Some 96 percent of IT professionals anticipate that security attacks involving the internet-connected devices in our lives will rise this year, according to a survey from TripWire in Portland, Oregon. More than half of the professionals surveyed say they’re not prepared for cyberattacks like this involving what is known as that internet of things.
There are about six billion to eight billion computing devices of various sorts — from baby dolls and thermostats to wireless infusion pumps and public utilities systems — connected to the internet. This would-be network of devices, the internet of things, offers countless means of convenience and utility for users, but also presents broad opportunities for hackers with nefarious ends in mind.
The problem becomes clearer as companies bring their wares to market with no security whatsoever, said Tom Patterson, vice president and general manager of Unisys Global Security.
“Everyone has to take security seriously,” he said.
Unisys is helping big corporations segment off their IT and employ a variety of advanced security products and strategies, Patterson said. He’s seeing more items — such as auto components like the controller area network bus that allow devices in cars to communicate — being designed with security in mind. Still, not everyone is working together to build greater security into products overall, and Patterson said he’d like to see more cooperation.
Firms like GrammaTech in Ithaca, New York, conduct extensive research into software assurance and cybersecurity for governmental agencies like the Army, Navy, Defense Advanced Research Projects Agnecy and Department of Homeland Security, as well as critical infrastructure, power grids and water supply operations. GrammaTech develops tools for software developers to prevent or minimize the impact of hacks, said Mark Hermeling, senior director of sales and marketing.
“We see great interest in these capabilities,” Hermeling said.
Building secure products for the internet of things, particularly items that are highly price sensitive like webcams or doorbells, is a challenge. It’s likely to take more resources to develop a more secure, complex device, and that “costs money, and people don’t like that,” Hermeling said. Adding extra levels of security to connected devices can also result in reduced functionality or ease of use.
Another issue is that tech moves fast. “What you consider to be safe today many no longer be safe tomorrow,” he said.
Still, outcry from the public to mitigate cybersecurity risks from internet of things is likely to keep growing as the public becomes aware of their vulnerabilities.
No one-size fits all
In general, larger, well-established corporations and industrial concerns are better prepared and have more resources to tackle issues of cybersecurity related to the products they sell or use. Hard-charging startups seeking to be first to market tend to take fewer precautions, said Katerina Megas, program manager for internet of things cybersecurity at the National Institute of Standards and Technology.
Devices themselves may prove to be more or less vulnerable depending on the context in which they’re used. Some devices may only be connected intermittently to the internet, for example, and it is precisely this broad spectrum of players and products that will likely hamper efforts to find a one-size-fits-all security solution to internet of things, Megas said.
“We’re going to have to figure out how to accommodate different drivers and barriers, and they may not be the same,” she said.
The institute’s research into cybersecurity in the cloud, the fog (networking that supports internet of things) and multiple-instruction, single-data systems also applies to internet of things, as does its efforts with lightweight cryptography. NIST constantly seeks the input of industry and organizational partners to discover the latest best practices and offers a voluntary cybersecurity framework for businesses and other entities to deal with the issue. In mid-May, it will convene a working group to discuss internet of things.
But work in this area is still in the early stages, as is a comprehensive approach to the issue, Megas said.
In the near term, prices for connected devices or other products that contain them will have to increase, at least a little, to add extra security features as industry awareness rises, Hermeling predicted. And demand should also continue grow.
“The move forward is inevitable, because people want more convenience,” he said.
Hermeling said one possibility for better security of internet of things could involve a monitoring capability for software or hardware that would provide notice of breaches or unusual activity.
But firms that fail to consider security for their products in the beginning could end up paying a large reputational price if they’re victim to a malicious hack and become the object of the latest viral news story, Patterson said.
“The benefits far outweigh the increased costs,” he said. “Retrofitting it is expensive.”
Patterson sees encryption as one of the easiest and most affordable security tools when you go to the cloud. Breakthrough technologies, such as blockchain, will vastly increase the efficiency of connected devices in cars and other devices, as it also allows for peer-to-peer internet of things security. Regardless of the method, some companies will distinguish their wares from competitors by making their security efforts a key part of their brand to consumers who will “vote with their pocketbooks,” he said.