A primer on the Internet of Things and why it's a big concern
December 15, 2015
There’s a key difference between the Internet and the Internet of Things.
Anyone in the risk business has read these words or something similar in the last year or so: Beware the Internet of Things! Danger ahead! The new emerging cyber threat!
It’s not bad enough that we have credit card theft, identity theft, healthcare information theft and intellectual property theft to worry about. Now we are told to expect a new and potentially bigger wave of cyber threat coming at us through our cars, our thermostats and even vending machines and our home appliances.
This blog will establish a baseline understanding of the Internet of Things (IoT) — or Internet of Everything (IoE) — and set the stage for future discussions about how these threats are progressing and the defenses that should be constructed to counteract those threats.
Let’s begin with some basic definitions. What exactly do we mean by the “Internet of Things”? The Internet, as we have known it until now, is a global network that allows individuals and organizations to connect with others and to vast sources of information, any time, from anywhere that there is an access point. Access points used to be wired telephone lines and directly wired connections, but now can be found nearly anywhere in the wireless world as long as you have a connectible device, like a desktop computer, laptop, wireless phone or tablet. One notable feature of this configuration of access points and connected devices is that there is generally a human associated with the device, i.e., someone inputting addresses to which a connection is desired and participating in an online “dialogue” of sorts.
The key difference
The IoT is the same concept with the key difference being the removal of the human from the dialogue. Now the dialogue involves devices without human intervention — devices like security systems and HVAC systems in commercial properties or a home, flow controllers in pipelines, performance monitoring sensors in automobiles, or health monitoring medical devices. The IoT, then, is simply an extension of the Internet as we have always known it, with a bunch more connectible devices — perhaps as many as 50 billion by 2020. And each of these devices is in many ways similar to a traditional connected device like a laptop or phone. They are “addressed” the same way. They send and receive information the same way. They are programmed, i.e., they respond to the information they receive based on embedded rules. They offer tremendous benefits, just as the laptop and smart phone do, but they are similarly just as vulnerable to threat actors — maybe even more so.
So, what we are left with is a real “good news/bad news” situation. The good news being the tremendous benefits that the IoT can potentially deliver, and the bad news being the potential risks that come with those benefits. But there is also good news in the fact that existing risk management and information security practices can help mitigate and manage those risks. Bad news will result, however, if security is not recognized as being just as important as the benefits and is not baked into the product development process.