By Robert Westervelt

Privacy and safety concerns associated with the billions of connected devices known as the Internet of Things could prompt some innovative approaches to data protection, attack prevention and antifraud measures.

But as state and federal regulators in the U.S. mull over whether restrictions are required, it is becoming increasingly clear that security solutions may be applied differently to address certain industry vertical complexities.

Security researchers have demonstrated the ability to exploit weaknesses associated with automobile systems and remotely gain complete control of an automobile. Similar research has identified software coding errors in other critical embedded systems that control traffic signal timing and operations; building ventilation, lighting and power systems; and insulin pumps, pacemakers and other healthcare devices.

Software weaknesses are everywhere and will grow significantly as tiny, embedded systems that control sensors and collect data become ubiquitous. IDC projects that there will be 30 billion of these “Internet of Things” devices by 2020.

The IoT discussion can be applied to a myriad of use cases. Some recent examples include an Internet-enabled toaster oven or Google’s Nest thermostat that a homeowner can control and monitor using a smartphone app.

But these tiny embedded systems are also used to monitor and control the temperature of curling irons or the internal computers in cash registers and vending machines. Militaries use them to control munitions, missile systems and drones.

The risk of attack is everywhere and it is right to have a discussion about the security risks associated with some use cases where public safety is at risk.

I share the concern that the U.S. election cycle could fuel fear mongering from presidential candidates advocating the need to take dire actions to address a catastrophic scenario caused by a cyberattack against these so-called “smart” devices.

The fact of the matter is that a cyberattack could bring down the electric grid, the stock market or air traffic control systems. But as recent history has demonstrated, there is a greater chance that a software glitch or human error can contribute to an outage. Consider the Northeast blackout of 2003 that impacted more than 50 million people in the U.S. and Canada.

Overgrown trees are said to have hit transmission lines to cause a power surge. But it was a software vulnerability that kept an alarm from triggering, an alarm that would have let human operators quickly isolate the problem.

As embedded systems make their way into everyday items, the discussion about security, privacy and broader public safety issues will have to be addressed by each use case. Building security into the foundation of IoT device firmware, following other fundamental secure software development methodologies, and applying data security best practices are essential parts of mitigating IoT security risks, but innovative approaches may need to be developed for certain industry-specific complexities.

Manufacturers need to measure the risks posed by their IoT devices to gauge the impact on public safety and consumer privacy. Risk mitigation measures may require secure software development best practices and standard embedded system security approaches. Emerging next-generation anti-malware defenses may be evaluated for effectiveness on a small scale.

Data collection and retention require security controls on the back-end, where standard security solutions can be applied to support business intelligence initiatives.


Robert Westervelt is a Research Manager within IDC’s Security Products group. He provides insight and thought leadership in the areas of cloud security, mobile security, and security related to the Internet of Things (IoT). Rob is also responsible for research and analysis around a wide range of evolving security markets, including endpoint security, security and vulnerability management (SVM), and identity and access management (IAM).

Prior to joining IDC, Rob was senior editor at The Channel Company where he led the information security news coverage, reporting on threats, vulnerabilities and technology trends impacting the security market for CRN. He also served as news director for TechTarget’s information security publications, where he coordinated coverage of security topics and industry conferences. Additionally, he managed the news coverage and direction of Information Security magazine, where he produced podcasts, videos and other multimedia to support engaging technology packages for chief information security officers and other IT security professionals.

Rob holds a degree in journalism from the University of Connecticut, and also served in the U.S. Air Force.

You can also check out Malwarebytes CEO Marcin Kleczynski interview Rob Westervelt below: