When I attended high school in the 1990s there was a strange disused storage room in the science building with a bronze plaque indicating it was the "Atomic Research Lab." Rumor and innuendo finally led me to one of the older teachers, who explained that during the 1950s, some government-funded entity provided the school with a few boxes containing Geiger counters, suggested experiments, and a pile of radioactive materials, all in the name of ushering students into the atomic age. He also recalled being fitted for shoes under the relatively novel X-ray machine, with an unprotected shoe salesman happily bombarding his young feet with radiation, all in the name of solving the problem of poor-fitting shoes with atomic science.
Splitting atoms and connecting things
Intriguingly, IoT is at a stage similar to that of atomic science in the 1950s: limitless possibilities and a tiny subset of cranky curmudgeons preaching about the risks. However, we're also beginning to see the dangers of IoT, most recently in the form of a "botnet" attack that commandeered tens of thousands of connected video cameras and used them to flood key internet infrastructure with data that knocked multiple high-profile websites offline.
In the zeal to bring connected devices to market, concerns like security have taken a back seat. In many ways, adding connectivity to a product is the easy part. Commodity pricing on sensors, and trickle-down technology from the mobile phone industry, like complete "system on a chip" designs, have made it easy for even startups to integrate wireless radios into devices. Any remaining product development effort is usually applied to building services around these products, and security might be a day or two of development time at best, or an item that's perennially on the feature list for the next version. Much like shipping a box of radioactive materials to high school students, we're shipping what amounts to highly connected, completely insecure devices to consumers.
Is regulation coming?
It's easy for information security concerns to be misinterpreted and overblown for dramatic effect. Rather than admit to lax security or data thefts resulting from simple social engineering, many companies and government organizations would rather peddle stories of sophisticated state-sponsored hacking organizations. The truth with IoT is that in many cases, one need not be overly sophisticated to take control of an IoT device that's ultimately a tiny computer, usually running some version of Linux, a well-known and documented operating system. Rather than stealing secrets or performing a sophisticated attack, an entity that can commandeer enough IoT devices can aim a flood of data at their victim, effectively drowning their networks in data and rendering them useless. Instead of a physical equivalent of a well-planned sniper attack on a single target, it's flooding the skies with bombers and leveling the whole area to hit that same small target.
Like atomic science, there is significant benefit to IoT, along with a significant risk. The IT industry has largely been self-regulating, tending to define its own standards and correct lapses in security. However, an era of cheap, connected devices, combined with critical infrastructure and services increasingly participating in the same networks as IoT devices, may require more oversight than the industry itself can provide. Whether or not the government ultimately steps in and forces regulation in the IoT space, if your company develops and markets, or uses, IoT devices, it's imperative you understand and mitigate the risks. Much like an apparently benign hunk of rock can emit radiation, the innocuous system on a chip that's embedded in your products and secured with the password "default" can contain hidden risks. While IoT is in a bit of a wild west stage, much like atomic science in the 1950s, as IT leaders we're beginning to understand the risks and should start taking appropriate precautions.
Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent over a decade providing strategy consulting services to Fortune 500 and 1000 companies. Patrick can be reached at firstname.lastname@example.org, and you can follow his blog at www.itbswatch.com. All opinions are his and may not represent those of his employer.