From toasters to industrial control systems, at this point more things are wired than not. The benefits of connectivity have driven explosive growth in the number of connected devices which collectively create the Internet of Things (IoT). Even with that exponential growth, there has yet to be a wave of cyber-attacks conducted against the IoT commensurate with those launched against mobile devices. Stuxnet stands out as an obviously significant IoT attack, as does a 2014 incident in Germany that was leveraged to destroy an industrial blast furnace. But with those exceptions, the vast majority of headlines has been reserved for data breaches. So what is the true state of IoT security? How much risk is actually there, and how much of the threat is overblown? The truth, as it tends to be, is more complex than the numbers seem. Here’s my take on the current IoT security landscape.
Proof of concept IoT attacks have been troubling
While successful IoT attacks have remained rare, there have been multiple proof of concepts for IoT attacks that should frighten even the most stalwart Luddite. Pacemakers, insulin pumps, and automobiles have all show to contain remote vulnerabilities that if leveraged properly could actually lead to the loss of life. And when IoT devices are actually tested for security vulnerabilities, the results aren’t good. While those tests were conducted against consumer devices, there are implications for corporations. There’s more than enough intersection between those devices and what IoT technology industry employs to be worrisome.
Industry is not ready for the coming changes
The UK Government predicts that by 2020 the number of connected devices could be anywhere from 20 billion to 100 billion. That’s a massive amount of new data being collected, a volume industry has not yet shown itself to be ready for. According to the IDC within three years 50% of IT networks will transition from having excess capacity to handle additional IoT devices to being network constrained with nearly 10% of sites being overwhelmed. That’s not even to mention the lack of expertise in IoT security. Corporations can’t find enough good security people as is, let alone ones who are expert in an emerging field like IoT security.
The opportunity is there
It’s clear that while the impact to this point has been minimal, that danger is only going to grow in the future. One of the things that makes the German incident so troubling was the fact it was initiated with a successful phishing attack. That start of a chain that ended with physical destruction began with the click of a link in an email. The physical and digital worlds are intertwined now to the point of no return. A recent cyber-attack conducted against a dam in the US is also troubling. Not that we can’t surmise that it would come under attack, but more so because the fact the information was not released for several years. That begs the question of how many attacks have there been that we simply do not know about because the information has not been publically released.
There is a true risk in underplaying the threat
It’s not that devices are increasingly wired, but what is actually being connected, and what will be connected in the future, that makes security vulnerabilities in connected devices necessary to confront. Booms in automation and connectivity, medicine, and manufacturing have all been advanced by the IoT. Even if mostly unseen, the IoT already impacts every facet of our lives. Suffice to say, there is a true risk in underplaying the threat, not only for corporations and governments but also for individuals. Security is still an unfortunate afterthought for manufacturers, especially when considering the capacity for destruction by successful attacks is only growing. That needs to change.
Mark currently serves as a Security Evangelist for HPE Security. In this role, he is responsible for educating customers, security professionals, executives and other groups about the risks of security vulnerabilities and HPE Security solutions. Mark has played an active role in the security industry since 2002 when he joined SPI Dynamics, a leading provider of web application security assessment software and services. Over the course of his career, he has been involved with product management and marketing, vulnerability research, and security blogging. You can follow his writing and security activities via @secpainter.