Don’t Short-Change IoT Security

When we talk about the Internet of Things, it’s easy to get swept away by the sheer magnitude of the IoT market opportunity. After all, the numbers are enormous.

  • More than 20 billion connected things by 2020 (Gartner).
  • Over $11.1 trillion in annual economic value by 2025 (McKinsey).
  • Worldwide spending on IoT solutions eclipsing $770 billion in 2018 (IDC).
  • One trillion embedded sensors operating globally by 2022, growing to more than 45 trillion within 20 years (Cisco).

Yes, the IoT numbers are enormous. But that’s not the only thing that’s enormous. So is the IoT cybersecurity risk.

Look, there’s no debating IoT’s potential to be the greatest technology transformation agent since the integrated circuit. That’s because IoT already is changing the way we work, live, play, and interact with each other. But any time you connect things to each other, to the cloud, and to our most sensitive data, bad things can happen. Unfortunately, we already have firsthand knowledge of this.

Just ask the executives at Target, whose momentous data breach several years ago was facilitated by a hack of an HVAC system. Or anyone slammed by the Mirai virus, dubbed the “botnet of things.” Or targets of Stuxnet, which infiltrated operational systems such as nuclear reactors through industrial programmable logic controllers.

Yes, IoT represents both an incredible business opportunity and a terrifying cybersecurity threat. Now, let’s take a deep breath, step back, and try to assess this rationally.

A sober, balanced take on the tradeoffs when implementing IoT solutions has been offered by Jennifer Steffens, CEO of IOActive, an IoT consulting and research organization that has analyzed IoT cybersecurity risks on everything from heart defibrillators to automobile braking systems. Her take on IoT risks and rewards appears in the second edition of Navigating the Digital Age (published by Palo Alto Networks), and it addresses the subject with both excitement and reason.

“Smart cities, intelligent dialysis machines, and self-replenishing retail shelves all are examples of using IoT to enhance our lives at work and at home,” she recently wrote. “An IoT-enabled hairbrush is not.”

Of course, there are tons of real-world use cases where IoT already has made inroads and has delivered real value to businesses, organizations, municipalities, and consumers. Inventory control in retailing and wholesale distribution, manufacturing floor workflows, RFID in third-party logistics, and smart power grids are just the tip of the iceberg.

In her chapter, she makes a powerful point that I am starting to hear with more and more frequency: Just because something can be connected doesn’t mean it should be connected. Her thrust here is that some applications are head-scratchers, like the IoT-enabled hairbrush mentioned above, but the bigger problem is that some applications open up more security risks than organizations realize. And sometimes, that risk/reward ratio is way out of balance.

“Any time you connect something to another device, a computer network, or the internet, you are opening up potential new avenues for intrusions and breaches,” she emphasizes.

There are several reasons why IoT has become a flashpoint for cybersecurity risks. For instance, unmanaged endpoints such as chips, sensors, microcontrollers, and other newly digitized systems lack the automated security we now expect and often take for granted in traditional IT systems. Also, the attackers are increasingly teaming up, sharing information about vulnerabilities, tips, and tricks for hacking into everything from environmental control systems to ATMs. The good guys, by comparison, continue to slog away on their own, missing a golden opportunity to marshal resources beyond their own limitations.

OK, the risks are becoming more apparent every day. But have we learned anything yet about good IoT cybersecurity hygiene? Fortunately, yes. There are several best practices emerging that business leaders (not just CISOs, but especially CEOs and board members) need to keep in mind when introducing IoT into their operational processes or using the technology to launch new customer-facing products and services. One of the most basic is designing security into IoT systems before they hit the market, or even before they reach the internal review stage, because it’s a lot safer and cheaper to account for IoT security before the product or solution becomes operational.

It’s also critical to make IoT cybersecurity a team sport, with the responsibility shared among all critical business functions: developers, engineers, marketers, financial types, and, of course, cybersecurity professionals. This is not just the security team’s problem, as your organization will quickly find out when customers revolt after their personal data is compromised through an unmanaged endpoint such as a digital camera or a loading dock portal.

But probably the best advice is to remember that if something can be connected, it can be hacked. And if it can be hacked, it will be hacked.

So, go ahead and innovate around IoT. The upside is too great to stick your head in the sand simply because there are security risks. But remember to pay attention to IoT security now, before your intellectual property is exfiltrated and posted on Wikileaks, or the braking systems on your field service fleet vehicles are disabled.

And remember what Jennifer Steffens tells us about that smart hairbrush.