Get all the news you need about Smart Buildings with the Memoori newsletter
There seems little doubt about it anymore; the Internet of Things (IoT) age is upon us. Predictions for IoT growth and adoption, from the world’s biggest economic analysis agencies, range from huge to incredibly huge. Yet we are still to agree on a suitable formula to make the IoT secure from cyber attack, and if this issue is not resolved soon, it could be too late to avoid catastrophe.
Bain calculates that by 2020 annual revenues could exceed $470B for the IoT vendors selling the hardware, software and comprehensive solutions. General Electric estimates investment in the Industrial Internet of Things (IIoT) will top $60 trillion during the next 15 years. IHS forecasts that the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025.
“As vendors scramble for their share of the market, they cut corners or completely ignore cyber security, exposing the rest of us to identity theft, internet downtime and privacy breaches. Some military cyber security experts believe that IoT botnets could be used as weapons, even triggering a distributed denial-of-service (DDoS) arms race,” says George Corser, Assistant Professor of Computer Science and Information Systems, Saginaw Valley State University.
The competitive nature of the IoT market might be driving growth but makes the cyber security situation much worse. With price sensitivity so tight, cyber security considerations are often being neglected. The un-cyber-security-educated consumer is trying to justify return on investment from IoT devices with complex return characteristics, they are therefore focused on getting the lowest price to functionality ratio. This leads vendors to neglect security while striving for profit and market share.
“To add IoT to, say, utility meters, vending machines and smart-building sensors, the hardware must be as inexpensive as possible. That’s typically achieved by putting just enough memory and processing power into the IoT module for it to perform its tasks, with little or no resources left to support traditional cyber security tools such as anti-malware software,” explains Corser.
It is situations like this that have and will create some of the biggest and most dangerous cyber attacks in history, and these attacks not only affect the consumers and vendors at fault, they can affect anyone or everyone. In October 2016, hijacked IoT devices were used to bombard the DNS service Dyn with requests that ultimately brought the service down, along with its clients, Twitter, Spotify, and Reddit among others.
“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” tweeted Jeff Jarmoc, head of security for global business service Salesforce, referring to seemingly insignificant connected devices bringing down the internet.
In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.
— Jeff Jarmoc ?? (@jjarmoc) October 22, 2016
With up-to-date security patches we can be much safer, but again, this is being neglected. Firstly we can’t depend on the un-cyber-security-educated consumer to upgrade their firmware; these are building or car owners who never had to think about cyber security for this kind of physical asset.
Secondly, the vendors are new to this too. “The people who bring connected children’s toy to market are the same people who bring normal children’s toys to market. They are not taking the dangers of connectivity into account, in fact they don’t even know what questions to ask,” Kaspersky’s David Emm told Memoori in an interview in June.
Thirdly, the low-cost requirement of the IoT means slim profit margins, hence little financial incentive for vendors to continue developing patches years after they sold the device. “Cars and utility meters are two examples of products that typically remain in use for at least a decade. How many of their IoT modules will be orphaned as their vendors stop supporting them, go out of business or are acquired?” asks Corser.
Take humans out of the equation, in fully automated systems that include automatic updates and you remove a layer of defence, as a human at the wheel could notice when things aren’t as they should be. While ensuring a human layer opens us up to human error or unexpected attack vectors. The fact that PINs and passwords can be derived from the minute hand movements of someone wearing a fitness tracker wristband while typing, demonstrates the scale of the cyber security problem.
“IoT requires a different approach to security. That’s why the IEEE Internet Initiative recently published a white paper with a set of best practices that anyone can use to improve the security of IoT applications. Available as a free download from the IEEE Internet Initiative, these best practices are applicable to any IoT application, regardless of the industry or whether it’s autonomous. IEEE will host a related webinar, “IoT Security Best Practices,” on Sept. 27, with a recording available soon after.”