Read Part 1
“Will the IoT be secure?” It’s a loaded question, but one that I hear often.
The honest answer is probably “no.” In the same way that life and the internet aren’t secure — the Internet of Things (IoT) won’t be secure.
But that’s not a very satisfactory response, so let’s explore this further. What are the parameters of IoT security? How do these parameters interact, and what can be concluded? Specifically, we’ll look at these three factors:
- The cost of IoT security
- How security changes over time
- The scope of IoT security
The economics of IoT security
Let’s start with a cost/value perspective. The typical scenario (and anyone who’s been in the security business will recognize this) is that everybody starts out wanting “the best” security, but that position usually softens pretty quickly if it comes with a hefty price tag. Security follows the usual economic laws: the higher the security, the higher the cost. And cost includes not only the security measures themselves, but also the convenience toll: multiple password entries, repeatedly requested, quickly expiring.
So what’s an acceptable cost? In accordance with typical economic laws, the cost of something should be in balance with its value. So the cost of the security measures should be in balance with the value of the item that’s secured and the risks associated with a security breach. Logically, then, the higher the value of something and/or the larger the risk of a security breach, the higher the price that someone should be willing to spend securing it.
Logical, yes — but it isn’t quite that simple. How do you determine the value in an IoT scenario? It’s a simpler question when asked about something that can be replaced with a single trip to a store, but more difficult here. Ask a museum director for the value of a painting, or a parent about the value a child home alone. And what about evaluating the risk? Spend a few minutes reading about the continuing string of data security breaches and it quickly becomes clear that we’re underestimating the risk.
Technology progress: The risks of more and more complexity
The second parameter is technology — or to be more precise, the progress of technology. Something that’s secure today can be broken tomorrow, and something that was out of reach in the past is solvable today.
Over the last few decades, security has been in a race with hackers. System complexity, and the lack of absolute end-to-end oversight, also play roles. Systems today are becoming so complex that holes in security are easily introduced — and when they’re identified, those holes need to be rapidly patched. Some suggest that this increasing complexity, and the costs associated with it, are the largest risk for being able to build secure systems. In any case, the progress of technology at any given moment is an important factor in overall IoT security.
The scope of IoT security
This is a tricky one. There is no scope around security as a whole, no level playing field. Every security solution is an answer to a (possible) particular security breach, and it assumes that breach plays by certain rules, staying within that issue’s scope.
The problem with this, and as perhaps best said here, is the only real rule is that there are no rules.
Let’s look at a few examples:
- Security systems. Consider a house with a security system that calls a dispatch center when an alarm is triggered. When the power is down, the security system won’t work. Adding a battery backup would work, unless the power is also down at the dispatch center. And even if the security system is working as expected, the truth is that the house still has windows that can be broken and items grabbed and stolen before security personnel can arrive at the home.
- Wireless technology. All the data going through the air is fully encrypted. But someone recording the encrypted data (like a username and password) and then replaying that data will gain access. No need for decrypting.
- Wi-Fi patterns. Or imagine that someone is listening to the Wi-Fi traffic of a house for a few days. Soon it would be easy to know when someone is in the home — or not. In other words, even with all of our secure Wi-Fi connections, we’re still essentially broadcasting information about when and if we’re at home.
Pulling it all together
Even these simple examples should give you a feel why security is such a challenging issue — and internet security in particular — and why there’s no reason to think it will be any simpler with the IoT.