Some 96 percent of information technology professionals anticipate that security attacks involving the internet-connected devices in our lives will rise this year, a survey from TripWire in Portland, Ore., states. More than half of the professionals surveyed say they are not prepared for cyberattacks involving what is known as the internet of things.
There are some 6 billion to 8 billion computing devices of various sorts—from baby dolls and thermostats to wireless infusion pumps and public utilities systems—connected to the internet. This would-be network of devices, the IoT, offers countless means of convenience and utility for users, but also presents broad opportunities for hackers with nefarious ends in mind.
The problem becomes clearer as companies bring their wares to market with no security whatsoever, said Tom Patterson, vice president and general manager of Unisys Global Security.
“Everyone has to take security seriously,” he said.
Unisys is helping big corporations segment off their IT and employ advanced security products and strategies, Patterson said. He is seeing more items—such as auto components like the controller area network bus that allow devices in cars to communicate—being designed with security in mind. Still, not everyone is working together to build greater security into products overall, and Patterson said he would like to see more cooperation.
Firms like GrammaTech Inc. in Ithaca, Tompkins County, conduct extensive research into software assurance and cybersecurity for governmental agencies such as the Army, Navy, Defense Advanced Research Projects Agency and Department of Homeland Security, as well as critical infrastructure, power grids and water supply operations.
GrammaTech develops tools for software developers to prevent or minimize the impact of hacks, said Mark Hermeling, senior director of sales and marketing.
“We see great interest in these capabilities,” Hermeling said.
Building secure products for the IoT, particularly items that are highly price-sensitive such as webcams or doorbells, is a challenge. It is likely to take more resources to develop a more secure, complex device, and that “costs money, and people don’t like that,” Hermeling said. Adding extra levels of security to connected devices can also result in reduced functionality or ease of use.
Paul Robinson, cybersecurity solutions adviser for GreyCastle Security LLC, sees IoT as a positive development.
“I think we doom and gloom around security around the internet of things too much and we don’t give credence to the fact that these are technologies and goods and services that can make our lives a lot easier…with that being said there has to be security and safety that’s built inside of it,” he said.
Another issue is that tech moves fast.
Every piece of technology brought into a business should be thought of in a security mindset, Robinson said.
“The real concern that I see is that we’re producing these technologies and products and services so fast and not giving any credence to security that it’s leaving a lot of different vulnerabilities out there,” he said. “(Companies have to) make sure that when you introduce these technologies that there’s some understanding of the security on the technology that you are implementing.”
“What you consider to be safe today may no longer be safe tomorrow,” Hermeling said.
Still, outcry from the public to mitigate cybersecurity risks from IoT is likely to keep growing as the public becomes aware of their vulnerabilities.
No one-size fits all
In general, larger, well-established corporations and industrial concerns are better prepared and have more resources to tackle issues of cybersecurity related to the products they sell or use. Hard-charging startups seeking to be first to market tend to take fewer precautions, said Katerina Megas, program manager for IoT cybersecurity at the National Institute of Standards and Technology.
Devices themselves may prove to be more or less vulnerable depending on the context in which they’re used. Some devices may only be connected intermittently to the internet, for example, and it is precisely this broad spectrum of players and products that likely will hamper efforts to find a one-size-fits-all security solution to IoT, Megas said.
“We’re going to have to figure out how to accommodate different drivers and barriers, and they may not be the same,” she said.
Physical security and virtual security are not on the same level of intensity, Robinson said. There is a need for companies to view their virtual security in as serious a way as they would the firm’s physical property and the safety of the company’s employees.
“There’s some really dark seedy portions of the internet that you should not be on because they’re just full of humans and technology that are looking to destroy your life,” he said. “It’s just one of those things where we have to start using the same precautions in the virtual world that we do in the physical.
“These are the things we won’t do in the human world yet we’re so quick to do it in the virtual world (with) password sharing and sharing bank information and going to these websites that are so dangerous.”
The national institute’s research into cybersecurity in the cloud, the fog (networking that supports IoT) and multiple-instruction, single-data systems also applies to IoT, as do its efforts with lightweight cryptography. The institute constantly seeks the input of industry and organizational partners to discover the latest best practices and offers a voluntary cybersecurity framework for businesses and other entities to deal with the issue. In mid-May, it convened a working group to discuss IoT.
But work in this area is still in the early stages, as is a comprehensive approach to the issue, Megas said.
In the near term, prices for connected devices or other products that contain them will have to increase, at least a little, to add extra security features as industry awareness rises, GrammaTech’s Hermeling predicted. And demand should also continue to grow.
“The move forward is inevitable, because people want more convenience,” he said.
Today IoT technology is a major draw for companies.
“There is some cost value to it but I just also think that people are just enthralled by technology,” GreyCastle’s Robinson said. “I think they love the fact that they can go on their phone and hit a couple of buttons on their application and change the thermostat, or they have these devices that can talk back to the mothership.”
The problem is thinking of security for things that never needed security before like light bulbs or thermostats, he said.
“People that have laptops, and even desktops at this point, when they shut down for the day—and Windows says they have an update to do—they just bypass it. That device is vulnerable,” he said. “So if we can’t provide proper security hygiene to our everyday computer that has customer information, how are we going to expect people to do the same with a light bulb or a vending machine or your home security system?”
Hermeling said one possibility for better security of IoT could involve a monitoring capability for software or hardware that would provide notice of breaches or unusual activity.
But firms that fail to consider security for their products in the beginning could end up paying a large reputational price if they are victim to a malicious hack and become the object of the latest viral news story, Unisys’ Patterson said.
“The benefits far outweigh the increased costs,” he said. “Retrofitting it is expensive.”
Patterson sees encryption as one of the easiest and most affordable security tools when you go to the cloud. Breakthrough technologies, such as blockchain, will vastly increase the efficiency of connected devices in cars and other devices, because it also allows for peer-to-peer IoT security. Regardless of the method, some companies will distinguish their wares from competitors by making their security efforts a key part of their brand for consumers who will “vote with their pocketbooks,” he said.
(c) 2017 Rochester Business Journal.