Internet of Things Presents Host of Security Challenges

At a forum about IoT security, speakers say the number of challenges is outpacing the possible solutions.

CAMBRIDGE, Mass.—Emil Sturniolo doesn't want to see the burgeoning Internet of things go the same way the Internet did almost 30 years ago, at least not when it comes to security.

It was the late 1980s when concerns were being raised about security around the then-nascent Internet, but most people involved with its development were more enamored with the potential the Internet offered to enable people to collaborate and conduct business. The issue of security was pushed to the side, said Sturniolo, managing partner with the InStep Group, a product development consulting firm.

"What we did was [say], 'Damn the torpedoes, full steam ahead,'" he said. "There was implicit trust that [people] would do the right thing. Now there are billions of devices connected [to the Internet], and now we're trying to go back and fix the problems."

Many people who are looking at the Internet of things (IoT) are similarly awed by the promises of efficiencies, business capabilities and data capture that having billions more connected devices will bring, and there doesn't seem to be the necessary urgency about the security threat scenarios that can arise when so many systems are connected via the Web, Sturniolo said. If those concerns aren't addressed early enough in the evolution of the IoT, it may be difficult to catch up later in the game, he said.

Sturniolo was one of several speakers at the Security of Things Forum here May 7, an event sponsored by the IT security blog Security Ledger aimed at addressing the issue of security in the IoT age. The event featured several speakers and panel discussions that gave shape to the myriad issues surrounding the thought of having to secure all the connected devices expected to come online in the coming years.

The forum laid bare the multitude of challenges facing security professionals, from the technological barriers to the reluctance of many businesses to spend money on security to the complacency many people have around protecting their data. There was little consensus on the best ways to solve the problems, or what the key problems are. However, there was agreement that steps need to be taken now, before the industry gets overwhelmed by the sheer number of devices and systems that become connected over the Internet.

"The IoT … should raise the hackles on every neck, given our current" security situation, said Dan Geer, chief information security officer for venture capital firm In-Q-Tel.

The Internet of things refers to the growing number of systems and devices—from automobiles and manufacturing systems to wearable devices, appliances, surveillance cameras, medical systems and televisions—that are being infused with intelligence and connected to the Internet. These systems will increasingly generate enormous amounts of data that organizations will be able to leverage for their business efforts, hospital staffs will be able to use in patient care and consumers will be able to see as they go through their fitness regimens.

The growth in these connected devices will spike over the next several years, according to numbers accumulated by Cisco Systems. The number of connected systems will grow from 10 billion this year to 50 billion by 2020. What Cisco officials call the Internet of everything will generate $19 trillion in new revenues for businesses worldwide by 2020, and IDC analysts expect the IoT technology and services market to hit $8.9 trillion by the end of the decade.

However, while it may prove a financial boon for businesses and meet consumers' insatiable desire for more devices, the IoT also will increase the potential attack surface for hackers and other cyber-criminals. More devices online means more devices that need protecting, and IoT systems are not usually designed for cyber-security, said Marc Blackmer, product marketing manager for industry solutions at Cisco. The sophistication of cyber-criminals is increasing, and the data breaches that are becoming increasingly familiar will only continue.

"This is not going to change," Blackmer said. "It's not going to go away. … As long as there's money to be made, it's going to happen."