IoT Security – We’re Doing it Wrong

I spend a lot of time at information security industry events. It’s part of my job at Cisco: visiting customers and attending and speaking at conferences. And these days, many of my conversations are focused on issues surrounding securing the Internet of Things.

By and large, I enjoy this immensely. But my experience also gives me a vantage point from which to observe the cyber security and IoT security community broadly. What I’ve concluded is this: ours is a community made up of highly gifted and intelligent professionals with diverse, but also specialized, skills. Unfortunately, ours has been – and continues to be – an insular community.

Marc Blackmer, Cisco Systems
Marc Blackmer is a Product Marketing Manager for Industry Solutions at Cisco.

I’ve come to realize that this pronounced and endemic navel gazing does us and the general public a great disservice. In fact, it may make the job of not repeating the security mistakes of the last two decades more difficult. Can we change this? I believe so. But first we need to address some underlying problems. Among them:

I. Securing the IoT is a technology issue and a “people” issue

The Internet of Things is a vast space that encompasses traditional information technology, embedded and industrial control systems technology, as well as cloud computing and data analytics. It shouldn’t surprise you to learn that securing the IoT is a complex problem as well. It involves technology problems but also “people” problems. The adoption of IoT will demand new tools and defenses, it’s true. But it will also demand changes in the behavior of countless individuals, including more attention to security in the design, development and deployment of IoT products.

II. Convenience (still) trumps security

While our community recognizes the vital importance of securing intelligent devices and critical infrastructure, the truth is that convenience still trumps security in the vast majority of use cases. Consumers of IoT technology are drawn by the promise of greater productivity and convenience. Asking them to know about – let alone have an opinion on – the security of data communications to and from those devices, or application security, is unrealistic and invites lax behaviors.

Back when RIM BlackBerries were making their debut, I worked as an IT manager at a hospital. Our resident security guy (yes, there was just one) wouldn’t allow the Blackberry phones to access network resources. Regardless, the devices gained popularity with the doctors who created a “shadow IT” group to support the devices and applications on their own. Ultimately, we in IT had to decide whether to stand on principle and continue a standoff that jeopardized the security of the network, or to become quicker in supporting what our users needed. We chose the latter.

Adoption of IoT technologies will be no different. The public is already adopting many of these products – from “wearables” to IP-enabled Drop Cams – despite our concerns. As cyber security practitioners, we will be quickly bypassed if we expect the rest of the world to wait for us to get comfortable with new technologies or settle on secure standards, frameworks, interoperability, etc.

III. We have self-selected

Cyber security is important to us because we are cyber security professionals. The people we are working to influence and protect have other priorities. In short: we’re doing it wrong. The people we should be most concerned about influencing are not those in the audience at DEF CON, Black Hat, B Sides or any of the countless security mini-cons that are held around the world. The people we need to influence aren’t at our events. They’re the people who aren’t yet convinced of the threat, who don’t see value in cyber security or think it’s all just FUD (fear, uncertainty and doubt).

Moving Forward

In the end, the public doesn’t need to know how the sausage is made, just that it tastes good. We don’t need and shouldn’t try to make cyber security experts of the world. Rather, we need to instill good habits in the areas where they matter most. Here are some suggestions for doing that:

  • Stop being insular. We need to re-frame our technical appeals for cyber security from “here’s why you need to do this” to “here’s what’s in it for you.” We are competing for attention and can’t assume that our point is obvious to them just because it’s obvious to us.
  • See ‘cyber’ in a broader context. Security isn’t as important to the rest of the world as it is to our community. In most development organizations, cyber security is seen as an impediment to timely and affordable product development. In those environments, our advice will be disregarded irrespective of our capabilities or level of expertise. That’s sad to admit – but it’s the truth. To gain acceptance of our ideas, we need to broaden the conversation by taking concepts such as user-centered design and extending those principles to promote secure design, development and deployment.

In the end, the rest of the world needs to understand the benefits of securing the IoT in a way that’s relevant to them. I do think that we can acceptably secure the IoT, but I think it’s vital that we take the task on with realistic, pragmatic, human-focused approaches.