Cool Trumps Safe.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
It’s not just us. We’ve been harping for months now that the impact of IoT on information, data, and cyber-security will be much more severe than we have experienced thus far with traditional information systems. The FBI's chief information security officer just sounded the same warning and she is worried.
FBI CISO Arlette Hart’s keynote address to the 2015 IoT Security Conference in Boston last week demonstrated that the growth rate of the Internet of Things (IoT) is outpacing current IoT security efforts. Her speech was a clarion call to action for enterprises to take this emerging threat seriously before disaster strikes. With technology, "Cool trumps safe," she said. "The capabilities, themselves, are almost always developed without security in mind. We need to change that for IoT."
What’s the big deal?
At its most benign threat level, IoT introduces an overwhelming number of new devices, data, network traffic and protocols that will have a profound impact on IT and cybersecurity strategies. IoT data poses a significantly more dangerous threat because it is physical in nature and will change the impact of breaches on consumers and end users. With recent retail, hospitality, health care and financial data breaches, Hart said the impact has been "relatively light" on customers and end users. The end result might be that they have to change credit cards or passwords, or their personal health information might be out on the web somewhere.
But in the case of an IoT data breach, sensitive data is going to be interconnected with personal devices, like door locks, cars, baby monitors, thermostats, lights, security cameras and other household appliances. Cyber-criminals using that combined data will be able to create heretofore unseen scenarios where physical danger, theft and extortion combine for truly serious consequences. IoT breaches will ultimately be used to cause physical harm and exploited by state-sponsored cyber-attackers to wreak havoc.
Last year, Hart got a new credit card and credit monitoring following a breach of her own credit card data. And, in the larger context, it was no big deal. "But when we move into IoT, I think the world is going to change,” she said. “I think it's going to change to the point where, when compromises happen, people are going to really feel it."
Hart went on to point out that it's not just outsiders that enterprises need to be wary of. She said, "Malicious insiders are an internal threat to your infrastructure. The inadvertent insider is one of the biggest causes of compromise. You trust our employees? Really? You have 40,000 employees and not one of them is bad?"
Most of today’s IoT devices have serious vulnerabilities and no embedded or native security protection. However, there is also a darker side to IoT, related to security and privacy. A good example is the recent case of hackers taking control of a car and crashing it into a ditch by remotely breaking into its dashboard computer from 10 miles away. That this is not an isolated incident was documented in a study by PT&C|LWG Forensic Consulting Services, which outlined that many other car makers were susceptible to being hacked. This is just one illustration of the tip of the iceberg when it comes to IoT’s security risks.
According to Robert Bigman, former CISO at the Central Intelligence Agency (CIA), IoT devices that manage personal health and safety systems will become the next ransomware gold mine. As they have for the Bring-Your-Own-Device (BYOD) phenomenon, businesses need to adapt their risk management practices and broaden the scope of risk assessments to include all connected devices.
If an employee’s smartwatch can be leveraged to spy on corporate WiFi passwords, the watch suddenly falls into the scope of an organization’s risk assessment. In this context, one of the leading challenges for organizations will be how to store, track, analyze, and make sense of the vast amounts of data generated by including IoT in the risk assessment process.
So what can we do?
Prohibiting new IoT technology is obviously not the answer. The business risk of not embracing the Internet of Things — and falling behind competitors — is not an option. In the workplace, IoT devices can be a great boon for businesses, bringing greater accessibility to information, greater efficiency, improved services and increased productivity. Though it runs counter to everything I believe, the only solution is for new standards and government regulations to be established that require the use of trusted networks and operating systems. This is (perhaps) the one place where we need a centrally managed and controlled infrastructure and set of standards, regulations and protocols to force vendor compliance.
There are several initiatives (e.g., Cloud Security Alliance, Open Interconnect Consortium) working to create frameworks to secure IoT ecosystems right now, and this activity is promising. And we will need an accepted foundational standard to ensure the interoperability required to achieve this outcome.
Until we get there, IoT vendors need to incorporate security at the design phase of products to at least make them less of a threat when connected to networks. In addition, they need to consider immediately what regulations devices will have to comply with so those requirements can be baked in and not added at some later date. And in the meantime, device communication channels should at least conform to standards-friendly hub-and-spoke networking protocols, which are less vulnerable to attacks. But, unfortunately, waiting for the Federal government to intervene will be way too late.
"This is only going to happen through self-regulation because, frankly, you are all moving way too fast for the government to be able to catch up with you," she said. "Self-regulation is critical to this [IoT security] effort."
"The threat vectors are increasing and they're pervasive, and they're going to keep on coming, and they're going to accelerate because this is such a rich field," Hart said. "IoT compounds the security challenges that we already have."
It is going to be up to us to get this done. If we can’t, watch out world!
International Business Relationships
.... and consider the military implications .... foreign hackers working their way into battlefield objects like tanks, artillery, bombers ....