You can’t turn anywhere without hearing about the Internet of Things. But does all of the hullabaloo we hear about Internet connected automobiles, home thermostats, lighting, refrigerators, and even medical devices mean anything to enterprises, or is the Internet of Things (IoT) a consumer trend?
Does IoT mean anything to enterprises and their ability to produce and innovate in the years ahead? And if they embrace the IoT, what could it mean to privacy and security? It turns out that it probably means more to security than many IT and security professionals are considering.
At the Qualys Security Conference recently, I had the pleasure to speak with Paul Roberts, the founder and editor-in-chief of The Security Ledger, before his panel Internet of Things: Assessing the Real Risks. During that discussion, Roberts explained how the IoT is really the confluence of many elements that have been underway for some time. These include sensor networks, mobile devices, cloud computing, and big data. But just because none of the specific ingredients are new doesn’t mean that the changes ahead as a result of their integration into IoT devices and connections won’t be profound.
In fact, we’re most likely to soon be up to our noses in devices that are constantly talking to us, as well as with each other, and constantly reacting to the data received and shared.
A quiet tsunami of devices
In fact, the encroachment of these devices into the enterprise is already well underway, and some of the IoT panel attendees explained how IoT is already taking them by surprise. For instance, many IoT devices are being connected without the involvement of IT. One of the most common connections involves building automation systems and remote device and systems management, including those for printers, photocopiers, and many other devices. All of this increasing connectedness creates risk.
That risk is not just from new devices electronically listening, sharing, and reacting to commands – but also from the vendors and contractors who also are communicating with these devices. One doesn’t need to look any further than the Target breach to see how such remote access can spell big trouble if not properly managed.
We can argue about how quickly enterprises get deeply IoT-connected, and to what extent – but few would argue that it’s not going to happen.
Signs of growth in IoT and parallels to the BYOD risk
To get an idea of how swiftly this will move, the research firm International Data Corporation (IDC) expects the global IoT market to reach just north of $7 trillion by 2020. According to IDC, that market last year was already about $2 trillion. IDC analyst Vernon Turner was quoted here as saying that IoT device growth is not just about consumers wanting Internet-connected light bulbs, but that enterprises are expressing explicit interest. "Businesses are taking the necessary steps to gain a deeper understanding of IoT and the overall value," Turner said.
Enterprises may very well be assessing the value of IoT, and hopefully some also are looking at the risks. I don’t doubt it. However, while they evaluate the risks and benefits, IoT-enabled devices are already streaming onto the network.
Roberts cited an interesting example when we talked. He described an executive from a Massachusetts-based commercial water valve maker who was speaking at the Connected Cloud Summit. The company makes valves used specifically in fire extinguishers and for other high-pressure use cases. It just so happens that these devices are Internet-connected, and the valves that this company manufactures are on nearly two-thirds of all the fire extinguishers sold in the United States. This company obviously sees the benefits of IoT, and wants its valves to be able to interact with large building management systems. Or, like many companies, it sees the benefit of having the devices remotely monitored and managed.
However, I wonder how many IT and security professionals at the companies that are buying these high-pressure valves have any idea that they are connected to external networks. Whether or not these valves are being integrated with enterprise building control systems doesn’t matter – the vendor may have access and one day someone is going to decide to turn on that functionality.
This quiet encroachment is a lot like the mobile Bring Your Own Device (BYOD) trend that took off as a significant IT trend shortly after the introduction of the iPhone.
There are probably many other types of IoT-capable devices connecting to the network: light bulbs, TVs, alarm systems, and even health monitoring systems. And do you know how they are managed? With smartphones, tablets, PCs, or notebooks that also are network connected. As people bring these new devices into the office and connect them to the enterprise network (oh, yes, they will), they will be creating a new vector of risk that the enterprise must contend with.
Are these devices communicating with only other authorized and authenticated users and devices? Can someone with bad intent step between the communications of these devices and somehow get them to do something unintended? It’s impossible to tell if you don’t realize they are there.
While this is not the most pressing of issues that enterprises face today, it will be a big one pretty soon. BYOD was a relatively small but important issue in the spring of 2007, but by the end of that year, as the iPhone took hold, BYOD became one of the most important security issues. And, much like late 2007 and BYOD, the time has come to take a close look at these new network-enabled devices coming onto the enterprise network. That way, when the attacks do come – and they will – you won’t be caught by surprise.