By 2020, more than 25% of cyberattacks on enterprises will involve Internet of Things (IoT) devices, though IoT will account for less than 10% of IT security budgets, according to Gartner. While some in the industry have proposed using blockchain to enhance IoT security, a panel of experts at the LiveWorx 2018 conference disagreed that the distributed ledger technology would radically transform the way IoT devices operate.
Considering the destructive Mirai botnet, it’s possible that the world will reach that 25% figure sooner, Joshua Corman, chief security officer at PTC, said during the panel discussion. The number of devices that are unpatchable with hard-coded credentials that exist naked on the internet provides a recipe for disaster, Corman said.
IoT devices’ diversity and lifespan make them strong targets for attack, according to Chris Lord, CTO and co-founder of security firm Armored Things. “When it comes to IoT devices, we have thousands of different operating systems and variants,” Lord said during the panel discussion. “That diversity creates all sorts of challenges–every one has different configurations and different ways to patch and manage.”
Device lifetimes create further issues, Lord said. Unlike smartphones, which are constantly visible to users who can determine when they need an upgrade, many IoT products are embedded into the environment around us–in our cars, buildings, and safety products.
“As soon as they sink into the environment, we no longer know they’re there,” Lord said. “They get lost and neglected, but are still surfaces that can be attacked. In lifecycle management, we need to focus on the tail end, not just the middle maintenance.”
Enter blockchain, which some have argued will help IoT devices communicate with each other and improve their security.
However, “I don’t think blockchain is transformative for IoT,” Lord said. “Most of the techniques that underpin blockchain have been around for quite a while, and are already incorporated into a lot of the stuff we build in distributed systems,” such as a verifiable transaction log and distributed consensus.
When determining whether or not to work with blockchain, IoT developers must ask themselves one of the most basic computer science questions, Corman said: “Can I already do this with a distributed database?” Often, the answer is yes, he added.
“It’s not new technology,” Lord said. “Most of what we talk about with blockchain is a better set of patterns for dealing with decentralized or distributed problems. It’s not going to change how we deal with things in IoT.”
One way that blockchain could be useful is in distributing a policy change across different devices. However, anyone advertising blockchain as a security feature in an IoT device should at this point be met with skepticism, Lord said.
IoT manufacturers also want to bring scale to their devices, said Rob Black, founder and managing principal of Fractional CISO. “When you think about blockchain, it’s anything but scale–you’re bringing along a huge ledger of transactions,” Black said. “Compatibility with blockchain and IoT in today’s environment is almost nonexistent.”