It's been estimated that by 2020, business-to-business spending on IoT technology and tools will reach $267B, half of IoT-related spending will be driven by needs in manufacturing, logistics, and critical infrastructure, and 34 billion devices will be connected and in use across all sectors and classes of devices.
Keeping pace with the growth of IoT in general is the rate at which IoT devices are shown to be vulnerable, often to trivial efforts. From cars to household appliances to surveillance cameras and now airplanes, it is clear that we might be making dumb things smart, but we’re not being smart about how we do it.
The response to this situation has been calls to ‘bake in’ security and calls for new laws. But examples like this, from a DHS effort to hack an airliner, show why any action we take now will not have an impact for years to come:
The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s ... legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have [cybersecurity] protections.
Forget 34 billion devices in three years; there are too many vulnerable devices and platforms out there now for any effort we take to matter today. Every device in a manufacturer's pipeline is in the same boat. A mandate to secure IoT devices that comes down today will only make a difference to those devices that haven’t even made it to the drawing board yet.
It's not that manufacturers can’t make secure devices; it's that no one is asking for them. The market - particularly the consumer market - isn’t concerned enough to demand change. Forward-looking, forward-thinking companies in industry recognize the importance of security and are taking steps to address the situation without the pressure of consumer demand, because a failure on their part means the lights don’t come on, water isn’t drinkable, and the well-being of people with medical implants is at risk.
But let’s be clear: as long as there is value to be had by keeping insecure devices operating, manufacturers, system operators, and consumers will keep them on. You see parallels to this kind of thinking in the broader IT security space, where companies would rather run in a vulnerable state and pay the costs of incident response and fines if a breach happens than spend money on security to try to avoid a breach in the first place. The cost-benefit analysis favors a level of insecurity, which makes those who are trying to avoid catastrophe sound like the proverbial shepherd boy warning about wolves.
IoT security is important now, but it will be vital to the safety of the next generation. Today we still have a level of resilience available to us on both a system (not everything is automated yet) and individual level (people who still know how to do things without computers). That resilience fades quickly as we place more trust in IoT. Fully exploiting weaknesses in IoT systems to devastating effect is still relatively difficult, but while the learning curve for those who would carry out malicious activity is steep, it is also short. Our efforts to counter their actions need to move at the same speed, or eventually, systems will have no graceful way to fail, there will be no backup, and people who never learned how to operate in manual mode will be left standing in the cold and dark.