Securing the Internet of Things

When a cloud-based platform can control many of the dials in your house, putting a few safeguards in place isn’t a bad idea.

While at the RSA show a few weeks ago, I was thinking about the article I recently wrote about “Why I Really Need the Internet of Things.” There are all kinds of great things we’ll be able to do with the “Internet of Things,” but, in keeping with the security theme of the RSA show, there is currently not a lot of effort going into securing the Internet of Things. There is some talk: an article and some quiet calls for action. That is a concern.

Today’s security landscape, whether home or business, is focused on protecting information by detecting and stopping attacks that are targeted at accessing private information, fooling you into giving the information, preventing access, or destroying information in order to cause damage or cover up an information trail.

When we talk about security for the “Internet of Things,” today’s security is still important (protecting information/detecting attacks). And this is the type of security that most people are talking about for the “Internet of Things.” But this is not good enough.

There are new dimensions that need to be added when we talk about the Internet of Things, mainly behavioral aspects such as, “Is this acceptable behavior for this type of machine-to-machine interaction?” (Some examples in a minute.) By the way, these behavioral checks are not just there to detect vindictive actions; they also need to detect human mistakes in interacting with the Internet of Things that could cause “trouble.” Before the Internet of Things can become widely used, these security issues must be addressed.

Now, what kind of security issues am I thinking of?

The simplest is a pure and simple “human mistake.” Not that I would ever do this, but imagine what happens if you go to turn up your Internet-controlled thermostat in anticipation of arriving home in a couple of hours after being gone for the weekend, and your fat finger enters the temperature of “86” instead of “68” (dyslectic entry of the digits). When you get home, the house will certainly be warm and toasty. Not catastrophic, but still a waste of energy, and an expense to you. The system (preferably in the cloud) should have detected this as a behavior that is incorrect, and taken steps (send a text, set the heat for default warm, or something other than move the temperature to 98 degrees).

Or how about that Internet-enabled sprinkler system? A prankster (being kind with my labels) might decide to hack into the cloud service and set everyone’s sprinkler system to turn on at noon on the same day. A sort of college “flush the toilets all at once” scenario. That would certainly impact the municipal water supply, not to mention be a waste of environmental resources (water), especially if all stations were set to the maximum time. The same scenario could play out by setting everyone’s heater to go on at the same time (perhaps at a temperature setting of 90 degrees).

Some behavioral analytics, in both the cloud and the device, should be able to determine whether a requested action is valid, questionable, or invalid. If it is questionable, perhaps a text confirmation is requested; if it is deemed invalid, the action is not taken and an alert is posted (to the cloud, to your cell phone, or both).

There are more scenarios. An Internet request to unlock the door when there is someone in the house may be a disallowed behavior, for example.
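As an added illustration (not code from this article or from any vendor), here is one way a cloud-side gate could sort requests into valid, questionable, and invalid, covering the thermostat, sprinkler, and door-lock scenarios above. The temperature bands, the 60-second window, the burst threshold, and every name in the code are assumptions chosen for the example.

```python
from collections import deque, namedtuple

# Policy values are assumptions for illustration, not figures from the article.
COMFORT_F = (60, 78)     # setpoints in this band are applied directly
HARD_LIMIT_F = (45, 90)  # setpoints outside this band are refused
WINDOW_S = 60            # look-back window for fleet-wide correlation
BURST_ACCOUNTS = 3       # same command from this many accounts is a burst

Request = namedtuple("Request", "ts account device action value occupied")

class BehaviorGate:
    """Cloud-side check that runs before a command is forwarded to a device."""

    def __init__(self):
        self.recent = deque()  # (ts, account, (device, action, value))

    def _fleet_burst(self, req):
        # Drop entries older than the window, then count the distinct
        # accounts that issued this exact command (requests arrive in ts order).
        while self.recent and req.ts - self.recent[0][0] > WINDOW_S:
            self.recent.popleft()
        key = (req.device, req.action, req.value)
        self.recent.append((req.ts, req.account, key))
        return len({a for _, a, k in self.recent if k == key}) >= BURST_ACCOUNTS

    def classify(self, req):
        burst = self._fleet_burst(req)
        if req.action == "unlock" and req.occupied:
            return "invalid", "remote unlock while the house is occupied"
        if req.action == "set_temp":
            low, high = HARD_LIMIT_F
            if not low <= req.value <= high:
                return "invalid", "setpoint outside hard limits"
            low, high = COMFORT_F
            if not low <= req.value <= high:
                return "questionable", "setpoint outside comfort band"
        if burst:
            return "questionable", "same command from many accounts at once"
        return "valid", "ok"

def handle(gate, req):
    """Map the verdict to the responses listed in the article."""
    verdict, reason = gate.classify(req)
    if verdict == "valid":
        return "apply"
    if verdict == "questionable":
        return "hold: text owner to confirm (" + reason + ")"
    return "reject: alert cloud and phone (" + reason + ")"
```

The fleet-wide check is the part a single device cannot do on its own: one sprinkler schedule looks normal, and only the cloud sees the same schedule arriving from many accounts within a minute.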

Clearly the Internet of Things will bring new security challenges. For the moment, home automation, via the Internet of Things, is a very small market, and therefore, while the things I have listed above are possible, they are not probable. Nonetheless, I believe that in 10 years the “Internet of Things–Home Automation” market will be widespread, and such security issues real. The challenge to the vendors is to begin addressing these security issues now, not 10 years from now.

 

Jay Thomas is a Business & Product Technology consultant. He has held executive positions with large companies (IBM, Siemens) as well as start-ups. Most recently, Thomas was the Senior Vice President of Global Services & Operations at Narus, a start-up that was acquired by the Boeing Company.

Image: Poitr Adamowicz/Shutterstock.com
