Fitness-tracking bracelets. Smart refrigerators. Internet-accessible home security cameras. These devices--which are not traditional computers yet communicate via the Internet--are all examples of the rapidly expanding "Internet of Things (IoT)."
While the IoT has brought us cool, life-improving technology that might have been considered science fiction just a few years ago, it also introduces various security and privacy concerns.
On Monday I attended the National Cyber Security Alliance's (NCSA's) Cybersecurity Summit at the NASDAQ in New York City, at which various experts discussed securing the IoT.
Here are some interesting, and important, takeaways:
- The IoT is growing rapidly--Cisco estimates that within five years there will be as many as 50 billion IoT devices connected to the Internet. Criminals, of course, are aware of this trend as well, and will seek to exploit it for their own gain.
- IoT is highly personal - People often view IoT devices as much more "personal" than they do their computers or even their smartphones. In fact, NCSA's Executive Director, Michael Kaiser, noted that in many ways the IoT is really an "Internet of Me"--connected devices gathering and transmitting highly personal information about their owner. RSA's Chief Information Security Officer, Janet Bishop-Levesque, expressed similar sentiments and cited examples of Internet-connected baby monitors, insulin pumps, and pacemakers--devices that people often naturally consider far more personal than computers.
- People are realizing that IoT devices create security concerns - Tim Fitzgerald, Chief Security Officer (CSO) of Symantec, noted that he realized how much awareness and attitudes regarding information security had changed when he heard his mother start discussing information security concerns.
- IoT is industrial, not just consumer facing - Contrary to the perception of many consumers, a significant percentage of connected devices are industrial. While new devices in this area are often equipped with various security measures, older ones--and older devices being retrofitted with smart technology--often fall short in this regard, a problem that, as Ed Amoroso, CSO of AT&T, pointed out, could lead to serious security problems.
- Communications create serious security concerns - Sven Schrecker, chief architect of IoT Solutions at Intel, pointed out that even if we somehow perfected the process of creating secure devices, and even if every computer and device connected to the Internet were completely secure, we could still experience serious security problems because the communication between devices itself may create vulnerabilities. This is also true because...
- Security of IoT devices degrades with time--As new vulnerabilities are discovered, new protocols put into use, and new technologies emerge, IoT devices that were once considered adequately secure may no longer be trusted. Manufacturers cannot simply follow the long-established model of producing devices and supporting them as is--they need to be able to update them as necessary; such a requirement might require major organizational transformations within device manufacturers. How many appliance manufacturers, for example, are well-equipped to produce, manage, and deploy en masse urgent patches and software updates? As John Ellis, Founder and Managing Director of Ellis & Associates, pointed out, vendors used to ship products and forget about them; now they must "ship and remember."
- Consumers will ultimately demand better security, and will choose products from vendors that prove through action that they are taking people's security needs seriously. As Fitzgerald noted, "customers will self-select applications, devices, and companies" that offer better security than alternatives.
- IoT devices are often easy to impersonate, a potentially serious problem noted by Miller Newton, CEO of PKWare. Hackers could set up computers that pretend to be various devices--and thereby steal significant amounts of private information, or even impact the performance of those devices.
- We are way behind. David Burg, Global & U.S. Cybersecurity Leader at PwC, mentioned that while there has been a 157 percent increase in attacks against IoT devices in the last year alone, a recent PwC survey indicated that only 36 percent of businesses actually have a strategy for managing IoT devices. That leaves a lot of room for desperately needed improvement, and, as David Kleidermacher, CSO at BlackBerry, explained, "if we have trouble now trying to secure a couple billion devices connecting, imagine what it is going to be like in the future" when many times more devices will be online.
- We have the opportunity to get IoT security right - Cisco's Chief Information Security Officer, Steve Martino, mentioned that IoT device manufacturers should ensure that security is properly implemented from the get-go, rather than addressed when problems occur. Unlike vis-à-vis the Internet in general, which was initially envisioned as a mechanism for linking universities doing research and which required little security, IoT is emerging in an era in which we already understand the need for security, and pertinent security-related activities can be incorporated into every stage of the product development lifecycle.
Please feel free to discuss this article with me. I'm on Twitter at @JosephSteinberg.