This is not an article about why the Internet of Things is a big business opportunity. You already know that. Nor is it going to be about the fact that IoT initiatives need to account for cybersecurity requirements. You already know that, as well.
What this article is about is the need for some straight talk and a reality check in dispelling some misconceptions, half-truths and mistaken assumptions about IoT cybersecurity. I call them The 3 Myths of IoT Cybersecurity, and they can sidetrack your organization’s efforts to realize the heady business potential of IoT.
Myth #1: IoT Cybersecurity is a Consumer Problem.
It’s not surprising that this one has spread wings and gained wide acceptance. It seems like every week, there is high-profile media coverage of an IoT consumer glitch that becomes “Facebook-worthy.” It might be a botnet attack that prevents us from taking money out of ATMs, a city being unable to turn on street lights, or even a voice synthesis chip in a child’s toy broadcasting its location.
But while consumer glitches like these gain a lot of hype, the stark truth is that industrial IoT–stuff like SCADA controllers, inventory management, and global supply chains–outnumbers consumer IoT use cases by more than two to one. And, when you account for the money spent on those IoT solutions, the industrial applications–often referred to as “operational IoT” because they often affect critical infrastructure–outpace consumer applications by 5-to-1.
Understandably, the consumer IoT glitches get headlines and lots of heat on social media. But it’s very important for business leaders to understand that their business applications are far more susceptible to cybersecurity problems, and those are going to have big financial, legal, regulatory, and brand implications.
Myth #2: It Can Be Fixed By the Device Manufacturers.
We ran into this a lot when notebook computers proliferated and became a popular point of attack for hackers. A lot of fingers were pointed at Microsoft for supposedly not taking seriously the security implications of the Windows operating system and the new use cases for notebooks often outside the control and monitoring of IT organizations. But the lesson we all learned was that you can’t make a laptop that is fully impervious to security problems, and you can’t do it for IoT devices, either.
There are several reasons why. First is what I call financial appropriateness. The cost factor of the device is going to set a bar on how much I can spend to secure it. If I want to sell a “smart fan” for $90, I can’t spend $200 to fully secure it. I can do that for a plane or a car, but not most everyday consumer devices.
Second, there are resource issues with the devices. Let’s say I have a device that I actually can secure for a small amount of incremental money. That’s great, but that’s not the only issue. My developers will have to beef up the processor power of the device to support it, and they might not have an operating system with enough functionality to handle it, either. There are other issues, as well, like the physical real estate that is necessary to support security functionality, or whether it increases the cooling requirements of the device.
Third, there is the reality of the extreme heterogeneity of the environments where IoT devices are going to be used. Even if I could overcome the cost and resource issues, I still have to find a way to make my device secure enough to run on the wide range of architectures and infrastructures where IoT is going to live. There are going to be countless devices–all different types of things, and all connected–that will touch each other, requesting and sharing data. That’s a recipe for disaster if cybersecurity is addressed only at the device level.
Myth #3: It’s a “Special” Problem That Can’t Be Addressed by Conventional Security Means
Be careful when you hear this one. Chances are someone is trying to sell you on the need for a unique, maybe even proprietary, solution for behavioral analysis, deep learning, or data science.
Those are important functions and potentially exciting tools, but throwing them out as panaceas obfuscates the fact that cybersecurity for IoT is a lot of basic blocking and tackling. Sure, there are things about every IoT-enabled device and IoT use case that have their own twist and need to be accounted for in designing security into IoT solutions.
It’s a lot like the protocols set up for driving in our cities. Driving “works”–meaning, it’s relatively safe and efficient–because we have protocols for street design, where to place traffic controls, and what signage looks like. People aren’t driving haphazardly and routinely ramming into fellow drivers (even New York City taxi drivers usually follow those protocols).
It’s the same thing with IoT. We are creating “swim lanes” that provide direction to product designers and security specialists so they know how data protection works with this device, or authentication works with this service. These standard protocols help us disarm 90% of initial threats immediately.
Prevention is More Important Than Detection
In the end, “detection” is the worst possible outcome for an IoT device. Detection means that damage has already occurred and has likely spread. Our IoT cybersecurity philosophy needs to be rooted in stopping problems from entering our digital sphere in the first place.
After all, if swine flu or Ebola break out in a city, people die. If you’re a CEO, you can’t afford to have the digital equivalent of the bubonic plague turning your prized IoT initiative into a cautionary tale.
Just don’t pay attention to those myths. They’re shiny objects that divert your attention from the stuff that really matters.