Refrigerator Spam And Other Tall Tales: The Enterprise IoT Risk

On Thursday, I will chair an excellent discussion of security and the Internet of Things at the Qualys Security Conference (QSC) in Las Vegas. The discussion has the working title “Refrigerator Spam and Other Tall Tales: Assessing the Real Internet of Things Risk for Your Organization.”

I'll chair a panel at QSC 14 that considers the enterprise implications of Internet of Things technology.

As the title suggests, we’ll be disclaiming the FUD (fear, uncertainty and doubt) that surrounds much of the IoT and security space, while also highlighting the real risks that more and diverse connected devices pose to enterprises. I’ll be joined on stage by some truly exceptional minds. Among them:

Danny McPherson, the Senior Vice President and Chief Security Officer at Verisign, and Jonathan Trull, Chief Information Security Officer at Qualys. (Jon was our guest at the first Security Ledger/Invincea CISO hangout last week.) On stage with us will be Chris Rezendes, the President of INEX Advisors and one of our moderators at The Security of Things Forum. We’ll also be joined by Chuka Eze, a Principal at Xipiter LLC, which is doing some really interesting work on embedded device security.

Ahead of the panel, I sat down with my friend George Hulme, a longtime and well-respected security reporter and writer, to talk about IoT and security. We had a great talk, which George has boiled down into a short blog post (mostly by editing out all the journalistic shop talk). Here’s some of that interview:

George: This promises to be a very interesting panel, Paul. Can you share a little about what you hope to discuss about the Internet of Things?

Paul: It’s a really great panel. The Internet of Things is this monolithic term that we in the media and marketing departments use to paint this trend with a very broad brush. It really is a bunch of different constituent technologies, some of which aren’t really new at all. Examples are embedded devices, or the cloud or sensor networks.

I think what’s new is the application of all of those things together and the big data analysis piece of it that is potentially creating a lot of value for companies. One of the things that’s going to come out of the panel is that there are a lot of industries and verticals that have been doing Internet of Things for a long time, including manufacturing, healthcare, and other industries. They’re kind of far down the road on this.

The “enterprise” is not yet, but you’re going to see the waves of the Internet of Things start to wash over even rank and file enterprises. The question is how is that going to happen. I think there are a few different contexts or scenarios by which enterprises are really going to be forced to address Internet of Things and make it a part of their overall IT security program.

George: What are some of the technologies in place today that could easily become part of the IoT? 

Paul: One of those that I think we’re going to talk about is technologies or applications like building automation, which includes everything from environmental control, HVAC controls, that are going to become increasingly smart, increasingly hooked up to remote management, cloud-based management systems. Those have huge cost savings for building management companies, for the real estate owners or, if the company is in its own building, for the company itself. There’s a huge advantage to them.

There’s a huge intersection of building automation with Internet of Things. Everything from door locks to, again, HVAC systems to security. My sense is most companies these days don’t have a firm grasp on the systems that run the buildings in which their company’s located or the connections between those systems and potentially their own network.

We know with the Target hack, it came by way of a compromised account at a subcontractor that was involved with the HVAC and the maintenance of the environmental controls. I think that’s kind of a canary in the coal mine type of situation. I think building automation is one area where even if the company is not going headlong into the Internet of Things, Internet of Things security could really become an issue that the company needs to consider or be aware of.

Stay tuned for more news out of QSC and our IoT panel. In the meantime, you can read the rest of our interview here: Security Labs: QSC Panel Preview: Internet of T… | Qualys Community.
