The world is moving to a highly connected framework where entire segments of our home, personal life, and business are and will continue to be connected in an extremely automated, machine-to-machine fabric where actions are taken in milliseconds with minimal human intervention. Over 100 cities across the world in places like Dallas, Chicago, Barcelona, Dubai and elsewhere are moving forward in an Internet of Things (IoT)/Internet of Everything (IoE) concept known as smart cities. More than just offering Wi-Fi hotspots in public places, smart cities also include connected traffic management systems, public transportation, lighting management, environmental monitoring, and public safety and security systems all connected to an operations center. Related developments include the smart grid, where homes and businesses are connected with smart meters to monitor energy usage and outages and make adjustments accordingly. Consumers are encouraged through tax incentives to become part of the related connected home construct, where our use of energy and other resources is automatically monitored via Wi-Fi-enabled thermostats or utility-supplied smart meters. Businesses are likewise connected, not just at the building infrastructure level where HVAC and lighting systems are connected, but also office machines, security systems, even commerce systems. In the healthcare space, connected health components connect us not just in the hospital where we might expect that to be the norm (and we might even expect it to be secure), but even remotely where our pacemakers or implanted medical devices have the capability to be “wirelessly” connected for purposes of remote monitoring, telemedicine, clinical trials and the like.
Unfortunately, all that traffic is riding on the same Internet where we get our email, watch the latest series on our favorite streaming service and shop for everything from clothes to cars to coffee. Estimates are that the Internet worldwide will cross the 25 billion connected device threshold sometime in 2017, across 4 key elements or domains: (a) people – connected across the Internet and sharing information and activities on social platforms like Facebook, Instagram, Waze etc.; (b) things – physical sensors and devices generating and receiving data, with examples including smart thermostats, smart TVs and fitness devices; (c) data – today, data flows automatically from device to application and is analyzed behind the scenes to enable decisions, actions and controls; and (d) processes or applications – leverage the connectivity between people, things and data to make things happen.
So why do we or should we care? Don’t get me wrong, I like the idea that Waze can automatically route me around traffic jams in the D.C. area, as they occur, each day. I don’t have to think about finding an alternate route; I can let the wisdom of the crowd and social media work on my behalf. However, while we now have decades of experience in securing our desktops, laptops or servers, would anyone honestly say that there is no risk from a cyber perspective? Why would we believe that a company that has been manufacturing thermostats or refrigerators or any other device for decades can suddenly become a cyber expert with their latest product release? In October, we saw a “massive” denial of service attack when a botnet consisting of ~150K webcams and DVRs sent 1.5 terabits of information at a single website to take it down. We could say that it’s a one-time event, but we’d be ignoring the fact that the botnet used represented less than half of one-tenth of one percent of all connected webcams and DVRs, so unless we somehow believe that the other 99.95 percent of devices are secure, the attack surface for just that class of device is huge.
So what do we do? First, forgetting about driverless cars, or drones, and focusing just on what we currently have, we must understand, both personally and professionally, the risk profile for existing devices. Second, adopt a threat-based approach to devices (identify -> protect -> respond/recover). Do you know how many IP-connected devices you have at home or at work? Are you sure? If not, then third, assume zero-trust across the enterprise (i.e., protect data in transit, at rest and during processing). Numerous studies have shown that the gap between an individual’s or a company’s perception of their security posture and where they really are, as measured by independent parties, is stark. In the oil and gas segment alone, although 42 percent of the corporations believe they are well prepared, only 15 percent really are. In the utilities market segment, 38 percent believe they are well prepared, but in reality, only four percent really are. Said another way, using information provided by utility companies, the only reasonable conclusion you can draw is that 96 percent are vulnerable, or very vulnerable, to a cyber-attack.
Absent a catastrophic attack on the IoT/IoE, our nature and our history suggest we will forgo the necessary investment and precautions to increase our cyber security posture. Arguably, we are closer than we think, and certainly closer than we were a year ago. As every nation state and malicious actor continues to invest in machine learning or artificial intelligence, the day is not far off when the convergence of wireless technologies, analytics as applied to artificial intelligence, and the IoT will be applied to cyber warfare. The question remains, on that day, will we be safe?