We think people are asking the wrong questions with respect to IoT and cyber security. One common question is “can someone hack my dishwasher and what should I do to protect it?” The answers are simple: “yes” and “who cares”. Two additional trending questions are “how do I keep my privacy?” and “what happens if someone generates fake data that would change our perception of global warming?” I think these questions are missing the main points about threats – who is the adversary and what is their motivation?
Adversaries that are after private data will find it much easier to dig into a centralized database than to go after individual devices with little information. Most of our meaningful private data is already collected today into such databases. Additionally, it does not make sense for attackers to attempt to deduce our health from reading the sweat sensor of our smart T-shirt when they can read the conclusion made by advanced health monitoring systems from a database. Adversaries who would like to affect decision-making (or sabotage processes) are much better off hacking into a central control system and flipping a bit than trying to acquire enough compromised sensors to generate enough false data over enough time to subvert a process. By the way – even though such potential capabilities are available to attackers today, they are rarely used (other than in very extreme nation-state situations).
IMHO the real issue with IoT is the abundance of unprotected, relatively smart and powerful computing platforms that are going to proliferate into each and every network around them. We have done a miserable job protecting what few personal computers we have at home. We are not going to do a better job (understatement) with a tenfold or hundredfold number of devices from different vendors at our house. This huge number of UNPROTECTED devices provides an opportunity for attackers to easily compromise home networks and personal devices that interact with them. In turn, these personal devices – and home networks – interact with our ENTERPRISE data sources, applications and networks, giving the attacker an opportunity to access and abuse business data that can be monetized. Thus enterprises must learn to survive in an environment where most of the devices in the vicinity of their data and applications (in terms of sheer numbers) are unprotected and most often compromised. In such an environment, LEARNING DYNAMICALLY to detect attack and abuse patterns is crucial for the protection of corporate data assets.