The Internet of Things – sometimes called the Internet of Everything – was over the horizon for a long time, but now it is finally coming into view as IP connectivity is extended to a larger number and greater variety of devices. Networked home appliances (e.g., thermostats) and embedded sensors in settings like retail stores are just a few examples of what shape the IoE is taking. Tens of billions of devices may be added to it by the end of this decade.
The Internet of Everything: Examples of what could be at risk
However, for now the IoE still seems like a high risk/high reward proposition. That is, the reward of potentially automating many processes – say, using real-time data to optimize processes at manufacturing facilities or water treatment plants – comes with the considerable risk of having to secure many new devices and assuage concerns about the privacy of solutions like automated home systems.
“Recent high-profile media reports of hacks into smart baby monitors and connected cars, whether valid or not, have heightened consumer concerns over privacy and security for connected home systems,” stated Tom Kerber of Parks Associates. “Companies need to move quickly to reinforce the security of their solutions as well as ensure the consumer’s right to privacy.”
Numbers seem to back up this ambivalence. A report from Parks Associates found that almost half of Americans with broadband are concerned about what the IoE could mean for data privacy. Plus, as a recent Trend Micro blog post pointed out, the IoE has given legs to the previously theoretical notion of constant unwanted surveillance of an enterprise’s activities.
For example, imagine a closed-door meeting in a room where several connected devices – anything from a wearable to a sensor – were present. Company data could be at risk if the devices in question:
- Were not updated to the most recent software/firmware versions, or were unpatched
- Had audio and video capabilities that could be hijacked for surveillance of the meeting
- Had been compromised as part of a social engineering or phishing campaign
In a way, the dangers facing data, devices and people in the IoE are similar to those that have long existed with PCs, phones and other devices: namely malware, unauthorized access and surveillance. The difference is not in type but in scale. The IoE’s name is instructive here, since its constituent parts are bound to be everywhere and, as such, pose a broad challenge for enterprise security teams more accustomed to well-demarcated networks and relatively few devices.
Can the Internet of Everything still be secured?
The scope of the emerging IoE has invited questions about the feasibility of securing it all, similar to the topic of a recent webinar hosted by Ayla CTO Adrian Caceres (“Securing the Internet of Things: An Impossible Task?”). The depth of the security challenge has also led other commentators, like Mike Elgan, to argue that cyber security could prevent the IoE from ever actually materializing in any appreciable way.
More specifically, think about how difficult it is to address a bug like last year’s blockbuster Shellshock, which the National Institute of Standards and Technology gave a 10/10 rating in terms of severity, in the IoE. Many servers and PCs were vulnerable to the exploit – which had been open for more than 20 years – because they ran Linux- or Unix-based operating systems, but these weaknesses could be reliably fixed through prompt patching.
Many of the IoE’s devices were not and will not be patched. They may be too simple, already abandoned/outdated or not prioritized for receiving updates. Their sheer numbers also complicate any attempt at containing all or at least most instances of an exploit.
The complexity of ensuring network and mobile cyber security throughout the IoE is compounded by a lack of interoperability standards across IoE infrastructure. Whereas PCs and servers, despite some important differences from one model to the next, are broadly similar, IoE devices run the gamut from a sensor in a truck bed to a home smoke alarm. They may both use TCP/IP, but the similarities may not go much further.
It’s easy to take these challenges into account and think that the IoE could end up being limited in its actual benefits to enterprises, which could become beholden to a particular set of proprietary standards rather than broad interoperability. That was Elgan’s outlook, and it’s worth keeping in mind as a possible outcome if cyber security isn’t re-conceived for the IoE.
The newness of the IoE – it’s hardly well established at this point – is still an opportunity to get security right. Enterprises should use a combination of security software, training and BYOD and access policies to create a foundation for solid communication and awareness of relevant threats.