Despite its immense potential, the Internet of Things (IoT) remains mostly a poorly implemented patchwork of competing standards and protocols rather than a coherent and healthy ecosystem. This parlous state of affairs could make the entire Internet less secure not only from hostile states, but from simple acts of vandalism and criminality. In 2016, malware known as Mirai caused $110 million in damage by conscripting thousands of Internet-connected devices to flood the web’s infrastructure with mostly incoherent and meaningless traffic.

What is the Internet of Things?

The popular buzz-phrase “Internet of Things” brings to mind a world bristling with interconnected devices, turbocharged by the Internet, worldwide communications, and the integration of common everyday objects, from medical devices to appliances, into ubiquitous and expansive networks.

What does a world of Internet-connected devices actually look like? To take just one example, imagine a future in which a smart electric grid receives information directly from consumers, smart homes, smart appliances, battery storage, etc., and then automatically modulates and adjusts how it generates electricity based on that data. According to a McKinsey report from May 2017, the Internet of Things could have an annual economic impact of $3.9 trillion to $11.1 trillion worldwide by 2025.

As IoT technology takes off, the goal is to achieve “interoperability” — meaning the ability of one system to communicate with another. The idea of breaking down old barriers, both within networks and between networks, and perhaps even replacing them with a freewheeling and open system, seems sensible, even desirable. But interconnectivity has an obvious trade-off: these systems could be more vulnerable to exploitation.

It does not take a particularly tenacious hacker, computer expert, or resourceful coding boffin to exploit these vulnerabilities, merely someone with access to ransomware or botnets. The threat is asymmetrical, meaning that the hacking tools are easy to obtain but difficult to guard against. Even the best-coded software can contain thousands of errors and vulnerabilities, and hacking software only needs a single vulnerable point in an otherwise secure program or system. The Internet of Things greatly exacerbates these vulnerabilities: even the most common objects, once hacked, can become a springboard to a wider Internet attack.

Hardware Companies Face Many Different Challenges

These vulnerabilities stem directly from the nature of the manufacturing process itself. Individual chips, circuit boards, and operating systems are all designed by different companies and then assembled into hardware by an unrelated manufacturer, creating a fragmented landscape. A mistake at any stage can leave the entire system vulnerable to attack, according to The Economist.

It’s not clear yet who should bear the burden of making the system more secure. Component manufacturers are not well-positioned to handle security issues. Device manufacturers are more suited to providing security solutions, but according to McKinsey, they often lack the necessary capabilities. This disparity inhibits coordination between different parts of the value chain.

Another danger is that consumers view security as a mere commodity and refuse to pay extra for it. According to a survey conducted by McKinsey, 40 percent of semiconductor manufacturers claimed that their customers were unwilling to pay a premium for extra security features.

Security Problems Will Need to Be Addressed by the Entire Industry

The IoT industry should focus on a few major solutions. First, proper security protocols need to be adopted throughout every level of the organization and along every phase of the development and manufacturing process. Second, firms need to hire the appropriate security and software expertise. Third, if software expertise is difficult to obtain, then manufacturers need to collaborate or partner with outside specialists. There are managed detection and response services that respond to threats with complete “root-cause and kill chain visibility.” Fourth, IoT companies should focus on the development and implementation of more universal security standards.

In the best-case scenario, all the various stakeholders will agree to develop proper security standards on their own. They will need to address the difficult questions of how these standards will be set and who will set them. If they cannot tackle security issues at a more systemic level, then the government may step in. Bruce Schneier, a security expert, proposed the creation of a new government agency devoted exclusively to the security of IoT technology. Only government, he writes, has the “scope, scale, and balance of interests to address the problems.”

 

By Lee Flynn