The Internet of Things is wide open to attack; security must become a priority or the connected world will crash.
When Back to the Future II was first released, we watched in awe when Marty McFly gave voice commands to his TV and lights, and used biometrics to unlock doors rather than physical keys in his smart home, where video conferencing was a regular staple. It’s hard to believe that those concepts, so radical to us then, are very real and functioning now in 2016.
The era we used to dream about and discuss in movies, where information and artificial intelligence were at our favorite characters’ fingertips, is upon us. The Internet of Things (IoT) is expanding rapidly, and as we await the new exciting business and lifestyle enhancements that connected technology can bring, we must also confront many new security challenges.
New Threat Landscape
Consider the potential for improving patient outcomes with connected medical devices . . . and then the inherent dangers if attackers motivated by mischief or worse intentions were to hack into medical devices to stop pacemakers, alter infusion pumps, or steal patient records to blackmail high-profile individuals. Think about smart cars helping avoid collisions or avoid heavy traffic jams—until the system is hacked and cars are turned into weapons on the freeway. Plant managers could better manage community water supply, especially during a time of drought, with sensors in place to give real-time readings, but what if a hacker opened the floodgates at the wrong time, sending cascading waters upon unsuspecting communities?
Attackers are only evolving their levels of hacking sophistication, and the Internet of Things has a number of authentication and security vulnerabilities that leave it wide open to attack. However, there are existing technologies, such as PKI, that can play a key role in securing connected homes, enterprises, and networks.
Industry collaboration and focus will help the connected world move towards stronger security and authentication controls being put in place. This challenge must be considered in terms of scale (the sheer volume of devices needing to be secured so they can communicate safely with proper authentication in place), the diversity of devices (many of which were never built for the Internet and lack computational power or the ability to communicate over Internet-based protocols), and cost (to successfully embed security on devices—both legacy and those in production—in a way that meets the bottom line and also provides seamless security that does not require users to do too much).
Rising to the Challenge
Because of the many security challenges the IoT presents, CISOs and CSOs now play a larger and evolving role within their organizations. This is an opportunity for security experts to redefine what they bring to the table. For too long, we’ve been viewed as a cost center rather than vital to bottom line success. We’ve been stereotyped as the nerds in the weeds and as those locking down the enterprise so that nothing works.
Now, we have an opportunity to shine, to build bridges to operational technology engineering, marketing, the C-suite, and others in order to properly convey the risks of IoT, as well as the brand-building, profit-making opportunities available through security. We can be true stewards in evaluating risks to our organization and presenting them in business terms.
DigiCert will be at the epicenter of IoT advancement this week at IoT World in Santa Clara, California. I’ll be joining a panel at IoT World, alongside other CSOs and CISOs, to discuss these challenges of IoT security and the changing roles for CISOs. I look forward to the discussion and hope others will join me: https://iotworldevent.com/agenda/day-2/. Certainly, we won’t solve all of the IoT security challenges in one session, but we’ll enjoy a lively discussion, which are critical to making the Internet of Everything a success and not a catastrophe.