The Internet of Things brings far-reaching security threats

Bringing new devices online at home and in the enterprise raises a host of security concerns that will require a more hands-on rethinking.

Security pros routinely cite poor cyber hygiene as one of their top concerns. But if they're lying awake at night worried about lazy passwords and software updates going ignored, just think of the headaches that will come once thermostats, pacemakers and just about everything else come online.

When Randy Garrett contemplates the Internet of Things, he sees a colossal security challenge.

Garrett, a program manager at the Defense Advanced Research Projects Agency (DARPA), worries that, in the exuberance to embed sensors in a galaxy of devices and bring them onto the network, backers of the Internet of Things will unwittingly create a virtually limitless set of new threat vectors.

"This is where I think, frankly, we're already in trouble," Garrett said Wednesday at a conference on the Internet of Things. "You might not want to expose those to the big Internet."

He points to an array of security concerns that could arise in a thoroughly networked world. Chief among them is that, as uneven or just plain bad as the habits of PC users may be, many people are at least aware that the threats are out there and will often exercise some restraint by not clicking on spam links or by not setting their password to "password."

Will Ability to Gather Data Trump Security Concerns?

Put another way, people recognize that there are malicious actors out there working to infiltrate their computers and swipe their personal information. But who thinks about their toaster in those terms?

It's not an idle concern. Recall the massive data breach Target sustained last year, exposing millions of the retailer's customers' information, forcing the Target CIO to step down and causing untold damage to the company brand.

The reported culprit? An entry point to the company's most sensitive data assets gained from a contractor who worked on Target's heating and air conditioning systems. "Who thought it was a good idea to connect that to the Internet?" Garrett asks.

Garrett's security concerns notwithstanding, there are strong arguments in favor of networking objects so they can be deployed more efficiently and monitored remotely.

Boosters of the Internet of Things can make a long list of areas where operations and safety could be improved by a networked set of smart devices. Household appliances could modulate their power consumption to avoid peak load times. Sensors placed along railroad lines could relay temperature data that could help preempt track failures. The same could be done for bridges, tunnels and other pieces of the nation's fraying infrastructure.

A pilot project in Rockville, Md., for example, placed 14 sensors into an apartment building that monitor for smoke, heat, carbon monoxide and other potential danger signs, relaying them to a cloud service that dispatches emergency responders if a problem is observed.

Internet of Things Poised to Change (and Challenge) Healthcare, Retail

One of the most enticing applications of a network of far-flung sensors can be found in healthcare, where an entire industry is taking shape to build devices and applications with which patients can engage to monitor glucose levels, blood pressure or heart health, or perform any number of other diagnostic procedures and then relay the information back to a care provider.

"That's a much better set of data in which to diagnose and manage diseases," says Michael Chui, a partner and senior fellow at the McKinsey Global Institute.

Chui acknowledges a host of unknowns, security and otherwise, which arise with bringing physical objects online. Who is named in the lawsuit when two driverless cars are involved in an accident, he wonders.

At least in part, however, he suggests that some challenges, and solutions, could be found in a rethinking of organizations and their traditional roles and processes.

In a retail environment, for instance, the CIO's involvement in store operations might be limited to the cash registers, point-of-sale systems and back-office operations. In a world where mobile payments are a reality and items on the shelf are expected to interact with shoppers' devices, though, the tech team must take a more hands-on role.

"If that's the case, then the people managing IT actually have to touch the merchandise in a way that the store manager never would have wanted before," says Chui, who earlier in his career served as a municipal CIO. Likewise, in the military, he asks: "Does the CIO of the Army have to touch the tanks?"

"It's a tremendous number of organizational challenges when you start integrating the physical world with the virtual world," Chui adds. "You have to change the way you make decisions if you're going to use the Internet of Things effectively."
