When night falls at the Amundson-Scott South Pole Station it is a long wait until dawn. Six months, to be exact. Outside, in the darkness, the wind howls, and blizzards rage. Inside, the few dozen people who are spending the night pass the popcorn and settle in to watch John Carpenter’s “The Thing,” a classic sci-fi horror story about an extra-terrestrial life form that awakens and begins to consume the researchers at an Antarctic research station. In 2011, a prequel was released after the producers opted not to attempt a remake of Carpenter’s masterpiece on the assumption that a remake could not possibly be scarier that the original. Little did they know that people around the world were working on a concept that would eventually threaten far more people than the cloistered Antarctic researchers. I give you, “The Internet of Things” (IoT).
In its most benign form, the IoT means the network of devices that are connected to the Internet and can be controlled remotely. It imagines a world where anything can be connected and communicate with other devices. Cisco estimates 50 billion devices will be connected through the IoT by 2020. Smart homes; smart cities — a steady stream of data exchanged between and among devices, with the potential to enhance efficiency, lower costs, improve security. Except, that last attribute is open for debate.
Peter High is writing a series in Forbes titled “IT Influencers.” Highs’ series offers an interesting read. He recently interviewed Ron Ross, a Fellow at the National Institute of Standards and Technology, where he leads the Federal Information Security Management Act Implementation Project. Ross captures the essence of the challenge posed by the rapid expansion of the IoT:
“…the common denominator in everything that we are talking about in cybersecurity. That computer is driven by firmware and software created by human beings. It is getting larger, and the complexity is getting greater. When you have that situation, there are a certain number of flaws, weaknesses, or deficiencies that exist in any code. A certain percentage of those are vulnerabilities that can be exploited by threat sources or agents. That gives us great concern, because as the number of systems, platforms, and applications expands the number of vulnerabilities is growing. Those vulnerabilities are not always known…IoT is expanding the universe…as we put more things into our information technology infrastructure, more opportunities are given to adversaries to attack us. That attack surface grows larger every day, so we have to do some things to manage it, especially where we want to have systems that are dependable.”
Ross goes on to point out that as we head into an ever less certain future, we have to recognize that a core cybersecurity consideration for the IoT will simply be who and what we can trust. Trust will be earned and merited by the security features built into whatever product we buy. Marketing products that are part of the IoT will require earning and assuring trust—which brings us back to the fundamental challenge facing the dwindling band of researchers being devoured by The Thing. Who, and what, can we trust?
By Tom Davis, SDI Cyber Risk Practice
December 8, 2015