Internet of Things - Is Security Really a Concern?

Over the last few years the explosion of the Internet of Things (IoT) has been powered mostly by our desire to have information we don't really need, at a time we don't really need it, about stuff that we otherwise wouldn't really care to know, for example: "the current temperature of the water in my washing machine".

There are, of course, some very legitimate reasons for wanting to have this type of data. Many of them are related to marketing and most of them are related to creating new opportunities to sell you something, but some have very useful real-world applications, such as monitoring vast numbers of systems that provide revenue-generating services across a significant number of business sites.

IoT applications were born out of the inherent need of large corporations to monitor and manage remote devices. Some of the earliest examples of these types of devices are in our traffic management systems and in our supermarkets. It's really for the commercial market that Supervisory Control and Data Acquisition (SCADA) systems have been reinvented as IoT and re-marketed as 'Smart Home' devices.

The Problem

The security problem with these devices is a very real one; in fact, most providers released a first generation of their products with no security at all. A good example of where this is still occurring is the 'Hive' heating system, which was formerly a company known as 'AlertME' until British Gas/Centrica purchased them a few years back. Of course, there has been little or no investment in securing the product, even since the breach of the system two years ago; most of the security has been sited at the centralised systems, leaving the devices themselves wide open to attack. I haven't personally tested the entire market of products and I'm not about to provide tips on how to get into this one, but I think it's safe to say these guys won't be alone...

Businesses

Corporations have, for a while now, been unwittingly taking on IoT devices. It all started with the boom of Bring Your Own Device (BYOD) and has now exploded into printers which print from the cloud and vending machines which call home to be restocked, not to mention all of the screens, displays and projectors out there. Any sensible firm would not trust IoT with any critical business function... or would they? Certainly there has been a growth in interest in protecting such devices; most feel that this is more related to them not wanting to be the originator of an attack. The scary thing with IoT is that it could become the world's biggest botnet given half a chance; for script kiddies and hacktivists alike, this is a pretty cool target.

Likewise, manufacturing firms are worried about competitors impacting their ability to produce, or stock market wranglers affecting their market price.

The Government / Authorities

The Critical National Infrastructure (CNI) guys are terrified about the threat of some terrorist organisation getting hold of the controls to their water reservoirs or overheating their power stations to the point of meltdown or more simply holding the country to ransom for access to standard facilities such as Gas/Electricity or Water.

The bottom line is always: if you don't want the risk, don't plug it into the internet. Of course this doesn't float, because the convenience of being connected always trumps the potential of any hack.

BUT the real question here is who pays for IoT or SCADA security?

We all know we need to secure this stuff. It's not secure on its own, and with Asia manufacturing the lion's share of these devices there are no prizes for guessing who is going to have access to everything.

There seem to be three key candidates to foot the bill for this security:

The Manufacturer: It's certainly the case that when you buy a car, you expect it to have locks and seatbelts and all of the other features which make it safe, so why is this any different? Well, there is a price point issue. Putting it simply, it costs more in testing to build in security, so who is going to buy the top notch when there's always a cheaper version available on eBay - not many people, I suspect.

The End User: As we are not prepared to pay more for these techs and they continue to get cheaper, I can't really imagine a consumer end service or anti-malware for IoT devices. Of course, you will always be able to convince big business they want to protect themselves, but you're unlikely to win the same argument with a local taxi firm or Joe Bloggs on the street.

The Service Provider: One thing is for certain: the bits of wet string that interconnect all these devices are the only common piece of the puzzle. Each device uses its own flavor of operating system, home-grown applications etc., so it would be hard to create the security overlay at the device itself. So why not have that security in the firewall at the boundary? Whether that be a massive corporation or a single user, everyone needs an internet connection, and for me this is the obvious place to site IoT security.

The problem is that the BTs, Virgins, Skys and AT&Ts of this world may pay initially, but you can bet your bottom dollar that it's going to be added to your line rental or my sport subscription.


There seem to be two security markets. The first is the consumer world of IoT and the security inside the network, but the truly lucrative focus will always be on the SCADA end of the market, as these guys have a whole lot more to lose. I might have the CIA watching me picking my nose on the sofa through my smart TV, but these guys can be turned from a profit-making leader in their market to a stock market nightmare overnight.

Interesting article. Agreed that the "do not connect it" genie is already out of the bottle. I think it is a shared responsibility. Some cars are safer than others and people make their decisions. I think consumers are, only now, just starting to think that way. Manufacturers and Service Providers will see it as a commercial differentiator. However, it does need to be simple and easy to use, which, in the main, it is not currently for the consumer. Personally I connect as little as needed and protect it as strongly as I can.
