In the case of Internet of Things security, it’s the Wild West out there. Drones with firearms attached, connected cars remotely sabotaged — the potential for trouble seems to be endless. Even popular culture’s been getting into the act. Witness HBO’s Silicon Valley episode where the self-driving “Hooli” car abruptly changes its destination and enters a shipping container, taking Jared to a man-made island in the middle of the Pacific Ocean (“I’m sorry, what? Mister car? Excuse me?”).

As we think about a future world with over 25 billion connected “things” in use by 2020, the cyber risk scenarios grow exponentially. In a prior article, “The IoT meets the Internet of Behaviors,” I outlined a few of the possibilities — some of which have already materialized in recent months:

- Connected home hacked to open the front door to thieves, open the garage door to steal a car, raise the heater to maximum levels to damage the air conditioning system and/or household goods, turn off the refrigerator, turn off the sprinkler system, access personal computers, and so on.
- Connected, autonomous car or delivery vehicle sabotaged to crash via inappropriate acceleration or braking, or sent to incorrect destinations; vehicles such as trains, aircraft, drones, ships, etc. similarly misdirected or sabotaged.
- Connected hospital hacked to change the route of delivery robots, or the functions of medical devices such as pacemakers and insulin pumps, and so on.
- Connected manufacturer hacked to interrupt the functions of warehouse “picking” robots, equipment monitoring and maintenance sensors, plant control systems, supply chain activities, and so on.
- SCADA and PLC systems sabotaged in similar fashion to the Stuxnet worm that spun up Iran’s nuclear centrifuges.

In each case the resulting “damage” can range from nuisance issues all the way to serious issues related to potential injury or loss of life, damage to physical property, or even threats to national security.

Prospecting in safety: What makes IoT security so difficult?

One of the main problems compounding this situation is that security is often an afterthought, bolted onto solutions after the fact, once issues arise. IT security experts and IT managers have been calling for security to be built in by design for decades now, but there’s been a long line of technology innovations ranging from the Web, to mobility and cloud computing, and now to the IoT, where it still feels like, and often is, an afterthought.

Adding security after the fact creates other issues as well. When emerging technologies are not secure from the start, they create delays in realizing their full business benefits as organizations struggle to implement appropriate security controls. In fact, a study on “Risk and Responsibility in a Hyperconnected World” by the World Economic Forum estimated that delays addressing cyber risk ranged from 11 months for cloud, to 5 months for IoT and mobility, to 3 months for social computing. Clearly, a larger percentage of typically flat IT security spend needs to be redirected here versus perimeter security.

What adds to this difficulty, in the case of securing the IoT, is that it’s a complex ecosystem no matter which industry you look at. IoT solutions and services are typically composed of not just one product, but a complex system of systems that includes hardware and software from many different vendors, much like RFID systems in the early 2000s, where you had to deal with a variety of tags, readers and middleware — all from different parties.

The security of the overall solution is only as good as its weakest link, so this multivendor complexity opens up additional vulnerabilities for cybercriminals to exploit and makes end-to-end testing essential. Some of the main vulnerabilities are explored in the Open Web Application Security Project (OWASP) Internet of Things Top Ten Project.

Avoiding the gunfight: A framework to think about risk

When thinking about risk levels related to IoT security, it’s useful to know where the major issues may arise once hackers get to their target destination via the cyber “kill chain.” One way to think about this is to consider the various categories of IoT devices and the corresponding types of cyber risk. As IoT devices become more controllable or more autonomous, the threat intensity increases, as cyber-criminals are able to steal sensitive data, introduce malware, and ultimately conduct “command and control”-style sabotage.

One of the frameworks I’ve found useful has been Gartner’s classification of four categories of IoT devices, ranging from identifiable things (e.g., passive RFID tags), to communicating/sensing things (e.g., pressure sensors), to controllable sensing things (e.g., HVAC systems), to smart autonomous things (e.g., self-driving cars). The figure shows this classification with a rough sense of the types of cyber risk illustrated alongside.

[Figure: Gartner’s four categories of IoT devices, from identifiable things to smart autonomous things, with the corresponding types of cyber risk. Image courtesy of Nicholas D. Evans]

There’s a new sheriff in town: Things are coming together

Fortunately, when it comes to building in security for the IoT early on, and by design, there are some promising signs. One example is the recent reference architecture published by the Industrial Internet Consortium (IIC). This extensive document “outlines key characteristics of Industrial Internet systems, various viewpoints that must be considered before deploying an Industrial Internet solution, and an analysis of key concerns for the Industrial Internet including security and privacy, interoperability, and connectivity.”

According to Stephen Mellor, the IIC’s chief technology officer, the IIC has been thinking about security right from the start. Its recently published Reference Architecture is intended to provide developers, engineers, systems integrators and organizations with a common vocabulary and a common approach to building and implementing IoT systems that are interoperable and secure. The group doesn’t develop standards, but focuses on collaboration and cooperation across the industry so that technology issues and gaps can be quickly identified and resolved.

According to Mellor, the group is also working on a specific framework for IoT security, which will be forthcoming. The idea is to take the security principles from the reference architecture and add to them with further process and implementation guidance.

Another example of how security is being incorporated into an IoT vision from day one can be seen in the work of the German Industrie 4.0 Working Group focused on manufacturing. Its “Recommendations for implementing the strategic initiative INDUSTRIE 4.0,” published in April 2013, included safety and security as one of eight priority areas for action, with a further eight recommended actions specific to safety and security. Security by design was again highlighted as a key principle, as well as the development and implementation of IT security strategies, architectures and standards.

Of course, there are many other examples of industry players coming together to address the challenges and opportunities afforded by the IoT — and IoT security, in particular — and these are just two of the bright spots. For example, the Security Center of Excellence, operating out of the Harrisburg University Government Technology Institute, is also addressing these emerging topics and providing education to Government CISOs in the State of Pennsylvania.

Getting out alive: Success in IoT deployment

For organizations designing and implementing IoT solutions, the lessons are clear. First, have a clear sense of the full spectrum of threat scenarios you may encounter — nothing is out of the question. As The Economist recently put it, you want to avoid the “Pay up or the fridge gets it” scenarios or worse.

Second, have a framework to help you understand the lay of the land, avoid the gunfights, and prospect in safety. Understand the threat intensity given your specific categories of IoT devices. The more controllable or autonomous your IoT devices, the higher the risk level, and you should also pay close attention to the massive amounts of data being collected by these systems.

Third, since cyber-criminals will enter your IoT ecosystem through any weak link in your defenses en route to their ultimate destination, including via counterfeit hardware in your supply chain, take a holistic approach to your cyber strategy and review the guidance and recommendations from the numerous consortia and organizations working in your field.

With these steps in mind, at least as your starting point as you head into the Wild West with your tools in hand, you’ll be well equipped to monetize your hard work in the years ahead.