With the return of cooler weather to Seattle I appreciate that the heat at my house turns up just in time for me to get home. From an efficiency perspective, it is comforting to know that the heat also automatically turns down when I leave the house. These simple optimizations are just the beginning of what the Internet of Things can enable in our everyday lives. I am looking forward making more of the devices in my home “smart” and especially to when I can interact with them by voice or even have them predict what I want to do and just do it.
However, as a security professional I am both blessed and cursed with a mild state of paranoia. It doesn’t help that every day there are new articles that proclaim how the internet of things will allow criminals to access my refrigerator, turn off my lights, open my front door, or interfere with traffic in the city. Without a doubt, there are significant security challenges for information technology generally whether its criminals running botnets or cyber organizations targeting large corporations. Moving more assets and valuable data to the internet of things will make it all the more enticing to attackers, of course.
Security professionals have never backed away from the challenge of defending individuals and organizations against these threats so why are we so negative about the IoT? Well, I think a lot of it has to do with the term itself. “Internet of Things” has been used to the point where there is no single definition and means different things to different people. If we don’t know what something is, it is very difficult to think about how to defend it.
So then, what precisely is the internet of things? From Microsoft’s point of view, it’s about the Internet of Your Things, and I find it helpful to consider some key characteristics of the internet of things:
- Ability to communicate with physical objects. From household objects to industrial equipment, IoT devices will send and/or receive data over a network.
- Physical world input or output. Perhaps the biggest difference from traditional computing, IoT have physical inputs and outputs. For example reporting the current temperature or closing the lock on a door.
- Automated or even autonomous control. IoT devices can be controlled without direct human interaction and may be controlled by other physical objects. Some of the most interesting IoT scenarios involve devices communicating directly with each other to take action.
- Data from things. When things act as sensors they can generate enormous amounts of data about their own operation and the environment around them. This data can be stored and processed locally or more likely in the cloud.
- Analysis of sensor data. Analyzing the data generated by these sensors can reveal non-obvious usage patterns or even make predictions about what is likely to happen.
Examined through this lens, I argue that the problem is much more tractable. The characteristics listed above can help security professionals construct threat models for internet of things devices and services. While the Internet of Things brings about many exciting new scenarios the security principles of Confidentiality, Integrity and Availability have not changed. Fortunately, this means that many existing security approaches can and should be adapt to help secure the Internet of Things.
I want to be clear that I am not understating the added attack surface and potential risks that the Internet of Things brings about. However, I am also a born optimist. As an industry we have put a PC on every desk, smart devices in your pockets, and connected nearly half the worlds’ population to the Internet. We owe it to society to tackle the challenge of securing the internet of things.
Stay tuned next week for when my colleague Tim Rains shares several practical steps you can take to secure the internet of things.