Posted by Craig Carpenter
The Internet of Things (IoT), known to most consumers as the internet-connected products that let you unlock your house or turn on your heat from a smartphone, has recently been thrust into the cybersecurity spotlight for both its booming commercial success and its security implications.
On the one hand, the universe of connected devices has grown dramatically over the last few years, adding significant conveniences for consumers while also playing an important role in medical and industrial technology. For example, studies estimate that the global IoT healthcare market was valued at $58.4 billion in 2014 and is expected to grow by 12.5% annually. Healthcare IoT has automated and streamlined record maintenance as well as data collection and analysis. Meanwhile, the industrial IoT (IIoT) has grown to encompass numerous industries, including manufacturing, mining, agriculture, energy, and transportation. Studies put global IIoT spending at $20 billion in 2012, with spending estimated to reach $500 billion by 2020. IIoT is helping companies operate more efficiently and implement predictive maintenance, which in turn increases their profitability.
On the other hand, as the IoT exploded in prevalence and popularity in the consumer goods sector, regulators and security professionals raised serious concerns that device security has not kept pace. In particular, the FTC has not been shy about its concerns regarding the security of consumer IoT devices. As we discussed in a post last year, the FTC released a report on the IoT, ultimately concluding that IoT-specific legislation is premature, reasoning that the IoT is at a relatively early stage of development and there is great potential for innovation. Instead, the FTC pushed for industry self-regulatory programs focused on guarding against hacking, misuse, and breaches of privacy, and on implementing best practices for security measures and training, including access-control measures and “security by design.”
Last month, however, these IoT security concerns became reality when attackers hijacked millions of IoT devices (such as smart webcams, DVRs, and appliances) to carry out a distributed denial-of-service (DDoS) attack against Dyn, a major managed DNS provider that is an important piece of internet infrastructure. Because Dyn answers the DNS queries that translate domain names into addresses, overwhelming it temporarily cut off access to several e-mail services and to numerous websites, including those of Amazon, Spotify, and the New York Times, even though those sites’ own servers were not attacked directly. A DDoS attack is not a particularly innovative or sophisticated type of cyberattack, but the attackers’ ability to marshal compromised consumer devices on such a large scale, and to aim that traffic at such a key link in the online ecosystem, are causes for concern.
Continuing to highlight this issue, earlier this month the National Institute of Standards and Technology (NIST) released its long-awaited guidance on building security into the engineering of systems, which it presents as directly applicable to the IoT. The publication, NIST Special Publication 800-160, Systems Security Engineering, addresses the “engineering driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical and human components that compose the systems and the capabilities and services delivered by those systems.” It states that “engineering-based solutions are essential to managing the growing complexity, dynamicity and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the internet of things.”
It remains to be seen how security practices for IoT devices will be defined and enforced in the future (whether through industry self-regulation or government intervention), but one thing is certain: the IoT is not going anywhere, and it will continue to play a major role in our lives.