CAMBRIDGE, Mass.—Emil Sturniolo doesn’t want to see the burgeoning Internet of things go the same way the Internet did almost 30 years ago, at least not when it comes to security.
It was the late 1980s when concerns were being raised about security around the then-nascent Internet, but most people involved with its development were more enamored with the potential the Internet offered to enable people to collaborate and conduct business. The issue of security was pushed to the side, said Sturniolo, managing partner with the InStep Group, a product development consulting firm.
“What we did was [say], ‘Damn the torpedoes, full steam ahead,’” he said. “There was implicit trust that [people] would do the right thing. Now there are billions of devices connected [to the Internet], and now we’re trying to go back and fix the problems.”
Many people who are looking at the Internet of things (IoT) are in the same way awed by the promises of efficiencies, business capabilities and data capture that having billions more connected devices will bring, and there doesn’t seem to be the necessary urgency about the security threat scenarios that can arise when so many systems are connected via the Web, Sturniolo said. If those concerns aren’t addressed early enough in the evolution of the IoT, it may be difficult to catch up later in the game, he said.
Sturniolo was one of several speakers at the Security of Things Forum here May 7, an event sponsored by the IT security blog Security Ledger aimed at addressing the issue of security in the IoT age. The event featured several speakers and panel discussions that gave shape to the myriad issues surrounding the thought of having to secure all the connected devices expected to come online in the coming years.
The forum laid bare the multitude of challenges facing security professionals, from the technological barriers to the reluctance of many businesses to spend money on security to the complacency many people have around protecting their data. There was little consensus on the best ways to solve the problems, or what the key problems are. However, there was agreement that steps need to be taken now, before the industry gets overwhelmed by the sheer number of devices and systems that become connected over the Internet.
“The IoT … should raise the hackles on every neck, given our current” security situation, said Dan Geer, chief information security officer for venture capital firm In-Q-Tel.
The Internet of things refers to the growing number of systems and devices—from automobiles and manufacturing systems to wearable devices, appliances, surveillance cameras, medical systems and televisions—that are being infused with intelligence and connected to the Internet. These systems will increasingly generate enormous amounts of data that organizations will be able to leverage for their business efforts, hospital staffs will be able to use in patient care and consumers will be able to see as they go through their fitness regimens.
The growth in these connected devices will spike over the next several years, according to numbers accumulated by Cisco Systems. The number of connected systems will grow from 10 billion this year to 50 billion by 2020. What Cisco officials call the Internet of everything will generate $19 trillion in new revenues for businesses worldwide by 2020, and IDC analysts expect the IoT technology and services market to hit $8.9 trillion by the end of the decade.
However, while it may prove a financial boon for businesses and meet consumers’ insatiable desire for more devices, the IoT also will increase the potential attack surface for hackers and other cyber-criminals. More devices online means more devices that need protecting, and IoT systems are not usually designed for cyber-security, said Marc Blackmer, product marketing manager for industry solutions at Cisco. The sophistication of cyber-criminals is increasing, and the data breaches that are becoming increasingly familiar will only continue.
“This is not going to change,” Blackmer said. “It’s not going to go away. … As long as there’s money to be made, it’s going to happen.”
Internet of Things Present Host of Security Challenges
There is a litany of challenges in making the IoT secure, and each idea seems to lead to a new set of concerns, dilemmas and choices to be made, the speakers said.
On the technical side, how can so many connected devices be protected? The idea of issuing standards and requirements on systems and their components was raised, but what may be acceptable in the United States may not be acceptable in Europe or Asia, Sturniolo said. It could be costly for businesses to develop a range of SKUs for various regions.
Geer said that he believes a key problem is the billions of embedded systems that are deployed and run for years with little, if any, human intervention. As these systems become more intelligent and connected, the industry and businesses need to decide whether they should come with management interfaces that enable IT professionals to communicate with them—but which also would increase their exposure to attacks—or whether there should be no connected management capabilities, making it impossible to detect an issue with them until something goes wrong. Maybe such embedded systems should be designed with self-destruct capabilities after a certain amount of time, he said.
To Mark Stanislav, security evangelist at Duo Security, the question of IoT security is really about traditional IT security.
“Unless we can solve embedded software and network security, we solve IoT security,” Stanislav said. “These [parts] of IoT are what make IoT a thing.”
Businesses also have choices to make. They tend to operate on cost-benefit models, where spending decisions often are made based on how much of a financial return can be made. Stacy Cannady of Cisco and the Trusted Computing Group said security professionals need to be able to make their cases in similar fashion if they’re going to influence business decisions.
“If we want a seat at the table, we need to speak the same language everyone else is speaking,” Cannady said.
Businesses are going to have to decide whether they will spend the money to make their infrastructures more secure or risk being attacked, the speakers said. Cisco’s Blackmer said too many businesses are being complacent about the dangers, figuring that since they haven’t been compromised, they’re safe.
Consumers also have decisions to make, according to some of the speakers. Sturniolo said that the industry will not be able to secure every device all the time, so consumers and businesses need to decide what needs to be secured, and how much they are willing to pay to have that security.
“We need a paradigm shift in how we think about this,” he said. “It’s not, ‘What is secure?’ It’s, ‘How secure does it need to be?’”
Cannady said consumers and enterprise buyers need to be more active in pushing system vendors about security. He likened it to buying a car. If a buyer tells the car dealer what make, size and color he wants the car to be, the dealer will talk to him in those terms.
“If they don’t ask about cyber-security, they won’t get cyber-security,” he said.
Cannady also said a problem is that devices now don’t have much security, so the industry is in a difficult position when talking about trying to secure the billions of new devices that will come in the next few years.
“We have a very basic set of problems to solve on a very large scale,” he said.