Consider the case of the Twitter incident back in the spring: A single compromised Twitter account caused the Dow Jones Index to fall by more than 100 points within minutes. Fast-forward to IoT and imagine that each Twitter account is a sensor (for instance, a smart meter) and tweets are the sensor readings. Further imagine that the stock market is the grid manager balancing electricity supply and demand. If we were to treat each data point from each smart meter as absolute truth, a potential attack on the smart meters could easily be used to manipulate the electrical grid and -- for instance -- cause the local transformer to blow up or trigger a regional blackout by creating a feedback loop.
IoT systems should be designed with the inherent assumption that data will get compromised or lost or corrupted. At the same time, they should not treat any endpoint as secure or any data set as a source of absolute truth.
Consider the source
What could a more resilient IoT system look like? It starts with realizing that not all data is created equal but has an inherent quality or weight inferred by the characteristics of the data source and how much it is trusted. Any algorithm using this data would need to not only take into account the literal data points but also to weigh the data based on the capabilities of its source, its identity, and the level of trust in its integrity. Think of it as "red-yellow-green" labeling of data as it is being received.
All the best practices and technologies needed to address these problems exist and can be applied today. It is a people (designer, developer, consumer) problem and a product design process problem -- not a technology problem.
What is stopping us from doing the right thing? Essentially, our legal processes have not caught up with technology. And they won't for as long as the lack of security merely inconveniences us rather than threatening us with loss of property -- or even life. Conversely, we're pretty good at applying security best practices in aviation because most serious problems with an aircraft in flight are inherently catastrophic. Let's hope the recent news of hackers accessing airplane flight control systems acts as a wake-up call for the industry.
Building connected products using existing technology with meaningful authentication, authorization and encryption settings is possible with little or no additional effort today. All it takes is the realization that security needs to be there by design and not by accident or afterthought.
New Tech Forum provides a means to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all enquiries to email@example.com.