IoT security state of play: can we learn from history?

Originally posted on Peerlyst on 24th August 2014.

In mid-2014, as Peerlyst gets off the ground, one of the biggest challenges facing the security profession is how to secure the Internet of Things. The phenomenon that’s automating everything from artificial dust motes to container ships is about to move into explosive growth mode, if it isn’t there already. That’s great news for entrepreneurs and the global economy, but for security types this gigantic silver cloud has a distinctly dark lining: the IoT, with 40 billion devices projected to have IP addresses by 2020, is dramatically expanding our attack surface. At the same time, the general level of IoT security sits somewhere on a scale between embarrassing and zero. Exceptions apply, of course; the topic is now on the agenda at RSA, Black Hat, and DEF CON, and even the biggest security vendors are starting to pay attention. That’s all positive, but in terms of actual, tested and auditable security controls for IoT systems, either implemented or on the planning horizon, we’re really looking at very little.

If we take off our white hats for a second and peer into the mysterious world of business, it’s not too hard to see why things are this way. Unless you have a keen, security-focused mind (which I expect you do, since you’re reading this), the odds are that as someone bringing cutting-edge products to market, you don’t give security a high priority until the day you get hit. That’s just human nature, and it’s also history. Think about how the mobile commerce security landscape evolved: technology first, then hypothetical threats, then credible threats, then security response. Or desktop-based e-commerce before that. Exactly the same thing happened.

To cite just one current example of history repeating, industrial control systems were never designed to be put on the Internet. As stand-alone systems, they were at least protected by isolation, and to some extent by obscurity. When they started being connected to corporate networks and the Internet, the driver was business efficiency – enterprise users’ ability to monitor their factory’s hydraulic pumps from the comfort of their own bedrooms. Nobody, including Iranian nuclear engineers, gave a thought to threats like Stuxnet, son of Stuxnet, and grandson of Stuxnet. But I bet that Iran now has one of the best SCADA security programs on the planet. That’s just how it always goes.

With that in mind, here’s how I think security of the IoT will play out:

Phase 1 (the past 4-5 years): IoT products and systems are brought to market with minimal security built in. All eyes (except for the keen, security focused ones) are on innovation, financial upside, and the wow factor. An incident happens here and there, but hey, cyber attacks only happen to other people. It’s quickly forgotten and Industry goes back to building the dream.

Phase 2 (where we are today): IoT deployments pick up steam. More security experts point out the risk. Researchers find exploits and show them off at DEF CON. Specialized security products are introduced, and standards groups start to form. But they’re mostly preaching to the choir, and we still haven’t seen any catastrophic cyber event in the IoT world.

Phase 3 (the next few years): IoT is now mainstream, and the inevitable wakeup call happens. Great-grandson of Stuxnet (wielded by great-grandson of Al Qaeda) takes out a power plant, derails a high-speed train, or makes some chemical factory explode. This will happen in Europe, North America, or some other developed part of the world. Now Industry wants security, and it wants it now. If you’re a security professional and have invested in acquiring skills related to IoT protection (SCADA/ICS and sensor network security, real time threat intelligence, etc.), this is when you’ll find yourself … busy.

Phase 4: “Security” will step up to the situation, and at some point it might reach equilibrium and we’ll have a “secure enough” IoT. Or, it might not and we’ll continue living in a world of perpetual cat and mouse like we are today with retailer data breaches. I don’t want to try to predict that far ahead (but please feel free to do so yourself in the Comments, if you have a take on it).

My point is, as Sting once put it, history will teach us nothing.