Every device connected to the Internet is a potential threat to information security. In the new world of the Internet of Things (IoT), there could be 50 billion connected devices by 2020, up from 15 billion in 2015. Forecasts vary but what is certain is that there will be a dramatic increase.
Manufacturers need to build in security from the outset. Consider cloud computing; a recent innovation where there was an emphasis on security, although some issues did happen. LogMeIn’s Paddy Srinivasan says a big difference between the emergence of IoT and cloud computing is that lines of business were the main catalysts for the cloud. OEMs of physical products have taken the lead on IoT, and most of them have limited IT staff. Security may be towards the bottom of the list of the things to be done, and maybe not on it at all.
When there is a threat you need to know how to isolate it, and to stop if from happening again in the future by applying a patch. Applying patches in the workplace isn’t too difficult at the moment, but in the future it may be more complex as manufacturers of IoT devices may not have provided a process that is easy to use.
The recent Jeep Cherokee hack was a public demonstration that an IoT vehicle can be hacked, with potentially fatal consequences. The attack requires access to Sprint’s network, which connects the vehicle to the Internet. Sprint has now blocked the port used for attacks. A software upgrade is required to fix the problem. So how do you apply it? By going through several steps to download it to a flash drive, and inserting this into the car’s USB socket. There is a good explanation of what is required, and security flaws in the process, at flyingpenguin. This isn’t going to be easy for many people, so a costly recall of 1.4 million vehicles is underway.
At least Fiat Chrysler thought about installing upgrades. Other manufacturers may not have considered this, or it will be so complex that it cannot be done, or have to recall devices. For some, the recall costs could be the end of their business. This is a case of ‘watch this space’ and see how manufacturers take on board the need for security. In the workplace consider IoT devices in the risk assessment. There may need to be some guidance and controls on devices that can be connected and contingency plans if there are security issues.