The internet of things — the internetworking of everyday physical objects — is all around us. Every day our cars, homes, offices and even our bodies through things like medical devices are becoming more and more connected.
At a recent event in Cleveland, security expert Bruce Schneier observed that companies are deploying three kinds of internet-connected technologies:
• Sensors, such as GPS devices, ATM always-on cameras and thermostats.
• Real-time analytics, such as user-behavior assessment patterns, weight and freight tools and traffic modelling.
• Actuators, such as building HVAC systems, automated locks, traffic signals and automotive steering and brake commands.
Functionally, according to Schneier, these three categories of technologies combined make a robot, one that is difficult to control and even harder to secure.
Many of these new technologies bring exceptional benefits to individuals and businesses. Yet, as more and more devices become "smart," and IoT becomes larger and more mainstream, massive streams of data also provide potential substantial value to criminals.
In situations where threats may be evolving as quickly as the device technology itself, a layered approach is best, but we all must do our part for this solution to work. Layered security requires coordination from citizens, the greater community, the business sector and government. The following are some steps each can take to help improve security:
• Businesses must identify an information-security function and staff it appropriately. This role should encompass responsibility for the security and integrity of intelligent devices alongside conventional information technology (servers, laptops, smartphones, networks and cloud-based services).
• Establish policies that acknowledge and accommodate the presence of IoT within and around the enterprise's environment.
• Companies should open a liaison with local police agencies that might offer assistance in the aftermath of a crisis.
• Consider how IoT vulnerabilities can impact citizens. Currently, core information technology is seen as the responsibility of its owner. After a noisy problem involving a population harmed by an IoT vulnerability, governments will act — but with a bit of foresight, that action need not be disproportionate or dysfunctional.
• Understand that while the network was never the computer, networked devices concentrate vast processing power. This aggregated IoT needs a governmental policy-based response. Individuals and businesses cannot change social policy fast enough.
Social groups, clubs and not-for-profit organizations
• Identify a device steward, someone who would list their intelligent devices and occasionally check with the device vendors for any notices, warnings, recalls or suggested updates.
• Have someone with IT skills available (as a volunteer or on call professionally) to help minimize the consequences of a defect or a serious attack on the group.
• Understand how your group interacts with said devices and ensure everyone is aware of potential exposures as part of that group. Education is key to assessing risk.
• Be aware of the population of intelligent devices in your home. If you have IoT devices in your home, check in regularly with vendors or a reliable third party for notices, bulletins or warnings concerning their devices.
• Assess personal value vs. potential risk for each of the personal devices you consider purchasing. Do your homework, be informed.
Securing IoT is a challenge, but with cooperation from the government, individuals and communities, as well as businesses, we can all take small steps to make the world a safer place.
William Malik is a client-solution advisor at Optiv, an information security company.