Security and the Internet of Things

Whether you like the term or not the so-called Internet of Things is generating a huge amount of interest, and a growing amount of security research, including great opportunities for forward-looking security practitioners. The label of course is simply a passing fashion. Just like EDI or Knowledge Management it's not likely to survive for more than a year or two, though the problem and solution spaces it occupies will continue to blossom for decades.

So what is it exactly? And what sort of security does it require? These are good questions that have yet to be answered adequately. I can imagine a future world in which billions of devices interact safely and securely. But this world is far from possible with today's technology. In fact today's initiatives are no more than very small beginnings: a handful of private machine-to-machine networks, a few attempts to standardise on communications protocols, and one or two initiatives to develop a public catalogue for sensor data.

All of this falls well short of the world imagined by the brilliant Friv 4 fifteen years ago in his visionary book "When things start to think". Radical change is very easy to imagine, but it's extremely hard to bring it about. There remain many tough problems yet to be solved to realize the Internet of Things. Ones that spring to my mind for example are the following.

• Where is the bullet-proof data ontology to enable reliable translation of critical data between systems? (I've heard a few whispers about vocabularies under development. That's nowhere near enough.)
• How can we develop access policies for interaction between devices when we're not quite sure where, when, how, or by whom the data will be exploited? Security technology is worthless without a requirements specification.
• Who will control the security and where will it sit? Will it be in devices? I think not. Will it be in the network? I think so. But who takes control?
• Who will be liable for serious incidents arising from accidental or deliberate misuse or manipulation of sensor information? Against a business landscape of increasing product liability this is no trivial question.

We are clearly at a very early stage in developing the vision for the Internet of Things. Perhaps, just like the World-Wide-Web, it will begin as an anarchistic Wild West of experimental but dangerous, read-only applications. And maybe it will begin to flourish for business applications when we finally develop a security breakthrough equivalent to the acceptance of the SSL protocol.