In 2014, the Internet of things (IoT) moved beyond a buzzword; it became a security risk.
Gartner forecasts there will be almost five billion connected devices by the end of this year and 25 billion in 2020. However, the deployment of cost-efficient sensors and devices that has allowed the IoT to grow will also make its network less secure, creating major vulnerabilities in the cyber ecosystem and possibly becoming a counterweight on the U.S. economy.
More companies and brands than ever are recognizing the value of networking their products while, at the same time, developers are conjuring up innovative new ways to make user experiences more rich through the use of IoT devices and sensors.
Networked devices that are currently in the marketplace include home and office mainstays such as door locks, thermostats, picture frames, garage-door operators, and audio and video systems.
But at the Black Hat conference this past year, hackers compromised the Google Nest thermostat to reveal the weaknesses of these connected devices and appliances.
As the IoT market matures, these widely deployed and low-cost sensors and devices are less likely to be viewed as worth continued maintenance. Offering a constant stream of security patches and updates to keep low-cost devices safe and functional for the long term requires money. If vulnerabilities are discovered, patches or updates might be issued, but only in the first year or two. The vendor expectation is that users will need to buy a full replacement or live with the risks — not to mention that users are not very likely to manage patches and updates for non-critical devices.
Cheap and vulnerable devices will linger on networks like ticking time bombs, and the choice will be to either replace them or tolerate them with their liabilities.
The biggest challenges for home users or business IT departments are managing the patches, security controls — including firewall, authentication, and intrusion prevention systems — and configurations, which are the internal settings of the device. With more connected devices entering the system, it is nearly impossible to keep track of all the configurations and updates for every device in these environments.
Simply tolerating the risks of low-cost devices could incite major long-term challenges for our economy.
We could begin to see a steady stream of digital annoyances and service disruptions when hackers use these devices to commit crimes or other forms of “vandalism.” Additionally, growing reliance on data emanating from the IoT, whether pertaining to home maintenance or business operations, requires reliable devices.
The high rate at which devices are subverted by security flaws, or simply made obsolete because of a lack of vendor support, will cost the economy greatly. We must acknowledge the risks and adapt before they become truly detrimental to our personal and professional lives.
Adapting to this new environment will require new services. While businesses and security practices will not undergo rapid transformation, we will see long term changes in how we handle the security of these IoT systems and devices. We can expect information security departments to move from hiring security experts to hiring security services from the consumer level to the largest enterprises. The complexity of managing IoT security controls will require dedicated services that are provided by organizations actively collaborating with manufacturers and vendors.
We don’t want to lose the benefits of the IoT, so we must ensure its security to ensure its value.
Michael K. Daly is chief technology officer for cybersecurity and special missions at Raytheon.