant digital perfection," said Geer.
In terms of being more technologic, Geer points to the food pipeline, which he said has less than a week's supply in it. But everything in that pipeline depends on digital services, from GPS driven tractors, irrigation systems, robotic vegetable sorting, and RFID-tagged livestock as well as supply chain logistics.
Is all this technological dependency, said Geer, "making us more resilient or more fragile?"
An embedded system has a dedicated task and may be paired with an application-specific integrated circuit, and hardwired to do something specific. But they can also be paired with a more general purpose processor. It may include sensors and wireless radio. An embedded system may run machinery in any industry imaginable, as well as in public utilities. Their use is expanding as device makers seek to connect and control a wide variety of things.
Sign up for CIO Asia eNewsletters.