Reality hits in rush to connect all things

Our dependence on connected systems is outpacing our ability to secure them, finds Chris Gonsalves

In the span of two subway stops on the Red Line in Cambridge, Massachusetts - that scary-smart corridor with Harvard University on one end and Massachusetts Institute of Technology (MIT) on the other - a world-class collection of expertise and enthusiasm for the Internet of Things (IoT) gathered this month to extol the virtues of a hyperconnected world.

At the MIT end, the mood was hopeful in that reserved and understated way that developers, UX designers, scientists, and engineers tend to be. At several expos and conferences on the campus, dozens of technologies and hundreds of new ideas bounced from lecterns and slide decks to demo sessions and corridor conversations.

Everything is on the table here. The proliferation of sensors and machine data and near-field communications is seen as the key to improving everything from supply chains to the human condition.

This was their week, after all. Massachusetts Governor Deval Patrick said so when he declared 2 to 9 May the "Internet of Things Week" in the Bay State. And what's not to be excited about?

We're living in a world that is expected to have between 50bn and 200bn things connected online by 2020, according to IDC.

Cisco Systems, which is fond of calling the emerging space the "Internet of Everything", claims the market for hyper-connected devices will top $19trn (£11.2trn) in the next eight years.

Across town on the Harvard side, things were decidedly less bubbly. It's fitting that the Security of Things (SECoT) Forum was being held a few steps from Harvard Square's historic Old Burying Ground, a place where revolutionary war heroes and Harvard presidents with big ideas rest together with paupers and wags.

Like a cemetery in springtime, the mood at SECoT was sombre, but not necessarily gloomy.

This is where the IoT gets real.

"I really believe that the combination of technologies that we refer to as the IoT is going to be transformative in ways that are profound," said Paul Roberts, founder of IT security news site Security Ledger and organiser of the SECoT Forum.

"I see the net effect of this next phase of the internet as a leap forward, rather than incremental change. But I also think that IoT will create significant challenges in areas like privacy and security. I wanted to do the Security of Things Forum to start sketching out some of the issues and some possible solutions."

And sketch they did with an impressive lineup of security luminaries each bringing their own dose of reality to the IoT party. Most of the 65 folks gathered for this debut SECoT knew exactly where Sonatype CTO Joshua Corman was going when he flashed a pic of a personal insulin pump attached to a patient's abdomen on the screen.

They've all read the stories about how imprudent decisions to add Bluetooth capabilities to such devices have rendered them susceptible to malicious manipulation. Same goes for his pic of the Toyota Prius dashboard.

The videos of the Prius' software-reliant systems being hacked and controlled by security researchers are well known among these folks.

"Our dependence on these systems is growing faster than our ability to secure them," Corman said. "That's how I know we're not getting better."

Corman challenged the group to replace the word "software" with "vulnerable" and "connected" with "exposed". If you have a software-driven and network-connected toaster, he said, you have a vulnerable, exposed toaster.

The same goes for the proliferation of smart devices that are the vanguard of the IoT movement, from light switches to thermostats to door locks.

"As we bring more of this software and connectivity into our homes, we're inviting the devil into our homes," Corman said. "The very things you use to keep bad guys out of your house can be converted to let them in."

And Corman has a message for the breathless IoT advocates who call such security warnings FUD. "Just because it's scary doesn't mean it's not true."

Corman, a well-known evangelist and thought leader on IT security, is spearheading a grassroots campaign called I Am The Cavalry that aims to be the voice of reason when it comes to the security of, and public trust in, the burgeoning number of technology-enabled devices invading every aspect of everyday life.

One of the core efforts of the group is to improve incentives for security by preaching trustworthy technology development to key groups of corporate buyers like hospitals and utility companies rather than to the developers and manufacturers themselves.

Corman's message to these stakeholders in the IoT: "You need real facts to make real risk-reward decisions."

In fact, that business-focused message permeated much of the conversation at SECoT, where even the most religious of security advocates understands that for security to take hold, it must hold some financial value for someone in the technology cycle.

The real challenge, they say, is to tighten security measures before a vulnerability causes an incident that forever damages the trust required for the IoT to realise its formidable potential.

Cisco, one of the SECoT sponsors, has been trying to make this case for several months, putting up cash for its IoT Security Grand Challenge, a chance for the global security community to propose practical security solutions across all of the markets affected by the IoT.

Cisco has invested $300,000 in prize money for awards of $50,000 to $75,000 for up to six recipients. Cisco's team of security experts will evaluate proposals based on feasibility, scalability, performance and ease of use, as well as technical maturity and ability to span multiple vertical markets like manufacturing, transportation, healthcare, oil and gas exploration, or utilities (smart power grids).

"In the healthcare sector, it's easy to imagine how internet-connected devices and systems are revolutionising patient care," said Chris Young, senior vice president of Cisco's Security Group.

"In the transportation sector, technologists are already connecting vehicles and their subsystems to the internet. It is also, unfortunately, too easy to imagine how these world-changing developments could go terribly wrong when attacked or corrupted by bad actors."

Few people, least of all those at Cisco, want to see a potential $19trn market put at risk because security got short shrift, with devices left unpatched and the IoT consigned to an unmonitored badlands for hackers and cyber criminals.

Indeed, a survey by SSH Communications Security and Forrester Consulting has found that the rise of machine-to-machine (M2M) connections in datacentres across most industries has far outstripped the ability of organisations to secure them.

The resulting misalignment of security and compliance priorities places these organisations at risk, the survey found.

These are issues that will need to be sorted out soon if IoT is ever to realise its potential. They are also issues where the channel might gain a foothold in this emerging space and take advantage of the opportunities.

Getting from security need to business incentive won't be easy, according to Dan Geer, the noted security expert and technology advisor to US government intelligence agencies who now serves as CISO for In-Q-Tel.

Geer told SECoT of the difficulty of getting investors to bite on security measures that on their face appear to cost more money than they make.

Geer also advocates embedded systems that discover and root out their own problems as a priority over those built merely to defend themselves. In the battle between increasing the time between incidents and decreasing the time to remediation, "I think we should be aiming for the latter", he told SECoT attendees.

"Security is the absence of unmitigatable surprise. My design goal is 'no silent failure'."

In the end, it's not about raining on the IoT parade, said Roberts, but moving the conversation into a more prudent and defensible space by bringing the vendors and the often insular communities together.

"I think that people are absolutely right to be gung-ho about the possibilities of the IoT," Roberts said. "I went to the IoT Olympiad on Sunday and saw some of the presentations, and they're really impressive. But if you don't start raising your hand and saying 'ahem', then [security] considerations don't happen.

"My real hope is for cross-pollination between folks within the IT security community and folks in organisations that are really at the forefront of the IoT revolution," Roberts added.

"I want future SECoT to be more interactive and hands on [with] more opportunities for folks to interact in small groups, experiment, learn, et cetera. I think that at this early stage in the evolution of the IoT - and the IoT security space - that's really what we need to get ideas and conversation flowing."

Chris Gonsalves is vice president of editorial at Channelnomics

Editor's note: This story was updated to include comments from the SECoT event organiser.

For more US-focused channel coverage, see www.channelnomics.com