IoT Security: Fundamentally Flawed?

Rules for corporate survival:

  1. Assume good intentions when collaborating with colleagues in order to promote a healthy work environment.
  2. Assume inherent security flaws when dealing with anything connected to a network in order to ensure a secure work environment.

Article by Debra Donston-Miller in Forbes.
Emphasis in red added by me.
Brian Wood, VP Marketing

The Internet Of Things Poses New Security Challenges

If you thought bugs, viruses and phishing schemes were tough on security, you ain’t seen nothin’ yet. Your business will soon be faced with a new, even more formidable foe: The Internet of Things.
When it comes to security, businesses have had to make some significant shifts with the advent of new technologies and computing paradigms. Twenty years ago, security was like an M&M or Tootsie Pop–it was all about securing enterprise networks and endpoints (the soft center) behind the network perimeter (the hard shell). In the last 10 years, laptops and mobile phones have slowly chipped away at that protection. Most recently, personally owned devices used for business have posed problems that were once unthinkable. Enterprise IT managers have risen to each and every one of these challenges, developing policy and applying technology to help mitigate risks as they arise.
But the newest hurdle may be the toughest one of all to clear. Forget about networked printers and iPhones. What do you do when the coffee maker and refrigerator in the break room come equipped with hidden spambots and wifi access? Researchers have already hacked a building control system at Google’s Australia office. Does that make you think twice about installing a Nest thermostat on your premises? What happens when workers’ watches and glasses—even their suit coats and dress shoes–are connected to the Net? That’s the Internet of Things—the “network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment,” according to Gartner–and it is expected to be the greatest challenge facing organizations during the next decade.
“Now, it is still early when it comes to the Internet of Things, but it is clear that change is afoot,” said Edith Ramirez, chairwoman of the Federal Trade Commission, at the FTC’s November Internet of Things workshop. “Five years ago, for the first time, more things than people connected to the Internet.”
Ramirez said it is estimated that 25 billion things will be hooked up to the Internet by 2015. In 2020, that number will double.
The risks of IoT at work
There are many potential benefits to the Internet of Things. Automated inventory and climate control are two of the oft-mentioned advantages.
But there are also many potential risks, for individuals and consumers alike. According to the InfoSec Institute, privacy implications include unlawful surveillance, active intrusion in private life and data profiling.
For businesses, one of the biggest concerns is data compromise.
“In particular, expect [the Internet of Things] to challenge your conception of cyber security and your ability to deliver it in IoT-enabled digital networks, your commercial operations, and your partner ecosystems,” states a Harvard Business Review blog post written by Christopher J. Rezendes, president of INEX Advisors, a consultancy focused on the Internet of Things, and David Stephenson, author of SmartStuff: An Introduction to the Internet of Things. “Paradoxically, the very principle that makes the IoT so powerful — the potential to share data instantly with everyone and everything (every authorized entity, that is) — creates a huge cyber security threat.”
The challenges are big, but surmountable — only if IT and business managers start working together now to develop a plan. In another Harvard Business Review blog post, Chris Clearfield, a principal at consulting firm SystemLogic, noted that it will all have to start with the manufacturers of devices: They will have to place a new priority on security, said Clearfield, including:
1. Applying existing systems engineering tools to security threats.
2. Training engineers to incorporate security into products by using modular hardware and software designs.
3. Using existing, open security standards where possible.
4. Encouraging a skeptical culture.
“Companies should encourage a skeptical culture in which intellectually diverse groups from different product teams review one another’s designs and give feedback about flaws, including those that affect security,” he said. “One particularly useful approach is to designate internal specialists or external experts as devil’s advocates and make it their job to independently review, test, and try to break existing systems.”
Healthy skepticism will conquer IoT
That level of skepticism–or suspicion–should be applied at organizations from all industries, not just the makers of the “things” in the Internet of Things.
Indeed, Clearfield said companies must start paying closer attention to the different ways devices could be leveraged as a mode of attack.
While manufacturers must work to incorporate security into their devices from the ground up, organizations should not blindly assume that Internet-enabled devices are safe. It will be important for companies not only to be aware of any Internet-connected devices in the organization–from Google Glass to the new thermostat–but also to examine how these devices work and interact with each other, especially in terms of data transport.
Companies will also need to think about their own investments in IoT, including ownership and control of data.
“As a business investing in the IoT you’ll need to establish new standards of construct (that is, the technologies to secure the IoT) and new standards of conduct (the policies to secure the IoT),” said Rezendes and Stephenson in their Harvard Business Review blog.
The Internet of Things is a work in progress–one that companies must be out in front of in order to both benefit and stay protected from the technology.