Advocates say the Internet of Things is a multitrillion dollar business opportunity, but it's also a potential disaster for privacy and safety. Before we connect everything around us to the Internet, we need to think about security.
Internet of Things security is difficult to discuss because the concept is so immense. When you make "everything" IP-connected, how do you lock all of that down? Cars, cows, oil rigs, medical devices, refrigerators. There is no perimeter that can encircle all of that.
"The challenge we have is that each of those areas is really pretty separate," said Bret Hartman,
Bret HartmanVice President and Chief Technology Officer, Security and Government Group, Cisco
"The technologies working in those areas tend to focus specifically on their own area. It's not going to be one-size-fits-all for [Internet of Things] security."
Companies and individuals will also find that they lose a lot of control over where their data is and where it is going. When consumerization struck the enterprise, power and control over data and connectivity shifted from IT to the user. IT is still adapting to that shock. Now another shift is coming.
"Power is shifting from the user to machines," said Dipto Chakravarty, executive vice president of engineering and products at ThreatTrack Security Inc. "And when it shifts to machines, connectivity is the inverse to security. The more connectivity you have, the less security you have -- unless you can layer it in properly."
Internet of Things security: It's not easy
Locking down the so-called "things" on the Internet of Things is a daunting task because security takes computing power, and many things have only the bare minimum -- if that.
"Usually these endpoint devices aren't very big. They don't have a lot of compute power to do much, especially around security," Hartman said. "There are IP-addressable light bulbs. There's not a whole lot of processing power left in there for security."
Furthermore, wherever you have an IP-connected thing, you also have an operating system. Operating systems need to be patched. When they aren't, hackers find vulnerabilities. Botnets will find millions of new recruits in the form of zombie appliances and other "things."
These things are all communicating with each other, too. And they influence each other.
"How much is going to go wrong if someone hacks a cow's monitoring system?" asked Eric Hanselman, chief analyst for New York-based 451 Research. It's all just passive data collection. It's not a big deal." But data about a cow's health might go to another "thing" on a farm that crunches that data and spits out new data. Then that data goes elsewhere, all across IP networks.
"These are typically paths that are poorly protected. The bigger problem is not so much the endpoints, but the fact that the data paths themselves create a new attack platform."
"What if your microwave was taken over and it kept telling your fridge to shut down?" said Chakravarty of ThreatTrack. "You wouldn't know there was something wrong with your microwave. The user is slowly stepping out of the equation. We may be carrying a phone, but it's not just a phone. It's a transmitter and receiver that can propagate information exactly like a router would on a network."
Internet of Things security: How do you do it?
Some engineers say network monitoring is the way to solve the problem.
"It's much more about using the network fabric to watch traffic across all these devices and limit [that traffic] where there appears to be some abuse or potential attack happening, " Cisco's Hartman said. "In an industrial control system, you might change [a robot's] settings with a management console, but you wouldn't expect two robotic arms to reprogram each other. So you can look at that kind of traffic and say this shouldn't be happening. You can control and limit the traffic that goes among these [robots]."
Internet of Things security will also require encryption key management infrastructure and identity management systems that can scale into the billions, said Earl Perkins, research vice president for Stamford, Conn.-based Gartner Inc.
"We'll have to figure out a way to protect data in an environment like this, whether it's on [an] Internet of Things 'thing' or in an intermediate location," he said. "We'll have to revamp the way we look at encryption key management and identity management. We'll have to combine capabilities from identity management and asset management, because [people] are going to become [their own] personal cloud networks. The Internet of Things that you carry on your person and that you have at home are like a cloud of devices that surround you. You have an identity and the things have identity, but how do you keep [up] with the relationships between you and the identity of those things?"
The Internet of Things will also require a sophisticated approach to risk management. Not all of the devices on the Internet of Things will be new. Organizations are strapping IP connections onto legacy devices and systems to extract data. Those legacy systems will pose a higher risk than something engineered from the ground up to be an IP endpoint.
"You need to add intelligence to be able to deal with the level of risk [presented] by these older types of data sources," 451 Research's Hanselman said.
Internet of Things Security: Who owns the problem?
Clearly, there is a lot of work to be done in securing the Internet of Things. Before you even tackle the problem, you need to figure out who is responsible for it. Billions of new devices will start collecting and sharing data, and a wide assortment of companies will be enabling that. Who owns the problem?
"The issue is not clear at this point," Hanselman said. It's not even clear who would be held liable for damages associated with Internet of Things security breaches, he said. "If you look at the laws being handed down right now, the loss of privacy doesn't have an established value yet in the U.S."
The law is even murkier when it comes to liability for hacks of things that result in personal injury or real-world property damage, he said. For instance, the law is unclear about liability if someone hacks the braking system of a car, resulting in injury, damage or death. Is the car's manufacturer responsible for the security breach? "There will be case law that will establish this, but right now, they are out on a legal limb," Hanselman said.
In many cases, the manufacturers of the "things" on the Internet of Things won't be responsible for security. Instead, companies that provide the applications or connectivity will have to take charge.
"The problem of making sure the devices are secure will probably reside with those that provide a service through the device," Gartner's Perkins said. "It could be whoever is providing the application and service itself, or it might be the service provider that provides the network. It may be both. One of the big problems ahead of us is going to be the liability and legal implications of these devices running wild."
The Internet of Things could wreck your cloud
Where Internet of Things and facilities management meet
Google spent $3.2 billion on IoT player Nest Labs