Experts: ‘Infinite’ Attack Surface of IoT Demands New Approach

If the growth of the Internet of Things has been a curiosity to enterprises and the IT security industry that serves them, it won’t stay that way for long, experts warned at a gathering in San Francisco.

BrightCove's Guide To The Internet of Things
Interoperability is a major obstacle to growth of The Internet of Things.

The rapid adoption of Internet of Things (IoT) technology is poised to transform the IT industry, vastly expanding the opportunities for cyber attacks against a much wider range of targets: from implantable medical devices to manufacturing plants to automobiles, according to participants in a panel discussion on “Shaping The Internet of Things” at The Amphion Forum event in San Francisco.

While media attention on The Internet of Things has focused on products like the Nest Thermostat and connected automobiles, the IoT encompasses an almost limitless population of devices – many far more mundane, said Ralph Broom, a Principal Engineer at the firm Noblis and one of three panel members.

The Internet of Things, in theory, goes far beyond mobile devices like smartphones to encompass any object that is now disconnected from the Internet, but has the potential to be connected, Broom said.

And, when it comes to the transformative effects of the IoT, many of the biggest changes may come by connecting and beginning to mine data from the constellation of mundane and “dumb” objects that populate our lives, said Maribel Lopez, the Principal Analyst at Lopez Research in San Francisco.

However, securing all those connected devices is a profound challenge and one for which the IT industry isn’t entirely prepared, Lopez cautioned.

“Every time we have a new set of devices, we create a new management infrastructure to deal with it,” she noted. But the sheer scale of the IoT, which may soon comprise thousands or even tens of thousands of intelligent devices within a typical corporate environment, will threaten the viability of that model.

Speaking of the coming expansion of the IoT environment, Broom said that the number of potentially vulnerable devices will be so enormous as to, effectively, end the idea that any “perimeter” exists between a corporate IT environment, the physical environment and the public Internet.

“You have a situation where the perimeter disappears and the attack surface becomes infinite,” he said.

One of the biggest challenges will be in the healthcare industry, which stands to benefit enormously from a new generation of intelligent medical devices, some of which will be implanted within the patient, said Dale Nordenberg, the Executive Director of MDISS, the Medical Device Innovation, Safety & Security Consortium.

“The Internet of Things is about the intersection of carbon and silicon, and that will have enormous consequences for human health,” Nordenberg said. “The human body is just another kind of control system.”

Already, patients can benefit from almost ICU-level monitoring at home, with the help of wearable cardiac monitors that send real-time data to caregivers, he noted. But there are considerable technical and cultural obstacles that make adapting to the changes wrought by Internet of Things technologies difficult, the experts agreed. In medicine, IT and clinical staff are typically segregated, with little overlap in membership or skill sets. That can create the opportunity for serious errors to happen in the “hand-off” from one team to another, or as a patient transitions from a hospital to a home setting.

Beyond that, regulations covering medical devices make it difficult for hospitals and doctors' offices to upgrade the software that runs them without falling foul of the FDA.

Even outside of medicine, in fields like manufacturing, the growth of connected devices and mobile computing is wiping away assumptions about what constitutes a critical IT asset and how best to secure it, Lopez said.

“The introduction of things like IoT and mobility force you to address inefficiencies that you haven’t had to address. It’s a complete rethink of how to do business.”
