You might argue that a humble Coke machine gave birth to the concept of the Internet of Things in 1982.
That machine, modified at Carnegie Mellon University to remotely report inventory levels and beverage temperatures, was probably viewed then as a helpful but not particularly revolutionary invention. But it spawned one of today’s hottest new trends in technology: the Internet of Things (IoT).
IoT has the potential to transform daily life. Tens of billions of devices have embedded electronic sensors, software, and network connectivity that enable them to collect and exchange data. Soon to be ubiquitous in factories and retail environments, in vehicles, homes, and offices, in municipalities and even on our bodies, the IoT offers unprecedented access to information, resulting in improved efficiency, accuracy, and economic benefits.
Kicking the Machine? Not Quite.
Ah, remember the analog world! If that soft-drink machine swallowed your money, the accepted technical protocol was a swift kick. Or whacking it with your hand in frustration. (Sometimes, it even worked!) A different age.
Machines equipped for the Internet of Things have a different problem. The proliferation of data unleashed by the advent of these networked machines creates security vulnerabilities.
Remember how smart-meters for electrical service were getting hacked by users who were wise to the devices’ lack of an internal security architecture? Customers in the know could snatch power without paying for it. They could learn online how to hack into the meters with electronic equipment they could easily buy at Radio Shack or on eBay, or they’d simply use large magnets to alter how the machines interpreted data flows—in particular in the evenings when there was no likelihood of machines being monitored.
It’s frustrating to learn about these types of workarounds—and the myriad ways people find to cheat. But the risk today is far more ominous.
On December 1, 2015, The New York Times reported on a security breach of Hong Kong-based educational toymaker VTech, whose tablet products aimed at children link to its online store, Learning Lodge. Notes Times reporter Daniel Victor, the hack of Learning Lodge put “the personal information of five million people, including children, at risk. … Hackers were able to retrieve adults’ profile information, including names, email addresses and passwords. They also obtained secret questions and answers for password retrieval, I.P. addresses, mailing addresses and download histories.”
Added Victor, “The compromised database also contained the names, gender and birth dates of children, which was a bigger concern to security researchers.” It’s scary stuff when children’s privacy is at stake.
So how can parents know when a so-called “smart” device is doing a dumb thing?
Making Smart Safe: An Imperative
Data leakage is the primary security concern for enterprises, and rightly so. Managing data risk is a challenge since IoT devices and their ecosystem have not evolved in line with today’s enterprise security concerns and systems. And hackers are doing much more than kicking the machine.
IoT devices are often designed by engineers who don’t have a security background since these devices have not historically been the targets of cyber attacks. They’re mass-produced and often similarly configured, so if a vulnerability is exposed, criminals can easily carry out large-scale attacks.
Devices also rely on basic authentication mechanisms and security protocols that are not recognized and protected by enterprise security tools, such as firewalls. And these devices are built to last a long time, even though new threats are constantly evolving. Despite their connectivity, updating IoT devices with security patches or upgrades is challenging, since they’re designed for efficiency and longevity and have minimal computing and storage capacity.
The risks get more complex. When embedded devices are mobile or deployed in the field, they may be connected to a network with none of the protections available in the user’s typical corporate environment. The IT department may not even be aware of all its organization’s connected devices, the so-called “shadow IoT” of unauthorized or unapproved devices deployed by employees in the workplace. Moreover, enterprise security systems are typically multi-layered and have multiple components. Often, they’re designed to accommodate PCs and servers that won’t even run on IoT devices. These too need to be adapted to embrace the IoT ecosystem, and there’s significant opportunity for doing so.
An engineering student looking for an ice-cold Coca-Cola in 1982 likely couldn’t fathom the potential of the nascent IoT. We’re heading towards an even more, hyper-connected world than we can imagine in 1982, and enterprise security must adapt. The integrity of our financial markets, food supply, traffic safety, physical health systems and even national defense is at stake. And security by design is far more effective than security as an afterthought.
There’s no shortage of ways to get started, and in succeeding posts, I’ll offer some. If you’d like to join the conversation, please connect with me here.