Updated from Oct. 18
As tens of billions of toasters, thermostats, sprinkler heads, cars, oil rig pump monitors, electricity meters, smart power switches and other devices join the Internet of Things in the coming years, they will present hackers and cyber thieves with back doors to home, business and government networks.
Indeed, the Internet of Things was implicated in a massive cyberattack that hobbled many websites and services on Friday, in part by sending requests from large numbers of connected devices.
The world of traditional IT systems and security must increasingly interact with a new world of products, machines, sensors and other networks that may operate on unconventional standards, and that introduce substantial complexity.
"Crossing the boundary [between these two worlds] will be a flood of data like none we've ever seen before," Gartner analyst Earl Perkins said.
Most of the information traveling in this new world goes from machine to machine or machine to database, presenting a quandary worthy of a science fiction novel. "The big thing in IoT security right now is how do I give them an identity, attributes and entitlements so they can authenticate one another," Perkins said. In other words, how do we teach machines to police machines?
A new crop of security shops is safeguarding the new world of IoT devices, Perkins said. The list includes PTC (PTC) and Synopsys (SNPS), as well as private companies such as Bastille Networks and SecureRF that identify and authenticate devices. Unexpected names such as General Electric (GE), which manufactures IoT hardware, have also waded into security of networked machines.
Telematics, or the humdrum business of tracking fleets of trucks and other vehicles to monitor on-time delivery and fuel efficiency, is one of the most proven fields of IoT. While the business is hardly sexy, it has demonstrated a return on investment for logistics companies and others.
Plugging consumers' vehicles into the Internet of Things is flashier, however, and presents opportunities for entertainment, e-commerce and the holy grail of self-driving cars. But it also introduces risks.
For example, Hyundai owners can turn on their cars via Amazon's (AMZN) Alexa voice recognition device, 451 Research IoT Director Christian Renaud noted. While the development hints at the future perks of combining IoT and cars, it also presents an opportunity for hackers. "We've jumped the shark from 'I'm just going to tune in my radio station' to 'I'm going to unlock my car,' which means there is a cellular door into my car," Renaud said. "Which means there are security concerns."
The FBI has warned about the dangers of mixing IoT and driving. "While not all hacking incidents may result in a risk to safety -- such as an attacker taking control of a vehicle -- it is important that consumers take appropriate steps to minimize risk," the FBI noted in a public service announcement earlier this year.
Companies specializing in automotive IoT security include Argus Cyber Security and TowerSec, the latter of which was acquired by stereo and connected car systems company Harman earlier this year.
Once consumers park their self-driving cars at home, a new array of threats awaits.
"It is not so much whether your toaster is going to be hacked," Gartner's Perkins said of the emerging generation of smart home products. "The bigger problem is whether the fridge or toaster is going to be used as a path into your network."
Cyber thieves are crafty in finding entrances to networks. In the 2013 hack that rocked Target (TGT), after all, attackers entered the company's systems using credentials given to an HVAC contractor.
"You have to be able to know where the devices are," Perkins said. "You have to clean up your IT house."
Atlanta-based Bastille Networks, which earlier this year discovered that about 80% of businesses are vulnerable to being hacked via wireless computer mice, provides visibility and discovery services that identify devices on networks.
Gauging the likelihood and impact of an attack is key to devising a security strategy.
The hack of a Ukraine power plant in December 2015 caused thousands to lose power. Cyber sabotage of a nuclear power plant could have an even greater impact.
Meanwhile, the hack of a self-driving car or a drone could have a devastating impact on a person or family, but would likely have a more limited effect on society.
"Unless you crash a drone into a liquefied hydrogen tank, it's quite likely [a minimal impact]," Perkins said.
Grabbing market share may trump cyber security on the list of concerns for the manufacturer of an IoT product in a hot niche, however.
"It all comes down to money in the long run," Perkins said. Manufacturers should build to a minimum acceptable standard based on the type of device and the likelihood and potential impact of a hack. "You can't go around creating the most secure devices for every Internet of Things application," Perkins said. "It will bankrupt people."
A concept from the "classical" world of IT, building defense in layers, applies to IoT security, the Gartner analyst added.
Protections should be implemented in the devices themselves but also in the home or corporate network. Cyber security applications can identify rogue toaster ovens, teach networks or other devices to limit interactions with compromised components and safeguard critical information or capabilities.
"A chain is only as strong as its weakest link," Perkins said. "The chain in this case has to compensate for the weakest link."