
Five myths (debunked) about security and privacy for Internet of Things

Greg Shannon, PhD, chair, IEEE Cybersecurity Initiative, and chief scientist, CERT Division, Carnegie Mellon University Software Engineering Institute. | Jan. 27, 2015


The Internet of Things (IoT) holds great promise for a more intelligent, efficient, safe and even anticipatory means of human adaptation to the environment, be it natural or manmade.

IoT has the potential to enable improvements to so many facets of life, the list is endless. Its primary advancement is enabling the interconnectedness of "things" and resulting insights and synergies. Yet that same connectedness raises concerns for security and privacy that must be addressed. To advance the evolving discussion on IoT security and privacy, I cite five "myths." Rather than accept them or dismiss them, I believe that they deserve careful consideration.  

Myth #1: More security means less privacy, and vice versa.
I participated in the IEEE Summit on Internet Governance in December 2014 in Brussels where some suggested that we're dealing with security "versus" privacy. We're not. We should address security "and" privacy. I believe IEEE provides a real service to the global community by promoting that approach. These two concepts go hand in hand. Technically, they have commonalities. They enhance each other.

In terms of similarities, both concepts are about confidence in the way things work. Whatever thing or process people are interacting with, they want to have confidence that that's the thing or process they're getting. People want confidence there's not some nefarious agent -- human or machine -- that compromises their expectations about how a thing or process performs.

To contrast the two concepts, privacy is more about providing information into a system and not being personally harmed by doing so. Privacy stems more from an IoT user's perspective. Security is about creating value and protecting that value. It's often from the provider's point of view, but it can also be from the point of view of users, if they're receiving value from a system in return for their participation. A smart meter on the home, which records energy use in a granular fashion, can provide value to user and provider -- as long as the user's privacy remains intact and the data on billing and system health remain secure for the provider.

Technically, security and privacy have commonalities. Both rely on encryption, for instance. Methodical design processes will help ensure their protection. And both suffer the same sorts of failures. Engineers who design software or systems without a sense of how adversaries think can overlook exploitable aspects of the design.

Similarly, because individual components of IoT will be parts of systems of systems, the original authors of a component may not consider the security and privacy implications as their component interacts with other components and systems. For instance, researchers have established -- as has the Federal Food and Drug Administration (FDA) -- that a number of personal medical devices (PMD) have encryption flaws, which threaten the security of the devices and the data they record and, in some cases, transmit, and which compromise the privacy of the individual using them.

 
