WASHINGTON – Security pros routinely cite poor cyber hygiene as one of their top concerns. But if they're lying awake at night worried about lazy passwords and software updates going ignored, just think of the headaches that will come once thermostats, pacemakers and just about everything else comes online.
When Randy Garrett contemplates the Internet of Things, he sees a colossal security challenge.
Garrett, a program manager at the Defense Advanced Research Projects Agency (DARPA), worries that, in the exuberance to embed sensors in a galaxy of devices and bring them onto the network, backers of the Internet of Things will unwittingly create a virtually limitless set of new threat vectors.
"This is where I think, frankly, we're already in trouble," Garrett said Wednesday at a conference on the Internet of Things. "You might not want to expose those to the big Internet."
He points to an array of security concerns that could arise in a thoroughly networked world. Chief among them is that – as uneven or just plain bad as the habits of PC users may be – many people are at least aware that the threats are out there and will often exercise some restraint in not clicking on spam links or avoid setting their password to "password."
Will Ability to Gather Data Trump Security Concerns?
Put another way, people recognize that there are malicious actors out there working to infiltrate their computers and swipe their personal information. But who thinks about their toaster in those terms?
It's not an idle concern. Recall the massive data breach Target sustained last year, exposing millions of the retailer's customers' information, forcing the Target CIO to step down and causing untold damage to the company brand.
The reported culprit? An entry point to the company's most sensitive data assets gained from a contractor who worked on Target's heating and air conditioning systems. "Who thought it was a good idea to connect that to the Internet?" Garrett asks.
Garrett's security concerns notwithstanding, there are strong arguments in favor of networking objects so they can be deployed more efficiently and monitored remotely.
Boosters of the Internet of Things can make a long list of areas where operations and safety could be improved by a networked set of smart devices. Household appliances could modulate their power consumption to avoid peak load times. Sensors placed along railroad lines could relay temperature data that could help preempt track failures. The same could be done for bridges, tunnels and other pieces of the nation's fraying infrastructure.
A pilot project in Rockville, Md., for example, placed 14 sensors into an apartment building that monitor for smoke, heat, carbon monoxide and other potential danger signs, relaying them to a cloud service that dispatches emergency responders if a problem is observed.
Internet of Things Poised to Change (and Challenge) Healthcare, Retail
One of the most enticing applications of a network of far-flung sensors can be found in healthcare, where an entire industry is taking shape to build devices and applications with which patients can engage to monitor glucose levels, blood pressure or heart health, or perform any number of other diagnostic procedures and then relay the information back to a care provider.
"That's a much better set of data in which to diagnose and manage diseases," says Michael Chui, a partner and senior fellow at the McKinsey Global Institute.
Chui acknowledges a host of unknowns, security and otherwise, which arise with bringing physical objects online. Who is named in the lawsuit when two driverless cars are involved in an accident, he wonders.
At least in part, however, he suggests that some challenges, and solutions, could be found in a rethinking of organizations and their traditional roles and processes.
In a retail environment, for instance, the CIO's involvement in store operations might be limited to the cash registers, point-of-sale systems and back-office operations. In a world where mobile payments are a reality and items on the shelf are expected to interact with shoppers' devices, though, the tech team must take a more hands-on role.
[ Case Study: The Container Store Uses Wearable Tech to Think Outside the Box ]
"If that's the case, then the people managing IT actually have to touch the merchandise in a way that the store manager never would have wanted before," says Chui, who earlier in his career served as a municipal CIO. Likewise, in the military, he asks: "Does the CIO of the Army have to touch the tanks?"
"It's a tremendous number of organizational challenges when you start integrating the physical world with the virtual world, Chui adds. “You have to change the way you make decisions if you're going to use the Internet of things effectively."