Preparing for the Internet of Things
If you love the music of Kanye West and wish you could instantly hear it wherever you go, whether you are in your home, a shop or a cafe, and then be digitally alerted about others in your environment who also like Kanye West, you’re in luck.
The internet of things (IoT) is the term technologists use to describe the growing use of embedded sensors in the machines around us, which are designed to facilitate data collection and analysis on a real-time basis. IoT technology will make this scenario a reality, along with a host of other new real-time services and processes.
Also known as “the industrial internet,” “the programmable world” or “ubiquitous computing,” IoT’s goal is to connect the physical world to the internet or a wireless network, making everything, from common consumer objects to business machines and work environments, interactive and “smart.” The phenomenon is enabled by sensors embedded in these physical objects that allow them to exchange data with other machines. The systems can analyze large quantities of data and then swiftly take action, often without the need for human intervention.
Examples of the internet of things already abound in products that aim to revolutionize a range of industries. Smart outlets can allow users to monitor power and turn off any appliance from a cellphone. Pajamas can track babies’ breathing, temperature and sleeping position to help prevent infant fatalities. Trash cans can use real-time data collection to alert municipal authorities when they need to be emptied.
As machines increasingly “learn” our preferences and react automatically, the music of Kanye West can start playing the minute you walk into your home, your garage door can close by itself as you exit the driveway, or a power plant can raise output levels on its own when needed.
The internet of things is not a new phenomenon, but it has become more prevalent due to a combination of factors. These include the increased availability and lower cost of sensors and their controls, the growing use of sensor-enabled devices like smartphones and tablets, and improvements in system intelligence, which allow for more sophisticated and real-time data analysis. The trend is also spawning a wave of IoT-specific services for business, such as General Electric’s software strategies division for IoT and Splunk’s industry platforms that collect, index and analyze company-generated machine data.
The benefits can be significant. “With Splunk, you can search across all sorts of IoT data sets—say, all the data related to facility operations—and proactively respond to growth patterns, so that you are not wasting resources or manpower,” said Brian Gilmore, an IoT solution expert at Splunk. Similarly, GE touts the $150 billion in spending waste that it says will be eliminated by the increased use of IoT in industrial operations.
But some analysts are concerned. What will be the unintended consequences of this new development? A range of industries, including retail, transportation, health care, and oil and gas, are embracing the concept of IoT and using the new capability to increase operational efficiencies, reduce staffing costs and invent new types of real-time services, yet these analysts see significant challenges.
According to Andrew Rose, senior analyst with Forrester Group, the rise of IoT will result in “a radical transformation” of the computer and digital systems around us. And while, in many instances, it will serve up new and innovative services, it will also “pose unprecedented data privacy and security challenges for security and risk professionals.”
Leo Cole, general manager of security solutions at Trustwave, a provider of network and data security solutions, said that IoT’s layers of applications and connectivity “open up new attack vectors and new sets of risks on the security side of business.”
Further, Greg Day, a vice president and chief technology officer at cyberthreat protection firm FireEye, said that, with the rise of IoT, “the scope of what we have to protect will just explode.” The internet of things allows data collectors to know an ever-increasing amount about business and individual activities, such as when you leave for work, what type of car you drive, and what route you take, leaving users’ privacy further diminished daily.
Add to that the projected exponential growth of IoT and the risk scenario gets even scarier. Research firm IDC estimates that, by 2015, 20 billion devices will be connected to the internet and, by 2020, that number will double. Rose, Cole and others point out that the proliferation of these new devices will create greater complexity in the computer systems and digital networks we rely on.
This, in turn, will open the door to greater risks in several categories, including computer network vulnerabilities and data privacy breaches. Physical dangers could also be a concern as machines increasingly make autonomous decisions at lightning speeds. For example, if network control points are not properly protected from a malicious attack, machines controlling airplanes, high-speed trains, cars or pacemakers could be compromised and cause physical harm.
But that’s not the only concern. “One fear is that innovators will focus on building new IoT products and growing market share, but will not focus on IoT security because they do not want to delay a product launch,” Rose said.
“Any time you have a new buzz in the tech industry, there’s a rush to adopt and people tend to ignore security in the interests of quick deployments,” noted Roger Thornton, chief technology officer at AlienVault, a security provider for mid-size firms.
What’s the solution? The answer, analysts say, lies with risk managers who can work with security and IT professionals to initiate policies, action plans and best practices to anticipate the impact of the internet of things. Risk managers need to assess their IoT-based technology operations and consider worst-case scenarios, Day said. This can then guide both their policy and security efforts. However, because we are still in the enthusiasm stage of IoT adoption, risk managers need to highlight the commercial and branding advantages of these efforts to avoid being viewed as merely standing in the way of progress.
“We need to start looking at security as it pertains to IoT as an enabler and take a risk-based approach: How does the internet of things relate to my business processes? What is the likelihood of a security breach, physical harm or privacy issue taking place due to IoT? And what impact could it potentially have on my business?” Day said.
He cited traffic light systems, water purification plant operations and nuclear power plant systems as examples of critical operations that may benefit greatly from IoT advances and automated systems, but must, in turn, secure themselves from risks related to the internet of things.
Rose advised corporate risk managers to catalog the most significant IoT risks and urged them to plan for the rise of privacy risks as sensor-embedded objects collect and aggregate fragments of data. That information could potentially reveal patterns of private behavior such as an individual’s medical condition or religious affiliation. Risk managers should “ensure that they think through the potential privacy risks associated with the entire data set,” and develop policies to protect customer data, he said. “You need to know the source of the data, that it is encrypted and that the sensors you are using have data integrity and have not been altered in some way.”
Risk managers should also plan for the massive quantities of data that IoT sensors will collect. In some instances, Rose said, firms will have to partner and work closely with cloud-based data storage systems to ensure that suitable controls exist and that these measures comply with all local laws and regulations.
He warned that, as technology becomes more intertwined with the physical world, the possibility of an IoT security failure causing physical harm escalates. Rose advised risk managers to focus on the physical implications of IoT, particularly as it pertains to customer and operator safety. “Ensure that you understand how your object or service may interact with others to create unsafe or undesirable situations, then plan for your system to avoid these scenarios or put in place fail-safe mechanisms,” he said.
Cole predicted that the impact of IoT technology will encourage companies to utilize security as a managed service or use a third-party specialist firm to solve growing security issues, integrate any security products that are needed, and then monitor these systems on an ongoing basis. Because of the skills and process gap that customers increasingly have, they will stop buying a variety of products and integrating all of them themselves, and will instead hire a third party to do it, one that stays up to date on the technology and keeps careful watch, Cole said.
Charles Henderson, a director at Trustwave, said that IoT will result in an uptick in penetration testing of company security systems. In a penetration test, a firm hires ethical hackers to try to break into a company’s network in order to identify and assess vulnerabilities. The right way to do this, Henderson said, is for the testing to include company partners. “You have to understand what your partners are doing in terms of security—and what they might not be doing—to understand all the vulnerabilities,” he said.
While it is easy to get wrapped up in all the benefits of IoT, it is important to take action now and start building better security into these systems early on. “Now is the time for a call to arms for risk managers who don’t want to be left behind as IoT unfolds,” Rose said. He added that risk managers and their IT and security teams must start talking about the impact of the new technology and its repercussions. Then, they must begin taking steps to manage the sweeping changes to come.
“If we learn one lesson about how technology evolves, it’s that doing security after the fact is always far more costly,” Day said. “We have got to build it in as we go along.”