Remember That IoT Is Physical—Not Cyber
Business executives and board members are understandably excited—perhaps even giddy—about the potential for huge business upsides resulting from new Internet of Things (IoT) projects. And why not? IoT’s potential for increased economic value is both inspirational and pragmatic; the technology’s contribution to global economic value has been estimated at more than $11 trillion—yes, trillion with a T.
But let’s not lose track of an irrefutable and critical aspect to ensuring a safe, secure IoT: It’s much more than creating, capturing, and analyzing tons of new data from billions of connected devices at work, at home, and anywhere we play, shop, or interact with others. It’s about securing critical infrastructure that ensures our water is clean, our election results are legitimate, our traffic lights work properly, and our physical health is protected.
In other words, if my laptop is compromised, that’s an inconvenience—maybe a big one, especially for my company, but it’s highly unlikely to affects entire communities, countries, or planets.
But if an IoT system ensuring that structural integrity of a major dam fails, people die.
That’s why business leaders—C-suite executives, CIOs, CISOs, board members and other decision-makers—need to keep in mind that the most important IoT solutions aren’t cyber. They’re physical.
Most security professionals are still figuring this out about IoT. They are just starting to understand that securing IoT systems is very different from securing computers. Until we started using computers, networks, sensors, and other technology to secure critical infrastructure, data security was like a video game. You monitored networks and data traffic for anomalies and aberrant behavior, and your systems detected, prevented, and remediated problems. Yes, data breaches caused headaches and cost money, but for the most part no one’s physical safety was compromised. No longer.
IoT is about people. The technology was created, in large part, to do things for us at work, at home, and in our communities. It allows us to open valves in oil rigs, pump blood with reliable, repeatable precision, and make sure our cars don’t crash into each other at high speed at busy intersections. It involves real lives and real people; damage caused by IoT security breaches is actively harmful.
Don’t take what I’m saying as proof that I’m a Luddite. Far from it; I think IoT is an exciting, game-changing technology that already is improving a vast array of business functions and improving our quality of life. But we need to think about IoT security in different ways than we do cybersecurity that defends us against data loss, ransomware, and leaky endpoints.
One development that really hit home for me was reading about a toy manufacturer that had to recall an IoT-enabled talking doll because they discovered that children’s physical locations were being identified by an internal sensor, making it easier for potential predators to track children’s whereabouts.
Think about it: So much of our critical infrastructure is being controlled by IoT that it’s easy to envision a growing array of physical risks in the event of security problems.
Water purification systems? Check.
Kidney dialysis machines? Check.
Your car? Check.
Electric grids? Check….and on and on it the list goes.
This puts the onus on business leaders, technology executives, security professionals, and any businessperson looking to integrate IoT into their processes, products, and services to re-imagine and re-engineer their approach to IoT security.
- Just because you can slap a chip or sensor on something doesn’t mean you should. You need to think about the pros and cons of “IoT-izing” what you do or what you sell. And this requires a sober, comprehensive analysis of your security vulnerabilities, both cyber and physical. IoT might be a huge net gain for a particular use case, but you’re doing yourself and your organization a big and potentially dangerous disservice if you don’t do an honest risk assessment.
- Everyone has a stake in IoT: Make sure all voices are heard on physical security, not just cybersecurity. Don’t fall into the trap of treating IoT as a technology issue. Of course, your CIO, CISO, CTO, and other technical leaders offer important points of view and expertise, but business leaders and board members need to have skin in the game too. You never know who is going to be sitting at the table when an exciting IoT project is proposed and who will say, “What’s our legal and moral responsibility if a heart patient’s defibrillator chip is disabled by a hacker?”
- Identifying potential IoT risks must become collaborative among an enterprise’s full ecosystem. Organizations must share data about IoT risks with suppliers, trading partners, customers—even competitors. With tens of billions of new devices becoming part of the IoT phenomenon every year, risks are multiplying at astronomical rates. No organization can afford to fight the good fight without a lot of help.
Remember: When it comes to IoT, real lives can be affected by threats. The sooner everyone acknowledges that and plans accordingly, the better off we’ll all become.