The market, not government regulation, will push IoT security to a higher standard, says John Ellis of Ellis & Associates.
Information security professionals still reeling from the latest megabreaches could soon face even bigger problems as demand drives the Internet of Things (IoT) global long before the inevitable competitive shakeout can drive insecure devices from the market.
That's the view of several veteran cybersecurity specialists and attorneys with whom we spoke. The consensus is that in the anything-goes IoT environment, diligent security efforts by major industrial enterprises are undercut by low-cost manufacturers and old-school factory bosses who lack the IT experience to ensure that their internet-connected devices meet even rudimentary cybesecurity requirements.
Eventually, the market, not government regulation, will push IoT security to a higher level, says John Ellis, managing director of Chicago-based Ellis & Associates, a technology firm focusing on IoT in the automotive and other industries.
“We don't have the necessary frameworks in place to allow us to determine our destiny,” says Ellis. As IoT devices generate vast amounts of information, users may assume that IoT data is forgotten when, in fact, it is being funneled into data analytics operations run by vendors or third parties, he adds.
The need to secure internet-connected non-IT devices is not a new issue, of course. Since the 1990s, the U.S. government and private industries – such as defense and energy – have worked to secure critical infrastructure, an effort that gained a new urgency following the Sept. 11, 2001 terrorist attacks. This older internet of – very big and important – things remains a major focus for the Department of Homeland Security, as well as the U.S. Armed Forces and intelligence agencies.
Steve Brumer, partner, 151 Advisors
Marcus Christian, partner, Mayer Brown
John Ellis, managing director, Ellis & Associates
Juanita Koilpillai, CEO, Waverley Labs
Isaac Porche, engineer, RAND Corp.
Thomas Smedinghoff, attorney, Locke Lorde
Of course, the cybersecurity resources and methods allocated to defend the Los Alamos National Laboratory aren't easily mapped onto a camera-equipped refrigerator that tracks your food and uses your home router to ping you with a shopping list. On the contrary, countless IoT devices are rolling out of factories with little more than a chip and a Wi-Fi card that can easily compromise privacy and physical security in the home.
Thus, in 2014, a survey by HP found that 70 percent of IoT devices were unsecure. “ A couple of security concerns on a single device, such as a mobile phone, can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business,” the report concludes. Another study, by IDC, predicted that by the end of 2016, some 90 percent of IoT devices will have suffered a breach, even if they are considered “inconveniences.”
The lack of IoT security was one of the reasons an anonymous computer engineer in Europe launched a popular Twitter account, dubbed IoS – with the “s” standing for an earthy expletive.
What's more, the wave of IoT data generated by everything from home motion sensors to industrial-scale HVAC equipment poses other concerns over privacy – not just protection from hackers, but businesses that are amassing and mining that data to gain a competitive edge.
“There is a big problem with data analytics,” says Steve Brumer (right), an Atlanta-based partner at the consulting group 151 Advisors. “Do I own the data from my car or my Nest [home environmental control] unit?” What's more, smart TVs, from companies like Samsung and LG, route all internet traffic through their domains. “Does that mean they can see everything?”
Whether or not TV makers are using the IoT to play Big Brother, there are plenty of Big Data efforts underway to harvest IoT output and make it profitable. For one, MongoDB, the developer of the popular open source NoSQL database, is positioning itself as a platform for IoT development for those who seek to turn IoT data into a marketing tool.
But a loss of privacy – now commonplace in megabreaches – is only one kind of potential harm from the IoT, says Thomas Smedinghoff an attorney with the Chicago-based law firm Locke Lorde. “The other kind is property damage or personal injury, as when someone hacks into my thermostat,” says Smedinghoff. “My pipes freeze and I have major damage. Or, you hack into my car and cause an accident.”
The law has tended to come down more severely in cases of personal injury, adds Smedinghoff, who spoke on IoT issues at an American Bar Association meeting in March.
“But with IoT, we are at the very beginning of that whole process,” Smedinghoff says. “There is, at one level, the reasonableness standard. If I am selling you an IoT device, what is that device designed to do, and what did I do relative to the risk? What kind of risks does the device raise?”
An IoT device that controls operation of a car is potentially much more serious than an IoT device that maybe turns on a light, he says. “As the risk of harm goes up, you would expect a greater degree of effort. But we have not yet seen that in any case.”
While IoT security breaches pile up and case law slowly takes shape, market forces will likely be the dominant driver of IoT security development, predicts Marcus Christian, a Washington, D.C.-based partner at the Mayer Brown law firm, a member of the firm's Cybersecurity & Data Privacy practice, and a former federal prosecutor.
