In the next couple of years, there are expected to be 2 billion people connected to the Internet. At the same time, the instrumentation and interconnection of the world’s human-made and natural systems is exploding–which could mean that there soon will be more things connected to the Internet than there are people who are connected. This Internet of Things promises to give people a much better understanding of how complex systems work, so they can be tinkered with to make them work better. But it also opens up a whole new sphere of insecurity. Each of those sensors is, potentially, a point of vulnerability to people who write malicious code for fun, or profit, or to further their political goals.
Harm could come in many forms, but some of the most hurtful scenarios for attacks on the Internet of Things include electrical power and communications blackouts, disruption of air traffic and roadway traffic lights, interruption of oil and gas exploration and contamination of water. So far, these concerns are mostly theoretical, but the spread of Stuxnet, the computer worm that targets control systems at nuclear power plants, shows just how dangerous such attacks can be. The worm knocked out about 1,000 centrifuges at Iran’s Natanz uranium enrichment plant last year–and atomic energy experts warn that it has the capability of creating Chernobyl-like disasters. “We have to understand the new threats and understand how to protect our own infrastructure,” says Andreas Wespi, a cybersecurity expert at IBM Research’s Zurich laboratory.
Attacks will likely come in two ways: to the sensors and to the servers that gather, store, and analyze information from the sensors. Both kinds of vulnerability must be addressed.
Let’s start with the sensors, which Wespi calls “the weakest link in the system.” Sensors connected to the Internet can take many forms, ranging from simple devices that measure things like temperature to video cameras that monitor the physical security of anything from city streets to remote oil pipelines. We have to develop and deploy new technologies that signal when sensors are not working reliably or have been tampered with. IBM scientists are developing technology that can be embedded in sensors, to do just that. One of the challenges is that simple sensors much be very inexpensive to be affordable on a mass scale, so the modules that IBM is developing must be extremely cheap–costing just pennies per device. Also, it will be vital to embed security in the sensor networks before they’re installed, rather than trying to retrofit them later.
A lot of work has been done over the past two decades to defend computer servers and networks from malicious attacks, but the emergence of the Internet of Things is forcing cybersecurity experts to rethink how such assets are protected. In the past, one of the key strategies for protection control systems was to isolate them from other networks. But now that control systems are being connected to the Internet, that approach won’t work well anymore. What’s needed, Wespi says, is a multi-tier security system–combining protections for individual servers and applications with more powerful access controls and network monitoring.
The Internet of Things creates exciting new possibilities, but it can only deliver on its promises if it’s reliable and trustworthy. Now is the time to start addressing these concerns.