"To secure things on the Internet, we need to know what things we have as a first step," Demopoulos says. There are lots of ways to potentially find what is on any network, he says, including passive listening at network aggregating points, and scanning networks with automated tools that run periodically.
"This works well today, but will not in the future," Demopoulos says. "We will be living in an increasing IPv6 and IPv4 world. You cannot scan an IPv6 subnet, so this technique will not work. An IPv6 subnet is just too big. Organizations need to start planning now on how they will do device discovery in the future. The first step to securing those devices is knowing that they are there."
Security needs to be built in as the foundation of IoT systems, "and that's blatantly not happening," Rose says. "We need to place security at the most capable point in the technology chain and then subject it to rigorous validity checks, authentication, data verification, etc. In addition all the data needs to be encrypted."
At the application level, software development organizations need to be better at writing code that is stable, resilient and trustworthy, Rose says. "They can achieve some of this through better code development standards, training, threat analysis and testing," he says. "Unfortunately, they will always be dependent upon the logical layers beneath them, [for example] the hardware, virtualization layer and the operating system."
These layers need to be reviewed and hardened to ensure that the platform is secure all the way up, Rose says. "In addition, as systems interact with each other, it's essential to have an agreed interoperability standard, which is rock solid," he says. "These are the foundations upon which the IoT will be built."
The IoT: A primer
The Internet of Things (IoT) is still a somewhat vague concept and carries a number of definitions. In general, the IoT refers to an Internet-like structure that connects uniquely identifiable objects, basically anything that can be tagged with an identifying chip.
The "things" in the network take on virtual representations, and can interact with each other as well as gather data such as when and how objects are being used, their operating condition, etc.
Talk of the IoT first emerged through the work of the Auto-ID Center, a non-profit collaboration of private businesses and academic institutions that began creating an Internet-like infrastructure that could be used to track goods around the world via radio frequency identification (RFID) tags containing Electronic Product Codes.
When the center closed in 2003, EPCGlobal was created to continue the effort to commercialize EPC technology, and the center's research continues today at Auto-ID Labs operated by universities around the world.