The Internet of Things (IoT) is big, amorphous, somewhat mysterious and quickly evolving. It is stuck in the gray area between concept and reality.
That makes discussing IoT security difficult. The good news, however, is that people are discussing and debating IoT security from both the conceptual and product perspectives.
The challenges of IoT security were featured this week when The New York Times focused on The Defense Advanced Research Projects Agency (DARPA), which is offering prizes in the millions of dollars range in the Cyber Grand Challenge. The idea is to develop technology to allow the IoT to more or less police itself:
To win, contestants would have to create automated digital defense systems that could identify and fix software vulnerabilities on their own — essentially smart software robots as sentinels for digital security.
The serious nature of IoT security is illustrated in the piece by the news of two recent IoT-related hacking incidents. Level 3 Communications came under attack from malware launched from IoT devices. Akamai Technologies had been attacked by hackers testing whether they could use stolen names and passwords to gain access to websites.
All in all, it’s not a pretty picture. An exhaustive survey conducted on behalf of ForeScout by Quocirca found that organizations are concerned about the IoT, even as they seek to take advantage of what it has to offer.
The key, according to the conclusion of the research report, is that systems must be implemented that allow the discovery and classification of IoT devices. This means that “previously unknown devices and those running unusual operating systems” can be tracked and therefore securely accommodated. It also means that permanently connected devices must also continually be monitored, managed and secured.
In short, the job of IT security teams is more complex and demanding than it was just a few years ago. Computerworld’s Evan Schuman wrote that enterprises face three dangers: Being attacked from outside, having compromised devices belonging to the company attack others or having these devices attack internally. A big part of the challenge is that IoT functionality is increasingly embedded in elements, such as LED light fixtures, that are not signed off on by the IT department. The fixes to this, Schuman writes, are to train staff on where the IoT resides and to require IT or the CISO to sign off on purchases.
The IoT has great potential benefits. As time goes on, however, the potential for damage seems to equal or outweigh that upside. It seems that vendors are recognizing another type of potential: that of making money developing the technology that will keep those worst fears from being realized.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at [email protected] and via twitter at @DailyMusicBrk.