“As information about cybersecurity threats, vulnerabilities and defensive measures becomes more readily available, market competition will be one of the forces that drives companies' investments in product security,” Christian (left) says. “Regulatory, litigation and other concerns also will continue to influence vendors' decisions.”
For now, IoT cybersecurity challenges mount almost daily. Recent research by Accenture found that the IoT market is constrained by consumer fears about the impact on security, with some 47 percent of respondents citing such concerns.
Nevertheless, the consulting company McKinsey expects that by 2020, some 20 to 30 billion IoT devices will be online. But, for many consumers, that future is now: From smart home environment controls, such as Nest, to the camera-enabled drones for kids, people who are already struggling with establishing basic internet router firewalls must now figure out whether and how to secure multiple devices.
Users may not like that extra burden of IoT security, but it's in their best interests to step up to that challenge, says Juanita Koilpillai, CEO of Virginia-based Waverly Labs, which is developing a software-defined perimeter for clients in the federal government.
IoT security, Koilpillai says, is going to be user- and consumer-driven. “Today, the way IT companies make money is selling you bandwidth,” she notes. “The more connections made to your server, the more they get paid. To cut down on bandwidth, you have secured end-to-end connections secured.”
Some big corporate players are trying to settle the IoT security chaos by imposing their own – proprietary – order. Google, with its Brillo development program, is taking aim at Apple's HomeKit and Amazon's AWS IoT. IBM is angling for the industrial market with its Watson IoT platform. Old-line manufacturers, like Bosch and Ericsson, have their own, business-oriented offerings as well. Lowe's, the home supply chain, has sought to rally its suppliers to support the Iris smart home platform for IoT. There are, of course, many smaller players, involved, as well.
The presence of manufacturing and software titans in the IoT space may offer consumers assurance that some of the world's biggest companies are bringing cybersecurity heft to the IoT world. But the security picture will remain complex for some time to come given that makers of IoT products and consumers alike will be forced to choose between rival development platforms and device ecosystems. And there are already countless Wi-Fi-enabled products that are now, or soon will be, on the market before the new platforms impact development.
That puts a big burden on IoT vendors to police themselves, says Brumer of 151 Advisors. “Traditionally, our industry has been good at doing self-regulation, like that CTIA [a wireless association] does in the mobile space, and by going after IEEE [Institute of Electrical and Electronics Engineers] standards,” he says. “
For now, third parties could also step in to provide an independent assessment of cybersecurity capabilities of IoT devices. For one, UL (formerly known as Underwriters Laboratories), works with its customers to validate cybersecurity for IoT products.
But just who exactly is building cybersecurity capabilities that can cope with an IoT world? The IT security labor shortage already hamstrings efforts by big corporations and government entities, and the rapid proliferation of IoT will further strain resources as the growing risk puts pressure not only on consumers, but business and government too.
Another complicating factor in cybersecurity generally and in IoT security in particular is the push toward faster software development methods, such as DevOps, which put a premium on speed at the expense of security architecture, says Koilpillai. “You need to build in that kind of security from the start,” she says.
But the biggest problem with developing IoT security isn't a lack of qualified personnel, but the inherent challenges of integrating the physical world and cyberspace, according to Isaac Porche, a Pittsburgh-based senior engineer at the RAND Corporation.
“Even if [IoT] cybersecurity is considered and required, it is not certain that we as a community can anticipate the vulnerabilities that will inevitably be discovered and exploited,” he says. “It is not clear that all IoT devices (cars included) will be connected in such a way that regular patches and updates can be applied, the way our browsers/laptops/OSs are updated.”
There is a whole science to cybersecurity of cyber-physical systems that is just not mature, he adds.
Further, DIY software and low-cost cloud development platforms will keep luring manufacturers into IoT, potentially even compromising the ecosystems created by the dominant players, says Ellis.
“The problem is that anybody can build software now,” he says. “That has opened the IoT world to a lot of people without formal training and to companies without proper oversight.”
Device manufacturers don't realize that when they ship IoT products, they've suddenly become software companies and can no longer “ship and forget” their output, he says. “The minute you put sensors on your product, you are a software company.”
But it would be a fallacy to suggest that more resources will automatically lead to sufficient IoT cybersecurity, Ellis says. Target, he points out, is a multi-billion dollar organization with the means to train and purchase the best of the best, but that failed to prevent its megabreach of 2013. “But still, behaviorally they got it wrong. So how do we expect the moms and pops get it right?”
Eventually, cloud computing platforms could provide the means to build secure IoT environments, replacing the simple, open Wi-Fi connections used in many devices. But the journey is unlikely to be smooth, says Brumer. “Eventually we are going to have to have some kind of IoT standards that relate to security, just like what happened with Wi-Fi,” he says. “We are going to have to have an extended period of self-regulation – until something catastrophic happens and the world knows about it.”