IoT is likely to be among the top cyber security priorities for organizations in the coming years. The Computer Emergency Readiness Team (CERT) Division of the Software Engineering Institute at Carnegie Mellon University in May 2016 released a report identifying 10 at-risk emerging technologies, and some are related to IoT.
In the study, “2016 Emerging Technology Domains Risk Survey,” CERT examined the security of areas such as the connected home, which involves the automation of home devices, appliances and computers. Another area is smart sensors, one of the enabling technologies of IoT.
In today's increasingly interconnected world, the information security community must be prepared to address vulnerabilities that might arise from new technologies, Christopher King, vulnerability analyst at the CERT division, said in a blog post. “Understanding trends in emerging technologies can help information security professionals, leaders of organizations, and others interested in information security identify areas for further study,” he said.
Carnegie Mellon has been an early developer of IoT, and has made security a priority.
The university is working on an open IoT platform called Giotto, named after the innovative Renaissance painter. “We are building out an end-to-end stack, going from hardware to middleware to app layers, integrating machine learning, privacy, and security throughout, and also focusing on the user experience,” says Jason Hong, head of the research group at Carnegie Mellon’s Computer Human Interaction: Mobile Privacy Security Lab at the School of Computer Science.
“We want to make it so that people have IoT-in-a-box, so they can quickly use some of our sensor platforms, demonstrate examples of things to sense [such as a window opening or someone knocking on a door], and create apps that are triggered by those sensed actions,” Hong says.
IoT offers lots of potential for improving everyday life, “but also poses new kinds of risks to safety,” Hong says. “It's useful to think of IoT as a pyramid. At the top you have a few devices that you will use a lot and have a lot of computational power,” such as laptops, smartphones, watches and gaming consoles.
In the middle are dozens of devices that are used occasionally and have moderate computational heft. This tier would include thermostats, TVs, refrigerators, etc. At the bottom are hundreds of devices that people are barely aware of, such as HVAC, badges, implanted medical devices, digital picture frames, electronic locks, and more.
The top tier will be well protected, Hong says, as the companies that make these products have lots of expertise and experience, and the devices can run a lot of security software. “However, the middle and bottom tiers are where we will see lots of problems,” he says. “Many of the manufacturers have little or no experience with software, and these devices also can't do much to protect themselves.”