It is literally impossible to keep pace with the potential uses of computing and communications technology loosely categorized as the Internet of Things (IoT). Though definitions and predictions on the level of ubiquity vary, there is universal agreement that this class of equipment and services increasingly will permeate just about everything consumers and businesses do. Indeed, it is safe to say that an individual will encounter IoT multiple times per day, often without realizing it.
That’s actually chilling. The IoT will offer such a buffet of opportunities to crackers that we all should be a bit afraid. And success, from the bad guy’s standpoint, isn’t just getting into somebody’s email. It could do such things as disrupt heart pacemakers, identify homes that are empty and ripe for burglary, raise the temperature in container trucks carrying sensitive cargo, turn all the lights green at intersections and so on.
eWeek and other sites report today that Cisco is sponsoring the $300,000 Internet of Things Security Grand Challenge. The contest was announced at RSA security conference last month. As many as six winners, each garnering $50,000 to $75,000, will be chosen by a panel of experts.
Chris Young, the senior vice president of Cisco’s Security Group, posted at the Cisco blog on the challenge on Feb. 27. He addressed the need:
For example, in the healthcare sector, it’s easy to imagine how Internet-connected devices and systems are revolutionizing patient care. In the transportation sector, technologists are already connecting vehicles and their subsystems to the Internet. It is also, unfortunately, too easy to imagine how these world-changing developments could go terribly wrong when attacked or corrupted by bad actors.
The call by Cisco and others is to accelerate work on this challenge. If the industry fails, the implications are dire. At Forbes, Debra Donston-Miller laid out the IoT security problem and offered four steps that Chris Clearfield, a principal at the SystemLogic consultancy, said should be taken in the creation of devices: Existing system engineering tools should be applied to the IoT threat, modular hardware and software designs should be used, open security standards should be employed where possible, and a “skeptical culture” should be encouraged.
At Electronics Weekly, Steve Bush got a bit deeper into the concepts around building security into devices and the web of interconnections into which they eventually will fit. The reality is that security must be job one at the granular level – how each device and application is put together – and at each successive higher level. These include how elements are managed and communications sessions are conducted. The problem, as with any other sort of electronic security, is that the people trying to use the systems for nefarious purposes are as smart and well trained and, in most cases, as well financed, as the good guys.
It is not difficult to understand the dangers of the IoT. Indeed, each story on the topic seems to have completely different, highly believable, very creative and extremely chilling scenarios. At this point, the best practice is simply to overprovision security at every step in the process.