"Concerns over cybersecurity are undermining the nationwide introduction of smart meters, with more than one in five people saying they do not want one. Almost six million homes would reject the devices despite government promises that they would cut energy bills. More than half of those who oppose smart meters said that their principal concern was data protection."
A perfectly legitimate concern, given recent events and revelations about what metadata can reveal. Spikes in consumption on certain days or times could not only be used to help regulate supply, but suggest when you’re home, away, or have guests over. Over time this sort of information helps establish a pattern of life, which is useful to multiple entities in myriad ways. Knowing when people are away from home could be useful for the police in crime prevention efforts; or data could be sold to advertisers who would push you ads for home security systems if you’re away a lot, or sales at the grocery store if you host a lot of guests.
While it is refreshing to see the general populace expressing concerns about the security of such devices, it does beg the question: do these same people have any idea how prevalent such devices have been in their lives? In a domestic context they are smart devices, but in a factory they’re industrial control and in a power plant, SCADA. This Internet of Things has become a buzz-phrase, but the fact of the matter is that network enabled devices have been a part of our lives years before we started giving them clever names.
But those benefits are only benefits if they come with some level of assurance that they don’t introduce new vulnerabilities. Unfortunately, the security industry isn’t doing much to bolster consumer confidence in this regard. It’s one thing for your home PC to fall victim to ransomware; it’s another thing entirely if the infected system is helping keep you alive. Cyber security failures can take months to discover, which is unacceptable in a smart, ICS, or SCADA environment.
We have spent decades trying to secure commodity IT, yet system compromises and data breaches are a daily occurrence. If we cannot effectively protect the computers we know about, how are we going to protect things we don’t even realize are computers?
For starters, we should be frank about what is possible. There is no such thing as a “secure” Internet of Things. Smart devices will never be hacker-proof. The opportunity to not repeat the same mistakes we made with commodity IT has passed. This is not a function of manufacturers not caring about security, it is their response to the demand for functional devices. If we want functional and secure devices we have to ask for them and be willing to pay for them.
It is also important to be clear on what the trade-offs are for the benefits and convenience smart devices enable. That trade-off almost always involves privacy. The data created by smart devices (including your smartphone) is really the most valuable when it is tied to a person. The power company saves money by knowing how to best balance loads; it makes money selling that data to people who have nothing to do with power generation and transmission.
What the security industry can offer the IoT or smart device world is better visibility and insight into the devices that are present in a given environment, what those devices are doing, and when those devices behave abnormally. The analog to “security” in an environment filled with smart devices is “safety.” Hospitals, power plants, oil refineries: all places where people are regularly drilled in what to do when things malfunction or fail. Securing a world filled with smart devices is less about quarantining a device infected with malware, and more about making sure people know when to implement safety protocols.