In a contributed article for Internet of Business, Anthony Di Bello, senior director of market development at information management company OpenText, reflects on the responsibilities ahead for IoT stakeholders as devices proliferate.
The IoT is weaving technology ever more tightly into our everyday lives, and connecting virtually everything to the internet certainly brings tremendous opportunities for convenience, efficiency, and growth. It also creates major safety and privacy concerns – which raises the question, which IoT stakeholders should we turn to, if this situation is to be effectively addressed?
Today, the worst-case scenarios for most individual hacking victims are identity theft and/or financial loss. The IoT changes the stakes. Connected devices will include (and to varying degrees already include) the fundamental infrastructure we rely on every day: transportation, power plants, supply chains.
Security vendors, manufacturers, governments and end users – all stakeholders here – need to consider what could be next and ask: How might we mitigate the risk of deadly hacks?
A hacker poses a far more serious threat if they gain control of your autonomously driven car than they do by gaining access to your bank account – and things get even more serious when you start to consider power and supply chain infrastructure.
In chilling real-life examples, hackers took control of a Jeep in a test just two years ago. At the annual DefCon conference, Chinese security researchers successfully hacked a Tesla for the second year in a row. To react appropriately, we first need to understand how the IoT is shifting the security landscape.
The IoT is changing the profiles of vulnerable targets from traditional endpoints – back-end computer systems, laptops and so on – to ‘edgepoints’. These include mobile phones, tablets and connected TVs, but also connected cars, smart forklifts, and even implantable cardiac pacemakers.
Whereas endpoints operate within the confines of (generally) more secure networks, edgepoints exist at the network edge. They represent a perfect storm of security and safety risk, by connecting at the edge of networks where security is most challenging and being charged with making serious, independent decisions (like steering a car, regulating a heartbeat or ensuring that the supply of electricity is directed toward where it is needed most).
Too often, security is an afterthought for IoT manufacturers under pressure to deliver devices to market. This needs to change. So how should various stakeholders prepare?
New responsibilities for stakeholders
These IoT ‘stakeholders’ fall into a number of categories, as I see it. They are:
IoT device makers and developers
First, IoT software developers and hardware manufacturers must adopt security by design. Security is fundamental to the desired user experience and should be a core feature, not a last-minute add-on. Hackers always look for the easiest target. As IoT devices proliferate, so too will cyberattacks against them. The best developers will recognize security as a competitive advantage and differentiator.
Makers of higher-end IoT devices often understand this need. For example, connected car manufacturers are more likely to place a heavy emphasis on security – but the aforementioned Jeep and Tesla examples show the need for constant improvement. Unfortunately, we are also seeing an influx of low-end consumer IoT devices with little to no security to speak of. Consumers with limited security savvy tend to purchase these devices, bring them into their homes and places of business and connect them to local WiFi networks. These stakeholders have a responsibility to protect the cybersecurity of their customers, just as they do their physical safety.
Enterprises – which will be major consumers of IoT devices and therefore influential in their evolution – should implement security best practices throughout their organizations and build out strategies that make security a priority. Security must be a consideration at the executive and board level. Most large organizations now include a CISO, and businesses should look to further expand security expertise across leadership teams. Frequent communication between management and security personnel is essential for informed decision-making among this class of stakeholder.
If industry and consumer pressure alone don’t steer the IoT industry toward effective security, governments may intervene in the name of public safety. This is already happening in areas such as transportation, where government agencies naturally have a purview as stakeholders in public safety. In Europe, GDPR legislation that goes into effect next year requires security by design, at least insofar as it relates to personal data protection.
With the boundaries between networking, storage, and computing blurring, security can no longer be an afterthought. In the United States, the Food and Drug Administration (FDA), National Institute of Standards and Technology (NIST), and the Department of Homeland Security have published voluntary guidelines for IoT security, but more oversight and enforcement are still sorely needed.
Before we reach that much-cited figure of 20 billion connected devices by 2020, policymakers need to work with private industry to create a framework for reliable IoT security that protects our privacy without hindering innovation.
Members of government with technology and security backgrounds would be a welcome sight in helping craft effective legislation. The Gramm-Leach-Bliley Act of 1999, which required the financial industry to explain information-sharing practices to consumers and how they protect their data, is a good example of how this might be achieved.
Taking advantage of IoT technology – while absolutely ensuring safety – will be a critical challenge over the coming years and decades. The stakes will be as high as they can be, and each and every stakeholder should feel compelled to contribute what is necessary to achieve a safe and secure IoT.