The Internet of Things is forming a digital infrastructure that already plays an important role in our homes, cars, offices, and cities. But as it proliferates, so do the opportunities for cyber attacks and invasions.

Illustration by Jordon Cheung.

Today, we’re almost as likely to connect to the internet through our watches, cars, or home security systems as we are through laptops or smartphones. The online world is enveloping the physical one in an ever-growing network known as the Internet of Things, and that is changing life as we know it.
The number of connected online devices is exploding. The Atlantic Council, an international think tank, predicts that 50 billion objects will be communicating digital data to and from each other by the end of this decade—seven for every person on Earth. Much of that growth is not in consumer gadgets like fitness trackers or televisions but rather in our economy’s most critical systems, from factory floors and emergency rooms to power stations, aircraft engines, shipping fleets, and national security assets.
Connecting such crucial infrastructure to the internet promises exciting advances—from smarter factories, smarter shipping, and smarter retailing to smarter government. It could also be a fount of innovation and an important source of economic growth. But it will also mean a proliferation of new security risks: More connected devices mean more devices capable of forming armies of bots and zombie networks, and more ways for cyber criminals to invade our physical world.
“The threat is already there. It has already been realized in some cases,” says Gerry Kane, director of cyber security at Zurich North America. Hackers are currently using the digital realm to target real-world assets. In late 2014, massive damage was caused to a German steel mill after hackers forced a blast furnace to malfunction. More recently, hackers with ties to Syria infiltrated a water utility’s control system in an undisclosed location and changed the levels of chemicals used to treat tap water.
Many hackers are just after data, and our personal mobile devices—currently far less secure than traditional computer systems—are an all-too-easy way to get it. Denial-of-service attacks, in which hackers shut down a company’s servers or customer-facing web applications, whether for ransom or some other purpose, are also becoming more common because of the Internet of Things. Seventy-three percent of IT professionals now consider it likely that a company will be hacked through a connected device, according to research by ISACA, an information-systems nonprofit.
“No one thinks they're going to get hit,” says Kane. “If you've only got a thousand records of personal information, that's certainly worth a lot less than a company that's got a million of those records. But if you make it easy for someone to get those files and records, they'll come and get them.” Often it’s small or medium-sized companies that dismiss security too easily, with 71 percent of cyber attacks happening at businesses with fewer than 100 employees, according to the U.S. House of Representatives’ Small Business Committee.
For decades, the threat of being hacked was treated as a technological battle fought with firewalls and antivirus software. Strong technology is surely needed to combat ever more sophisticated risks. But the accelerating pace of cyber attacks as the Internet of Things proliferates has also forced a sea change in thinking about what good security means.
That change began with a collective admission: Cyber attacks have become virtually impossible to eradicate, a fact of life, and companies must focus on quick reaction and recovery from breaches. “Most people in the business now will agree that you can't protect yourself completely,” explains Kane. “The focus of any good security program is not on protection but on detection and being able to find those intruders as quickly as possible, before they can do substantial damage.”
Following that principle, the U.S. government has established a comprehensive approach to cyber threats that places equal emphasis on warding off attacks and recovering from a breach. The National Institute of Standards and Technology’s Cybersecurity Framework was designed to protect critical infrastructure such as banking and energy systems, but the standards have been adopted by everyone from retail chains to the Italian government. Nearly a third of U.S. firms are already using the framework, according to technology research firm Gartner.
There are other bright spots: Cyber threats are being taken seriously in an increasing number of boardrooms and corner offices. Jobs in cybersecurity are up 74 percent over the past five years, according to a 2015 report by Peninsula Press, based on numbers from the Bureau of Labor Statistics. The position of chief security officer is also on the rise, with some companies elevating it to an executive-level role.
Still, the Internet of Things may be expanding faster than our ability to comprehend it, and many companies are simply unprepared. The tools needed to make the IoT more secure already exist, but companies and institutions need to recognize the threat and prioritize the solutions. “It isn't going to require any new concepts or any new technologies,” says Kane. “It requires a commitment to thinking that's been around for a while in handling security as a process.”