The information and knowledge generated by the millions of devices on the Internet of Things are creating a kind of data exhaust that could give rise to security challenges, a panel told attendees Tuesday during an SC Congress New York keynote address.
“What data are the sensors around you collecting and where are they stored?” asked Marcus Sachs, chief security officer (CSO) at North American Electric Reliability Corp. “What inform does [a device] have about you and itself?”
Panelist Becky Bace, chief strategist, University of South Alabama, said the rise of data exhaust was analogous to the exhaust generated by hotrod lovers who she grew up with in the Deep South. “They could do anything with a car engine,” soup it up to roar and speed, she said, but she “never heard them mention anything about ramifications [of those modifications] on car exhaust.”
Despite trailing behind the blaze of devices and apps sweeping across the planet, the industry still has time to secure the IoT. “I don't think its too late yet,” Nick Belov, vice president of information security at Bank of Tokyo-Mitsubishi UFJ, told the crowd. “But if we lose traction now” security could remain elusive.
The panelists noted that the industry is moving toward standards or a framework for IoT, but warned against locking things down until everyone is doing everything the same way.
“If you try to standardize too much you create a fragile system…it will shatter like a crystal,” said Sachs. “You build resilience in by having people doing things slightly different.” That's an argument for developing a framework more than standards, he said.
While lawmakers have come under heat for dragging its feet on cyber legislation, Bace noted that it might be beneficial that it takes a long time for legislation to wend its way through congress. “We should be grateful” that bills are mulled before they pass,” she said, adding that it is difficult to undo a law after it's passed. “Standards same thing. You want to shake them out and shake them out thoroughly.”
The experts also contended that IoT will become more secure as a result of a natural selection of sorts.
“The backlash is really important; it's not impeding progress,” said Belov. “We'll weed out devices we really don't like. Natural selection.”
Sachs said he expects that ultimately “companies will recognize they're producing something insecure like producing something that's unsafe” and they'll make security a primary focus to avoid tarnishing their reputations and being liable for resulting breaches.