The potential for big problems on the Internet of Things (IoT) makes for scary reading. Last week, The Internet Society released a document titled, “The Internet of Things: An Overview – Understanding the Issues and Challenges of a More Connected World.” It puts security at the top of the list of vital IoT topics, according to a blog at the society’s website by Karen Rose, the society’s senior director, Office of Strategy & Research:
As you will see in the document, we believe the security in the Internet of Things is perhaps the most significant challenge and we believe ensuring security in IoT must be a fundamental priority. Poorly secured IoT devices and services can serve as potential entry points for cyber attack and expose user data to theft by leaving data streams inadequately protected. A proliferation of poorly secured devices also has the potential to impact the security and resilience of the Internet globally.
The challenge must be faced at several levels. Lev Lesokhin, the executive vice president of Strategy at CAST, makes a very important point at Dark Reading. The IoT, he writes, is not introducing security vulnerabilities. Rather, it is increasing the possible damage that will occur when long-known vulnerabilities are multiplied by the huge increase in sensors and other elements that are deployed.
The situation is made worse for two reasons: Many of these devices perform very important – in many cases, life-controlling – tasks while they, at the same time, must be extremely inexpensive (after all, millions of sensors and related items must be produced). The need to cut costs to the bone can limit attention to security.
Lesokhin offers five rules for IoT software development: Proper code review and repeat testing is key; software assurance is vital; management should share some risk responsibility; organizations should “up the game” for structural quality analysis; and software quality and security should be prioritized.
With a bit of good news, Manufacturing.net reports on Verizon’s “State of the Market: The Internet of Things 2015” report. It suggests that the physical security of an industrial plant or any mission-critical facility can be improved by using the IoT.
Of course, no story on IoT security can be entirely free of dire warnings. The piece points to Sansa Security’s take that the IoT will lead to the death of the password. Simply, cloud-based password-cracking techniques will be capable of making as many as 300 million attempts in 20 minutes. Even a strong password won’t withstand that pressure for long (and the death of the password is, frankly, not really bad news).
The broad IoT industry knows the importance of security and is moving forward, it seems. Today, the AllSeen Alliance used its meeting in Seattle to announce security updates to the AllJoyn open source framework. The consortium, which is working on the AllJoyn framework for the IoT, said that it has updated encryption, authentication and device authorization. The deals are available at the AllSeen site.
At the highest level, the key here seems to be building robust security into the IoT at all levels from the ground up. Security as an afterthought, as per usual, is not likely to accomplish much.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at cweinsch@optonline.net and via twitter at @DailyMusicBrk.