It’s impossible to state accurately just how many devices are connected to the Internet. For one thing, the number changes by the minute as connections grow. For another, many if not most of those devices work quietly in the shadows simply doing their jobs and not attracting attention.
On my three-hour drive from my office near Washington to another office quietly nestled near the James River in central Virginia, I tried to keep track of just how many of those connected things I found along US Route 29, the primary highway in that area.
I was able to spot a few of them, but I know I missed thousands of connected things, either because they’re not readily visible or more likely because I was dodging crazed drivers. But I was able to see some of them, even if I gave up counting.
What were those things? Everything from sensors along the Norfolk Southern railway line that parallels the highway to traffic sensors embedded in the pavement.
There were water-level sensors near the stream beds next to bridges I passed over, monitoring devices on pipelines and agricultural equipment, and sensors in Virginia’s wineries that lie quietly in those mountain valleys a distance from the highway. And, of course, they were in gas stations and stores, on tractor trailers and in shipping containers.
As my colleague Todd Weiss pointed out in his story, many such devices communicate via satellite, while others use everything from wireless networks to Bluetooth and WiFi. In a vast percentage of these devices, there is no security.
In fact, many of the sensors—such as those that measure water levels or count rail cars—have been in place for decades, their only communication being an occasional burst of radio communications to an unseen server.
Nobody really knows for sure how many such Internet of things (IoT) devices are connected and communicating at any given time. Estimates by Cisco suggest that the total in 2015 may reach over 10 billion. By 2016, some estimates suggest that there may be more connected devices than there are people on Earth. Only a few high-profile devices have any security at all.
Those high-profile devices, including some Chrysler Jeeps that have been famously taken over by hackers, are getting attention because the results are so dramatic. Others, because the potential for harm is obvious, such as with point-of-sale devices, are starting to see some attention. But for most of the other devices, it’s business as usual.
In many cases, security is probably not necessary. After all, there’s not much point in hacking a connected rain gauge, since rain isn’t a big secret. But what about other devices such as pipeline sensors? Those are devices that monitor the flow of whatever is being carried in the pipeline.
How to Fix the Many IoT Security Gaps That Nobody Is Thinking About
Sometimes it’s water or sewage; sometimes it’s natural gas or petroleum. It doesn’t take much to understand the importance of a gas or petroleum pipeline, nor the catastrophe that could happen if the sensors are hacked right before someone attacks that pipeline.
As the September 2010 explosion of a high-pressure gas pipeline in San Bruno, Calif., demonstrated, such a catastrophe is indeed possible. While there’s no indication that tampering with sensors was an issue in that disaster, it demonstrates that there’s reason enough to protect such sensors and the data they provide.
While it’s likely to be nearly impossible to simply add security to existing sensors and controllers that make up this part of the IoT, perhaps it’s possible to begin with a more measured approach. Clearly some of those things are reporting on critical infrastructure and should be upgraded as quickly as possible. That is already a tough job, but probably not impossible since these devices need routine servicing anyway. Perhaps when they’re visited for service, the communications modules can be upgraded.
Other devices that normally aren’t considered part of the critical infrastructure may also need a look, such as controllers for traffic lights and embedded sensors in highways. One way to shut down a large city, after all, is to simply turn the traffic lights red—an approach that’s already been used in a couple of thrillers. While there are workarounds for that, including the time-honored approach of treating a broken traffic light as a stop sign, we all know how well that works in real life.
But again, while it’s probably impossible for cash-strapped local governments to replace their traffic light controllers all at once, perhaps it’s not so hard to upgrade them over time as they need routine service.
I can’t list all of the possible ways that the IoT could be turned against society. There isn’t space and besides most of it doesn’t apply to most of you who are reading this. But what does matter is the need for awareness of this issue.
Ask yourself what part of the IoT impacts your job. Then ask yourself how you can approach the security of the things that have an impact. Can you talk to your IT manager? Your factory floor supervisor? Your safety officer? Perhaps just asking the question is enough to start the process.
And if your job isn’t impacted by any part of the IoT, then perhaps your life outside of work is. Maybe it’s time to start calling your state legislator or your local mayor about security of the traffic sensors. It doesn’t matter what part of the IoT you help secure. Eventually, every part will need some attention. What matters is that it starts somewhere.