Blog Date: 11/21/2016
Author: Ray Coulombe

While attending SIA’s October Securing New Ground Conference, I was asked to moderate a session on the Internet of Things. Not quite sure what that means? Well, do you have a pacemaker? How about a DVR? The Internet of Things (IoT) refers to the billions of connected devices in our world—some say up to 200 billion devices will be connected by 2020.

But what does this mean for our future? First, some new startups don’t think information stored on devices is as sensitive as information stored on standard computers, so security isn’t applied in the same ways. Also, investors don’t seem to care too much about security, as they’re more interested in the functionality of the product. This type of misguided thinking is what leads to major hacks and data breaches, because yes, all connected devices represent some sort of security vulnerability.

For starters, get used to hearing the term “DDoS” or a Distributed Denial of Service attack. This means that infected devices will be recruited as part of botnets that will shut down websites by receiving huge amounts of traffic. Any connected device is susceptible to this kind of attack.

While some efforts to address the security issues of these new devices are being initiated—like a labeling system for IoT devices that are approved and secure—millions (or billions) of devices will be deployed in an unsecure state.

So, do we ignore the potential opportunities and benefits that the IoT provides? It’s almost a moot point, as the train has already left the station.

Instead, security leaders should recognize the full potential threat environment faced by their customers by surveying the array of connected devices. Procedures for determining whether these devices should even be connected represent an important piece to protection, since the most innocuous IoT devices (e.g., a refrigerator) may pose the biggest risks. Secure security passwords should be mandated, even inherent, for all devices. And organizations should be sensitized to the threat and should commit to incorporating proper device deployment and configuration into their standard security operating procedures.

For those who develop and market connected devices, Rodney Thayer of Smithee, Spelvin, Agnew & Plinge offers, "Without sound engineering, the Internet of Things becomes the Internet of Trouble. It's not necessarily that we need new ideas, but we must address the gaps in practicing the engineering and deployment techniques we already know work. Vendors are cutting corners on software and protocol engineering, and at IoT-scale this can have disastrous results."

Back to Blog List