IoT Noir: Instruments of Death

‘first comes the OOHing and AHHing; then comes the running and screaming.'

Opportunity Rings

We are now at the beginning of the largest expansion of network and systems; one that follows from the rapid expanse of the Internet but will be orders of magnitude greater and faster.  In five years, the number of connected devices is expected to grow from 30 Million to 30 Billion. This is called the Internet of Things [IoT]. It is occurring as more and more devices and systems are enabled with processing control systems, data collection capabilities, and network connection. Outside of hard science fiction, it is difficult to conceive of the transformation this will make in our society. It presents extraordinary opportunities for wonder and productivity.  It is also, potentially, the worst thing we can imagine short of the dreaded Singularity.  Paraphrasing Jurassic Park’s systems scientist Dr. Ian Malcolm, ‘first comes the OOHing and AHHing; then comes the running and screaming.'

Connected, interworking product systems of personal, portable blood monitoring and insulin pumps exist today and soon will evolve to become an autonomic pancreas for patients in need.  This advance greatly improves the quality of life of its users. It is but one of countless device groups in the future IoT.  The infrastructure that supports IoT is just emerging.  Inexpensive small processors, cheap Wi-Fi networking chips, sensors, and IPv6 make it possible.  Technologies to manage this growth are also emerging, showing a first stage of technology maturity. Deployment of first Fog Computing to manage data streams and later Swarm Computing to allow autonomous local networks will allow reasonable control of the data and network impact.

There is no doubt we are only on the leading edge of the IoT.  The growth rate is around 20% per year and still increasing: millions of devices now, 10s of billions in 5 years, 100s of billions in 10 years.  Market value estimations only argue about how many trillions of dollars will be generated. Still, the growth of the IoT has a self-limiting factor.  It can only increase this fast until every new device we manufacture is connected.  While the growth of IoT is exponential now, as new devices are introduced, it will eventually become a logistical curve, its rate of growth reducing when only the already connected device types are replaced. Also, autonomy in devices, as each type gets smarter and more self-reliant, will reduce their need for continuous connection. The development paradigm that ‘devices may fail but the system recovers and remains stable’ will help contain breaches, localizing them.  Unfortunately, the growth of risk associated with the IoT is not so limited.

Dark Alley

We are moving into a darker world akin to the rise of piracy at the explosive opening growth of maritime commerce. This includes developing threats to the data collected (stolen or altered), threats to the controlling metadata (altered), openings in physical security of devices (hacks), and disruptions in the organization of systems of things (denial of service, failures in communication, failures in infrastructure). In some ways this parallels the first introduction of the firearm as a great force leveler and disruptor of the in-place authority structures. Cyber-sabotage and cyber-espionage attack technologies are proliferating. The threat environment will grow with the following:

  • Introduction of new bad guys:  organized cybercrime gangs, state sponsored cyber-attacks.
  • Introduction of new motives:  thievery, ransom, terrorism, industrial espionage, market intelligence, forced technical detent.
  • Introduction of new tech: enhanced hacking techniques, new devices with new exploitable openings.
  • Continued lack of public will and executive policies that toughen infrastructure.
  • Difficulty in developing systems to provide for organization and management of these new IoT networks.

Cisco’s estimates of IoT value “discounts future cash flows due to uncertainty around privacy and regulatory issues”[2], aka, security threats are becoming a significant limiter for the corporation’s exploitable value from the IoT. Regulatory compliance will add significant costs, skimming IoT potential value, but may help weed out the low-hanging-fruit and starve the marginal hacker.

So how can the security of 100 billion devices be maintained against increasing black hat numbers, better organized operations, and a growing technical sophistication of threat generators? What does our story’s security PI do?

Pounding the Pavement

Fortunately, the technology seeds and emerging operational models are present that will allow companies to meet this challenge.  But they must be developed, acquired, and deployed rapidly to counter a rapidly increasing threat profile which itself includes growing adaptive capabilities in the bad guys.  It has become a race, dollars to be made against dollars to be lost; the economic weather is getting pretty uncertain.


Latest Updates