Internet of things. Land of the exploitable

I’ve been watching corporate America suddenly discover the chittering of the Internet of Things. Since much of the impetus for IPv6 was to enable this wholesale change toward a global grid of information-enabled devices, we shouldn’t be too surprised. The benefits of devices telling us that they need maintenance, or of things interacting to make our lives better, are real. I like that ambulances can interact digitally with traffic control systems and people’s lives can be saved. There is good in making things simpler to use, or in increasing capability.

There is risk in having systems that can be exploited. In our ambulance case it wasn’t very long before the strobe detection systems were being hacked by road users. Since traffic signals have an infrared light strobe detection unit mounted on them, people just built their own. Now some systems have secondary controls. In some locations, like Montgomery County, Maryland, the lights are controlled by archaic systems that they are trying to replace with computers. This is the evolution of the Internet of Things.

Different communities discuss the various aspects of this evolution towards mass device connectedness. We have cyber-physical systems, which can be anything from a thermostat to an automotive car alarm. I do worry that we focus too much on the connectedness of the Internet of Things as being TCP/IP-based from the Internet. The reason is that wireless and multi-band non-TCP/IP communication like Bluetooth is part of the environment. This variability in connection type is why the military originally came up with the concept of the global information grid.

We have multiple ways to connect devices. Those devices can be widely varied. The dependencies between the devices are rarely discussed. We have a history of those devices being exploited once fielded. There is no reason for this pattern to change.

I have used an example in my classes of how regulation, law, and policy can be smashed together to create strange issues. The Internet of Things concept adds some interesting fuel to this. Consider the following scenario, which is valid, real-world, likely to happen, and already supported by evidence:

Joe shows up for work one day. He is a great worker, but he now has a medical implant that requires Internet connectivity. The note from his doctor says that he will need an accommodation of an Internet connection. The connection must be a Wi-Fi connection. The network operations folks say there is no way to add a device to the network without having it go through a review. It would be a violation of policy. The human resources people look at the Americans with Disabilities Act and the principle of reasonable accommodation and know the law is going to say give him the connection. The risk management people are terrified that if somebody hacks Joe’s medical implant while it is on their network they will incur extreme liability. So the entire fiasco ends up on the General Counsel’s desk. What do you think the attorney without an information technology background is going to do?

There is no one best, greatest answer to this scenario. There are all kinds of factors that add to and detract from the concept. If the company has even one personally owned device at any level connected to the network (I’m looking at you, sysadmins), then the answer will likely go one way. If the company has a BYOD policy, the lean is heavy. The attorney will look at the case law of reasonable accommodation from different angles. There really is no answer to this case. It just illustrates the concept of how the Internet of Things and policy interact.

There are a lot of people out there looking at concepts and use cases for the Internet of Things with a significant focus on one particular aspect. The CXO wanting to know about this topic is going to have to think about the inherent ramifications of an edgeless network. The entire concept of defense in depth has been eroded by social media and hyper-connectedness. With the Internet of Things the many-to-many model will become even more inherent. How many corporations are looking at all the Internet-enabled vehicles in their employee parking lot as possible repositories for corporate information? The thumb drive (I hate them too) that carries documents from the office to home and back also has the music collection on it. It might be attached to the car in the meantime. The car has Bluetooth and Internet connections. Sneakernet and what we might call iPod-net are growing exploit paths.

When trying to get people to think about this topic, it is hard to explain that what we think we control is likely the thing we least control. The corporate network is chaotic not because users suck fart wind, but because users are making the company money. They will do whatever it takes to achieve profit motives despite corporate policies that get in their way. In the Jurassic Park movies the mathematician says “life will find a way,” and you might as well apply that to users too. My thesis is that the Internet of Things is going to drive a change in information technology governance and information security practices. There is no way that hierarchical relationships will provide the security necessary for this evolving use case. The exploit successes have been proving that for 40-plus years. This new model of connections and use cases just drives another nail into the already dead concept of certification and accreditation of networks. The question is: what new security paradigm in the era of everything connected will replace the old paradigm?

Just some things to think about.
