That is a common joke from friends in and out of the IoT industry, and personally I consider it a deflection from the troubles of Equifax, Uber, etc. These are cases where the back end systems were attacked and not some sensor or module that represented the breach.
Now don’t get me wrong, we have added a great deal of connectivity to what traditionally were closed systems. So there is a need for a security audit on IoT. To that end, IoT Evolution has invited all Chief Security Officers (CSO) and Chief Information Security Officers (CISO) or their equivalent to come to our IoT Security 4.0 Conference for free. You just have to be verified after you fill out this registration. Attendance is good for 10 PDUs, which can be converted into 1 CEU.
The reason we are inviting the security officers is to make sure that they don’t delay the deployment of IoT solutions. A friend always says that repetition is reputation, and with all the noise about IoT security you would think that IoT is the cause of everything from global warming to robocalls.
Let’s look at where real breaches occur and ask the most important question about IoT security: when it happens, what will they have access to?
Let’s start with Industrial Espionage. There are companies in this world that may look to gum up the works of their competitors. A worm like Stuxnet screwed up the Iranian nuclear program by attacking the PLC. While this worm was made (allegedly) for that single purpose, I am sure it has wormed its way into other systems, more likely through inadvertent use of USB sticks in the office. Now the purpose of the worm was to slow production, so besides checking the code of every PLC, the use of IoT Analytics would be a wise move.
However, my general sense is that this kind of Industrial Espionage has more effort and less value than other strategies.
The better objective is to find a way into companies’ back-end systems and copy, erase or steal their valuable information. While I still think servers are the more likely and easier target, the question with IoT should be: is the system contained and closed, and when does it touch other systems? Once again, a PLC normally has limited functionality, so it would not be a smart place to attack, but it could be an entry point. Locking the connectivity and containing the flow of communication should be a concern.
Next we come to Telematics and Self Driving Cars. This can be very scary, and we have seen hackers successfully attack a vehicle, just to prove they could. Now there are over 200 sensors in most models of cars these days, and more than double that amount of sensors as you go to the higher-priced cars. However, the sensors themselves are pretty solitary in purpose: engine diagnostics, tire pressure, etc. The honey pot here is the console, and once again the lock down and assuring that it is a closed system is a logical security strategy. In this case, you trust the automaker to make a safe car, so it’s logical to think they will make it secure.
Next we have the smart home, and here I have to admit that I see reasons to be concerned. So many devices are out there and so many “things” are intelligent that like a clam, one can cough and give them all away. In addition, these systems are not tested for compatibility so feature interaction itself can be a problem. However, once again the problem is on the intelligent side of the sensor and not the sensors themselves.
Now with all that said, there has been a lot of effort to make sure that security has been properly examined, and to be clear, IoT Evolution Security summit has over 10 hours of security training, for which your attendance generates 10 PDUs, which is the equivalent of 1 CEU.
As it relates to IoT, it is better training than most security classes and covers everything from Blockchain to Zombie systems.
Philip Crosby used to say “Quality is Free” to make the point that if you did not focus on quality the errors would cost you. I would submit that IoT Evolution has made Security A Priority and it’s almost free (you still have to travel).
Given the level of expertise from the community speaking at the event, I would think if you don’t hear the answers to your concerns about IoT Security you would certainly find the people who can answer them.
Once again here is the registration link.