Securing Billions of IoT Devices Poses Mind-Boggling Challenges
There's also the question of what needs to be secured. During the IoT security conference in May, Emil Sturniolo, managing partner with the InStep Group, a product development consulting firm, said vendors and end users "need a paradigm shift in how we think about this. It's not, 'What is secure?' It's, 'How secure does it need to be?'" Gilchrist pointed to Bluetooth as an example of how many view security. When the technology first came out, there was scant security in it. It wasn't until Bluetooth-enabled devices became popular that improved security was built into it. For many people, "there's no point in securing something until you know if it has value," he said. "Once there is value there ... yeah, it is worth securing. It goes a while before it's secured." Geir Ramleth, co-founder and CEO of startup IoT platform maker Octoblu, said businesses and device users need to look at security on a sliding scale and decide where on that scale they're most comfortable. He also noted that it's the data inside the device that is most important.The fact that many of these new connected devices will be in homes and cars where there are few, if any, tech experts makes the IoT even more precarious and adds fuel to the argument that devices and data need to be even more secure. Dell's Ferguson noted that in an environment where everything from the television to the refrigerator to the thermostat is connected, "in the IoT, the system administrator in the home is my mom." A key reason security is such a problem in the IoT is that people don't understand how dangerous networks can be, and how resilient the devices must be to cope in that environment, according to Billy Rios, director of threat intelligence at Qualys. "Networks are really evil," Rios told eWEEK. "People just assume it's a nice place to be, but it's really a harsh place to be if you're a device or system. ... They don't expect networks to be really hostile, but they are really hostile." Despite the rush to put out IoT devices and products, efforts are under way in the industry to address myriad security issues. For example, Cisco officials in March kicked off the company's IoT Security Grand Challenge, offering $300,000 in prize money to people who come up with the best security-related solutions and approaches for the IoT by June 17. The competition drew more submissions than expected, forcing Cisco to extend the deadline to July 1. In addition, at the Black Hat 2014 security conference in Las Vegas starting Aug. 2, a number of workshops and panels will touch on such issues as security around embedded devices, home automation and security—including one session titled "Smart Nest Thermostat: A Smart Spy In Your Home"—and mobile security. The growing number of vendor-led IoT industry groups aimed at creating standards around device communications also is looking at security. Liat Ben-Zur, senior director of product management at Qualcomm Connected Experiences and chairman of the AllSeen Alliance, told eWEEK in June that the group's AllJoyn framework will help users reduce the attack surface by giving them control over which intelligent systems they want to connect to the Internet.
"Securing systems ... is the old game," Ramleth told eWEEK. "It's securing the information that's the new game. ... If you can decide where you want to be on that sliding scale, the benefits will outweigh the risks."