Sitting down with CBR’s Joao Lima, Kirkland made it immediately clear his thoughts on the Internet of Things:

""IoT is not a technology, it is a series of business use cases and consumer use cases."

With that in mind, Kirkland spoke to CBR about the security surrounding the IoT business use case and what threats and regulations the industry could expect to see as the technology, or IoT use case, evolves.

 

CBR: What is the biggest threat to IoT security?

JK: The biggest threat is really a mind-set that security is not something that you do want. Security is a continuous process. There are lots of direct factors, but the minute you solve one, another one pops up.

The thing is that you have to build these systems in an IT sort of way, there has to be encryption, VPNing; we have to use authentication certificates, certificate based authentication to authenticate the actors.

This will help avoid having somebody pretending to be a device and sniffing data, that is one of the biggest threats – someone not stealing data (which it is also a threat), but injecting harmful data into a system to cause it to behave differently, to cause it to destroy itself, to act in an inefficient manner.

Those kind of attacks you have to have a kind of layered defence to. It is application whitelisting, it is continuous patching, and updating keys.

You also have to use an active detection scheme to look for signatures of attack, so that when something is compromised that device cannot get anywhere harmful and if there are attempts to go somewhere else it will be detected and remediated.

 

CBR: Should people expect 100% IoT security?

JK: No, they should not. And that is because we have to balance the risk. Physical systems do not have 100% security. We should hope for better than we have in the physical world.

The biggest choice is who do you do business with, and who you interact with as a consumer and as a business. You think about Amazon, you hand reams of data over to Amazon and people do not even blink about it. Then Amazon is able to predict what you are going to buy, for example.

If a retailer uses technology to track people and identify them individually, and keep records on them, it is considered very creepy. In some spheres we are willing to give away large amounts of privacy and not even think about it for convenience.

In other spheres it is very disconcerting and upsetting. You have to tread that line between the functionality that you get and the benefit you get, versus the privacy and security you give up.

There might be some really cool innovative things that people want to do, but the cost of securing that innovation might be too expensive and the cost of losing that data is too dangerous.

 

CBR: Has the industry and even the media overhyped the debate around security?

JK: I think that it is one of those things that people understand at a basic level, so it is very easy to talk about examples where it goes wrong versus other use cases. It is something that is compelling because people can relate to it personally.

[Security] is an existential threat because if we fail as an industry in security, then it will cause it to be stopped. When people have their personal data compromised – look at Volkswagen – your trustworthiness is put into question, whether it is in IoT of faking tests.

We have to earn that trust over time and we have to do things in an ethical and professional manner.

 

CBR: Is the IoT only an online technology?

JK: No, we have to build a system in a way that is going to survive the internet not being there, which is one of the reasons why I think gateways are so important.

A gateway is going to be using Bluetooth and ZigBee, Serial, local Wi-Fi, to gather data and control things. If either the cloud applications go down, or the internet connectivity is down, it needs to be able to operate on an autonomous manner until that connectivity is there again.

It has to be built to be survivable and each node needs to be able to operate in itself at least with the minimum functionality.

The more critical the system is, the more it needs to be built in a way that nodes can work independently in nodes and be survival for loss of communications or loss of individual pieces of hardware.

 

CBR: What role do governments have to play in the IoT ecosystem?

JK: If standards bodies take a strong enough role, providing clear guidance – essentially regulation within the industry itself – then the government will be issuing just general privacy requirements.

There will be base level requirements the government will require across electronic systems.

 

CBR: What regulations do you expect to be deployed by government?

JK: There are some industries like energy and healthcare where there probably will be regulations, but for the mass market we will avoid government regulation, other than the foundational privacy.

If the industry does not do the right thing, it falls to society and government to have to regulate.