The Shape of Feeds to Come
By Michael Moran
Imagine your self-driving car kidnapping your daughter and demanding a $500,000 ransom. Or the 3D printer production line you installed at a cost of tens of millions of dollars downing tools and demanding a raise to end its ‘virtual strike.’ Or the proprietary data feed you have sold to a major financial services firm suddenly providing falsified results, moving markets and opening your company to insider trading charges.
The target-of-opportunity list for the Internet of Things (IoT) is long and poorly understood, even as the vulnerabilities migrate from theory to reality. Quick fixes are in the works, but very few are thinking about the more fundamental challenge of governing the myriad feeds that the IoT economy is about to spawn.
Steve Madnick, who is the founding Director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC), says he is perplexed at the casual attitude many businesses have adopted in the face of the new data challenges posed by IoT. Not only do corporations and government not understand the scale of the data torrent about to be unleashed, but they seem unconcerned by the real-life manifestations of IoT breaches.
“I have been talking about the security threats to common household items connected to the internet – that is, the Internet of Things (IoT) – for several years now, and unfortunately, every other dire warning has come true so far,” Madnick, a professor of engineering at MIT’s School of Engineering, mused recently in a Forbes blog post. “Upper management has to take greater notice of risks exposed both in the products they produce and the products that they use and take action to mitigate those risks.”
As Madnick and others (including myself) have repeatedly noted, there’s no need to wait for the threat of sensor-enabled IoT devices going on the attack. It’s already here. In 2014, the British cyber firm Proofpoint reported an attack on Internet-connected refrigerators that used them to spread porn emails around the UK. The CIA and other intelligence agencies have developed malware that can convert your television or smartphone into listening devices.
But the attack that most demonstrates the potential scale of the problem came in October of last year, when unidentified hackers hijacked thousands of web-enabled security cameras to mount a distributed denial-of-service (DDoS) attack that temporarily crippled such portals as Twitter, the Wall Street Journal, Slack, Netflix, DirecTV and CNN.
Simple fixes will make these attacks more difficult. Many current IoT devices lack basic security elements like passwords and dual authentication – in effect, they were shipped from the factory with connections wide open. But the more complex and lasting challenge will be about managing the tsunami of data the increasing number of IoT devices will soon create. Gartner estimates there are about 6.4 billion connected devices of one kind or another today. By 2020, the firm says, that will reach 20.8 billion.
In our conversations with clients and major software, telecom and industrial firms, it is striking how many have failed to see the gap between the devices and servers that feed their data and the edge. “Most seem to go right from device to app, and that not only leaves them open to manipulation or misuse,” says Tim Panagos, CTO of Microshare.io. “There’s also no room in that kind of architecture to monetize these feeds. How are you going to, say, sell smart home data to an interested customer like insurers or utilities without a governance layer to ensure you don’t violate HIPAA or privacy laws?”
Microshare, in fact, is that vital interstitial governance layer – a software solution that not only provides the kind of contextual security that might have prevented October’s North American DDoS attack, but also allows users to plug in robots to manage and potentially sell feeds in ways that are compliant with laws meant to prevent abuses. The microshare™ solution takes the risk out of these interactions, whether it’s US HIPAA regulations that protect patient health care data, the Federal Corrupt Practices Act (FCPA) meant to prevent bribery and money laundering, or the looming General Data Protection Regulation (GDPR) that goes into effect in the EU in May 2018.
Liability risk will probably push manufacturers into a more systematic and secure implementation of sensors and connectivity in their products. But once the products are on your shop floor, in your garage or stitched into your revenue calculations, the onus is on end users to manage their data.
Own The Data: Contact Microshare to find out how.
Michael Moran is Director of Communications and Security Solutions at Microshare.io