Feature Story

Securing the Internet of Things

by Laurence Cruz

A look at what the Internet of Things is making possible, and the security concerns that have some experts on guard.

First, the good news: The Internet of Things is here, and with it vast quantities of convenience, pleasure and benefits. And the bad news? The Internet of Things is here, and with it a variety of security concerns.

Apparently, both types of news are true. On the upside, things like pervasive sensor networks promise a brave new world of helpful applications, from smart lighting and heating systems in buildings; to self-powered street lights that will talk to each other, raise lighting levels when needed and monitor traffic flows; to vests embedded with micro-sensors that will monitor heart rates and other vital signs. Adding even more value and relevance to networked connections is the Internet of Everything—the next phase of the Internet of Things—which will bring together people and process as well as things.

But it’s the negative stuff that keeps renowned security technologist and author Bruce Schneier awake at night. For example, he says, there’s always a danger that sensor networks can fall into the wrong hands—a danger that’s magnified when the network directly manages the physical world through machine-to-machine (M2M) communication.

“Certainly any time you have something autonomous or semi-autonomous, you should worry about who controls it,” says Schneier, whose latest book, Liars and Outliers, focuses on the trust he says societies need to thrive. “We have to assume that companies will adhere to any rules.”

But even if everyone plays by the rules—whatever those are—Schneier says securing these networks is inherently difficult. “What are the odds that any of these sensors will be secure?” he asks. “There has not been a piece of software written by human beings that is perfectly secure. We patch everything. Why will this be any different? And the more the software interfaces with our actual lives, the more physical danger there is.”

Not All Data Are Created Equal

For James Brehm, a senior strategist with San Antonio, Texas-based Compass Intelligence, a decision analytics research and consulting firm, security concerns over the Internet of Things depend not on the quantity of data traversing networks or the number of connected endpoints, but on the value of the data.

“Absolutely, there are going to be unprecedented security challenges,” Brehm says. “But most of the threats aren’t going to be mission-critical.”

For example, hacking a few sensors buried along the U.S.-Mexican border designed to alert authorities to the presence of illegal immigrants is one thing; but hacking a sensor connected to a cooler carrying a heart or kidney to a transplant patient is quite another.

“It’s very important that organizations take a look at what matters and what doesn’t matter regarding what’s secure and what’s not secure,” Brehm says. “There are going to be mountains of pedestrian stuff that isn’t going to matter very much either way.”

A Farewell to Privacy?

That said, even mountains of innocuous-seeming data can give cause for concern if aggregated and analyzed in certain ways, Brehm says. “Somewhere down the road that data is going to get contextual and I’m going to care about it,” he says. “Is there potential for misuse or is it pretty harmless?”

Of course, data analytics is nothing new, enabling organizations today to glean unprecedented insights into people’s shopping habits, lifestyles, political persuasions and more. But imagine how this ability will be magnified a decade from now, when cities will be swathed in dense fabrics of sensors and “actuators”—things, such as switches, that cause a physical change in an environment—embedded in nearly everything we see, touch and feel. By one estimate, the M2M market will expand to 24 billion smart sensors and connected devices by 2020, and will be worth US$1.2 trillion.

For Schneier, the privacy implications of this are troubling. Interestingly, it’s the legitimate users of these networks that worry him more than the criminal element.

“When you have the Internet embedded in things, that’s effectively more sensors that connect the Internet with the real world, and there’s a lot of very personal information that will be collected from that,” he says.

Black Swan Events, Standards and Regulation

Of course, with so many unknowns, there is always the possibility that useful Internet of Things solutions could blend to cause or accelerate catastrophic failures that are unexpected but obvious in hindsight. These so-called black swan events might include the power grid going down, for example. But both Schneier and Brehm say there’s little point in speculating about such random, unknowable events when there’s so much in the knowable future to think about.

Brehm says securing critical infrastructure like the power grid will require a balance of openness and built-in redundancy and fail-over mechanisms—much as it requires today. Standards, too, will play a role, he says.

“But we’re not going to ever come to one common standard for the Internet of Things,” Brehm says, adding he expects a small handful of standards will emerge over several years based on best practices. Neither does he believe the security challenges of the Internet of Things can be legislated away. “Regulation tends to make things take longer, cost more and be less innovative than letting people try to figure things out,” he says.

Some have suggested there may be a role for the private sector to step in and regulate the Internet of Things, as it did in the area of payment card industry (PCI) compliance. But Schneier, for one, is convinced that won’t happen.

“The only reason PCI works is that there’s a financial incentive to do it against fraud,” he says, adding that’s not the case with the Internet of Things. “It is rare that you get the incentives to align properly for self-regulation.”

For Brehm, the best-case scenario is that we will reach agreement on open standards that support an all-IP (Internet Protocol) network that will be access agnostic (wireless, wireline, cellular, Wi-Fi, ZigBee, Z-wave, Bluetooth, etc.) and will consist of private clouds, public clouds, hybrid clouds, private networks and so on.

“And the worst case is that we will worry too much and do too little,” Brehm says.


The contents or opinions in this feature are independent and may not necessarily represent the views of Cisco. They are offered in an effort to encourage continuing conversations on a broad range of innovative technology subjects. We welcome your comments and engagement.

We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.