I was at a PETRAS IoT (Internet of Things) event recently and a question I was asked at lunchtime got me thinking.
The question was:
“Do you think cloud is secure?”
My response quite obviously was that the question needed a lot more context. Which cloud? In what sense? Secure enough for what? Etc. etc.
We are falling into the same trap with IoT: thinking of it as a single ‘thing’. All IoT devices may share some traits, in the same way as there are certain traits a hosted service must have for it to be called a cloud service.
However, all IoT devices clearly cannot and should not be lumped into one big category.
As my interest is in security I’ll use that as an example.
Consider the level of security required around a simple consumer device like a lightbulb. It may have a few capabilities such as on / off / dim, and potentially the ability to order a replacement lightbulb to your address. You may also want some controls in place to prevent anyone logging onto it for anything other than on / off control, and to stop it from enumerating your home network.
Now consider the security required around a medical device such as a pacemaker or an insulin pump for a diabetic. A while ago someone demonstrated they could hack a Bluetooth insulin device and make it release all of its insulin at once. Obviously this was done while the device was not connected to a person!
In the above examples, as long as there are some sensible rules in place, the attack surface the lightbulb presents is very limited, and its value to criminals is effectively zero.
However, in the healthcare example a security issue could lead to an immediate risk to life: imagine the scenario of “pay xx bitcoins or I affect your insulin supply, or stop your pacemaker”. This demonstrates not only a risk to life, but also a clear avenue to profit for the criminal.
We 100% need to work to improve the security and manageability of IoT devices across the board. However, we need to start segmenting this into different sectors and levels of threat / risk / value.
This will allow sensible dialogue about what is appropriate for different circumstances. It is also likely to allow faster progress at an appropriate level of security.
For example, a framework for the security and risk management of consumer devices such as lights, fridges, toasters etc. could likely be arrived at. This would allow progress to be made in this space and give consumers wider benefits from IoT, without being mired in wider conversations about what is appropriate for healthcare or transport IoT.
So this post has two points:
- When something is massive and wide ranging, such as cloud or IoT, it is fine to use it as a concept, but we need to stop talking about it as a single thing when we think about security, as there is no single solution or set of requirements.
- IoT: we need to define distinct, but not too narrow, use cases, e.g. healthcare, consumer, transport etc. Following this we can agree sensible and appropriate frameworks and requirements for things like security, management and payments.
I’ve been mulling over a high level concept for securing IoT payments and the consumer space, that I’ll flesh out and share in an upcoming post. It would be great to hear your thoughts on this and how we can best manage / secure the various types and use cases of IoT.