PCs and cell phones churn every 18 to 24 months, so the companies that produce them have a financial incentive to constantly refine the security of those devices. But people replace cars every 10 years, refrigerators every 20 and thermostats "never," says Schneier. "There exists no mechanism to patch them because it's not economically viable for third-parties," Schneier says.
The problems will mount as new devices emerge and they, along with the sensors and software used in conjunction with them, get cheaper and last longer. "You don't have the same ecosystem of upgrade in terms of patching, devices and operating system -- none of these things that in a computer world makes them better," Schneier says. "When your furnace becomes part of the IoT and they say you have to replace the hardware on your furnace every two years... people are not going to do it."
Assigning fault also plays a large part in the complex market dynamics. When a perpetrator infiltrates a network through a software vulnerability, we point to the flawed software. But with connected devices forming what is essentially a digital daisy chain, it is difficult to attribute fault. "If your refrigerator interacts with your router and hacks your Google account, whose fault is it?" Schneier says. "The market economy actually works against securing IoT."
Such security threats can snowball quickly, as Schneier wrote in a blog post last week: "Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The internet of things will make exploitable vulnerabilities much more common."
An IoT security model
Qadium is tackling the IoT security problem with "global internet sensing" software that scours hundreds of terabytes of data generated by devices configured by a given organization. It indexes a hundred different protocols, calls out to all of the devices that reside on a customer's network and gauges their responses for anomalies. It finds dark spaces in corporate networks that CIOs didn't even know existed.
"We look at the entire internet perpetually and turn it into an analytics challenge," Kraning says. The goal is to say, "We know where all devices of interest to a company are." Qadium's customers include the U.S. Cyber Command and the Navy.
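The discovery step described above boils down to an analytics problem: compare what actually answers on the network against what the organization believes it owns, and flag the differences. The following is an added illustration, not Qadium's software or code from the article; the inventory, the observed responses and the device names in it are all constructed sample data.

```python
"""Reconcile observed device responses against an asset inventory.

Added illustration (not Qadium's product): given constructed records of what
answered on the network (address, protocol, banner) and a constructed
inventory of what the organization expects, report the three things a CIO
would want from this kind of sensing: devices nobody knew about ("dark
spaces"), expected devices that did not answer, and devices whose response
has drifted from the fingerprint last recorded for them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    address: str
    protocol: str   # e.g. "http", "snmp", "modbus" (constructed labels)
    banner: str     # response fingerprint as observed during the sweep


# Constructed sample data: what the organization believes it has,
# keyed by (address, protocol) with the baseline fingerprint last recorded.
INVENTORY = {
    ("10.0.1.10", "http"): "Apache/2.4 (building-automation UI)",
    ("10.0.1.20", "snmp"): "HVAC-controller fw 3.1",
    ("10.0.1.30", "modbus"): "PLC-vendor modbus/tcp v2",
}

# Constructed sample data: what actually answered during a sweep.
OBSERVED = [
    Observation("10.0.1.10", "http", "Apache/2.4 (building-automation UI)"),
    Observation("10.0.1.20", "snmp", "HVAC-controller fw 2.7"),   # drifted
    Observation("10.0.1.44", "telnet", "smart-fridge login:"),     # unknown
]


def reconcile(inventory, observed):
    """Return (unknown, missing, drifted), each a sorted list of
    (address, protocol) keys.

    unknown: answered but not in the inventory (a dark space).
    missing: in the inventory but gave no response (offline, moved, or
             silently replaced).
    drifted: answered, but with a banner that differs from the baseline
             (firmware change, different device on the same address, ...).
    """
    seen = {(o.address, o.protocol): o.banner for o in observed}
    unknown = sorted(k for k in seen if k not in inventory)
    missing = sorted(k for k in inventory if k not in seen)
    drifted = sorted(k for k in inventory if k in seen and seen[k] != inventory[k])
    return unknown, missing, drifted


def report(inventory, observed):
    """Human-readable summary of reconcile(), one line per finding."""
    unknown, missing, drifted = reconcile(inventory, observed)
    lines = []
    for addr, proto in unknown:
        lines.append(f"UNKNOWN  {addr} {proto}: not in inventory")
    for addr, proto in missing:
        lines.append(f"MISSING  {addr} {proto}: no response")
    for addr, proto in drifted:
        lines.append(f"DRIFTED  {addr} {proto}: expected {inventory[(addr, proto)]!r}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY, OBSERVED):
        print(line)
```

Run as-is it reports the unknown telnet-speaking refrigerator, the PLC that did not answer, and the HVAC controller whose firmware banner no longer matches the baseline; the drift bucket is the one that catches the "we replaced the hardware without telling anyone" case the article describes, which a simple present/absent check would miss.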
According to Perkins, who says Qadium competes with Bastile Networks, Great Bay Software and ForeScout Technologies, such technologies play a useful role in helping CIOs discover what's on what he calls the "network of entities." However, the challenge doesn't end there. A second set of technologies is required to isolate and neutralize malware or other network incursions. Securing connected devices, he says, requires a multi-layer approach that involves providing the proper policy enforcement for existing devices and those that will come onto the network in the future. This is no trivial task.