Security in the Internet of Things

Richard Knowlton, author of Internet of Things

Written by Richard Knowlton, Chairman of Richard Knowlton Associates

There’s no doubt that Internet of Things (IoT) security needs careful thought for all these reasons:

Complexity. We’re talking about extraordinary numbers of individual devices (sensors and actuators), in the tens of billions. The fact that estimates of these numbers vary so widely suggests that nobody really has much idea of how many devices there will be in 2020 or 2030, let alone in 2050. And of course, complexity increases with the fact that the design and build of these devices does not mean that they include any common criteria.

Speed. The IoT is being rolled out at breakneck speed. As one of our speakers commented this morning, using a flight analogy: “the leading edge is always going to be some way ahead of the trailing edge”. This means that we must expect security casualties.

Scale. IoT systems may comprise vast global networks and extensive attack surfaces. And they intersect the virtual, physical and biological worlds.

Security vulnerabilities. We always need to put the needs of the business at the heart of security. But business often does not see security as a priority. Product designers and marketers frequently see security as something that only adds delay, cost and complexity to the brilliant gizmos that they just want to get to market.

Asymmetric threats. We face the ingenuity of hackers who find it all too easy to monetise vulnerabilities, and states who want to use them for other purposes (espionage, influence or even weaponisation).

Impact. When there’s a major incident, we may be talking about scenarios where people will die, or there’s a catastrophic effect on the environment or on daily life.

Can we manage the threats?

An interviewer (a non-specialist, non-security person) asked me the good question that all citizens should be asking, frankly: “can we manage the security of the IoT – or should we be really frightened?”.

I’ve been arguing strongly in recent months that we need a sensible debate about how to balance the enormous benefits of IoT and the digital revolutions, with the undeniable security, safety and privacy problems which they bring.

We are already seeing thoughtful voices questioning whether the digital revolution is going too far and too fast. I’m thinking of columnists like Clare Foges (in the Times, of London) and Izabela Kaminska (in the Financial Times). The question is essentially whether the convenience of smart technology is worth the risk of cyber-attack that it exposes us to.

We live in a world where cyber-attacks are increasingly severe and wide-spread, while connected technology penetrates ever-deeper into the physical – and biological – environment. This means that while we put huge effort into protecting ourselves, we are opening ever more vulnerability. And we cannot simply assume that these vulnerabilities will be designed out over time.

This led Clare Foges to write in January that “blind opposition to progress is foolish. But opposition to blind progress is very sensible.”

Of course, it’s big business that’s driving the fast innovation and it’s impatient with anything that gets in the way of what it sees only as progress (and profit). Jeff Bezos (the founder of Amazon) talks about the need for all of us to be “always leaning into the future”.

It’s clever that this vision of the future merges with the stuff that tech companies want to sell; the implication is that to reject their products is to reject the future.

In my view, we all need to keep any eye on the balance between progress and what we can safely manage. The two may not always go hand in hand.

But to return to the direct question: “can we manage the security of the IoT – or should we be really frightened?”

Well, the obvious answer is that we have no choice – the IoT is here to stay. Its benefits are so overwhelming that we can’t just stop it in its tracks, and we must learn how to manage the risks.

In this context, I strongly support the comment: the IoT does not invalidate all our existing security risk management approaches. We must continue to focus on people, process and technology.

There are bound to be problems as we get our heads around the issues I listed earlier. But just because these problems are hard, it doesn’t mean that they’re impossible. There are many clever people are putting extraordinary effort into resolving these difficult fundamental issues.

We’ll get there – but nobody pretends that it’s going to be easy.

This article was originally published here and was reposted with permission.

Comments are closed.