Internet. Things. Add the “Of” and suddenly these three simple words become a magic meme – the theme we’ve been hearing all week at CES, the oft-heralded prediction that may have finally arrived in 2013.

While not devoid of hype and hyperbole, the Internet of Things (IoT) does represent a revolution happening right now. Companies of all kinds – not just technology and telecommunications firms – are linking "things" as diverse as smartphones, cars and household appliances to industrial-strength sensors, each other and the internet. The technical result may be mundane features such as intercommunication and autonomous machine-to-machine (M2M) data transfer, but the potential benefits to lifestyles and businesses are huge.

But … with great opportunity comes great responsibility. Along with its conveniences, the IoT will unveil unprecedented security challenges: in data privacy, safety, governance and trust.

It’s scary how few people are preparing for it. Most security and risk professionals are so preoccupied with putting last week’s vulnerability-malware-hacktivist genie back into the bottle, that they’re too distracted to notice their R&D colleagues have conjured up even more unpredictable spirits. Spirits in the form of automated systems that can reach beyond the digital plane to influence and adjust the physical world ... all without human interfacing.

About the author: [Andrew Rose](http://www.forrester.com/Andrew-Rose) is a Principal Analyst at Forrester Research focusing on security and risk professionals. His expertise includes information security and risk management; ISO27001 frameworks; information risk strategy; and governance, risk, and compliance (GRC) initiatives. This piece draws partly on Rose's Forrester [research](http://www.forrester.com/home#/Prepare+Your+Security+Organization+For+The+Internet+Of+Things/fulltext/-/E-RES85001) report.

The Loopholes
-------------

Security loopholes can occur anywhere in the IoT, but let’s look at the most basic level: the route data takes to the provider.

Many smart meters, for example, don't push their data to an internet service gateway directly or immediately. Instead, they send collected information to a local data collation hub – often another smart meter in a neighbor’s house – where the data is stored until later uploaded in bulk.

Placing sensitive data in insecure locations is never a good idea, and the loss of physical security has long been considered tantamount to a breach. Yet some early elements of the IoT incorporate this very flaw into their designs. It’s often an attempt to compensate for a lack of technological maturity where always-on network connectivity is unavailable or too expensive, or the central infrastructure does not scale to accommodate the vast number of input devices.
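The design above need not put the reading itself at risk: if the meter seals each reading for the provider before handing it to the neighbour's hub, the hub becomes an opaque store-and-forward relay, and losing it exposes only ciphertext. The following is an added example, not code from the article or from any meter vendor. It assumes a per-meter AES-256 key provisioned at manufacture and shared only with the provider (an assumption, since the article describes no key management), and uses AES-GCM with the meter ID and a per-meter sequence number as associated data so the hub can neither read, alter, relabel, reorder nor replay what it stores.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is what a meter hands to the neighbouring collation hub. The hub
// stores it and bulk-uploads it later; it can see the two header fields but
// not the reading, and cannot change anything without detection.
type Envelope struct {
	MeterID uint32
	Seq     uint64 // per-meter monotonic counter, bound into the tag as AAD
	Nonce   []byte
	Sealed  []byte // AES-256-GCM ciphertext followed by the 16-byte tag
}

// aad encodes the header fields the authentication tag must cover, so the
// hub cannot relabel an envelope as another meter's or change its order.
func aad(meterID uint32, seq uint64) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint32(b[:4], meterID)
	binary.BigEndian.PutUint64(b[4:], seq)
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the meter before the reading leaves the house. key is the
// 32-byte per-meter secret assumed to be shared only with the provider.
func Seal(key []byte, meterID uint32, seq uint64, reading string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	sealed := gcm.Seal(nil, nonce, []byte(reading), aad(meterID, seq))
	return Envelope{MeterID: meterID, Seq: seq, Nonce: nonce, Sealed: sealed}, nil
}

// Provider is the upstream service that receives the hub's bulk upload.
type Provider struct {
	keys    map[uint32][]byte // meter ID -> that meter's key
	lastSeq map[uint32]uint64 // highest sequence accepted per meter
}

func NewProvider(keys map[uint32][]byte) *Provider {
	return &Provider{keys: keys, lastSeq: map[uint32]uint64{}}
}

// Open verifies and decrypts one envelope. A ciphertext, meter ID or sequence
// altered at the hub fails authentication; a re-uploaded old envelope is
// rejected by the sequence check.
func (p *Provider) Open(env Envelope) (string, error) {
	key, ok := p.keys[env.MeterID]
	if !ok {
		return "", errors.New("unknown meter")
	}
	if last, seen := p.lastSeq[env.MeterID]; seen && env.Seq <= last {
		return "", errors.New("replayed or out-of-order envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Sealed, aad(env.MeterID, env.Seq))
	if err != nil {
		return "", errors.New("authentication failed: envelope altered in transit or at hub")
	}
	p.lastSeq[env.MeterID] = env.Seq
	return string(plain), nil
}

func main() {
	// Constructed demo key and readings, not real meter data.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	provider := NewProvider(map[uint32][]byte{42: key})

	var hubStore []Envelope // what the neighbour's meter holds until upload
	for i, reading := range []string{"12.5 kWh", "13.1 kWh"} {
		env, err := Seal(key, 42, uint64(i+1), reading)
		if err != nil {
			panic(err)
		}
		hubStore = append(hubStore, env)
		fmt.Printf("hub sees meter=%d seq=%d data=%s\n", env.MeterID, env.Seq, hex.EncodeToString(env.Sealed))
	}
	for _, env := range hubStore {
		reading, err := provider.Open(env)
		fmt.Printf("provider: %q err=%v\n", reading, err)
	}

	env3, _ := Seal(key, 42, 3, "14.0 kWh")
	env3.Sealed[0] ^= 0x01 // hub flips one bit of a stored envelope
	_, err := provider.Open(env3)
	fmt.Println("tampered:", err)
	_, err = provider.Open(hubStore[0]) // hub re-uploads an old envelope
	fmt.Println("replayed:", err)
}
```

Two caveats a practitioner would add: the sequence check only detects replay of envelopes the provider has already accepted, so a hub that silently drops readings still needs an out-of-band liveness check, and the random 96-bit nonce is adequate at smart-meter message rates but a counter-derived nonce is the safer choice on devices with a weak entropy source.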

As the IoT crawls through its early stages, we can expect to see more such compromises; developers have to accommodate technical constraints – by either limiting functionality or compromising security. In a highly competitive tech marketplace, I think we all know which of these will be the first casualty.

And it’s not just security: it’s privacy, too. As the objects within the IoT collect seemingly inconsequential fragments of data to fulfill their service, think about what happens when that information is collated, correlated, and reviewed.

Because even tiny items of data in aggregate can identify, define, and label us without our knowledge. Just consider the scenario of the IoT tracking our food purchases. At the innocuous end of the privacy spectrum, the frequency and timing of these purchases can easily reveal we’re on a diet; at the other end of the spectrum, the times and dates of those purchases could even reveal our religion (Jewish holidays, Muslim fasts).

Bottom line: As technology becomes more entwined with the physical world, the consequences of security failures escalate. Like a game of chess – where simple rules can lead to almost limitless possibilities – the complexity of IoT interconnections rapidly outstrips our ability to unravel them.

By accident or by design, useful IoT solutions could mash together, introducing or accelerating black swan events: catastrophic failures that are unexpected but obvious in hindsight. The key is to plan for these scenarios now.


The Evolutions
--------------

The Internet of Things will mature in three main stages.

Stage 1: Personification of Dumb Objects

In the initial stages of the IoT, identity is provided to selected objects through tags such as QR codes. Value to users here comes from the interaction of these identities with other intelligent systems, such as smartphones or web services. Think about "smart" car keys that start the car without being taken out of the pocket. Unfortunately, these devices can be, and already have been, subverted.

Stage 2: Partially Autonomous Sensor Networks

In this intermediary stage, the "things" in the IoT develop the ability to sense their surroundings, including the environment, location, and other devices. Value to users here comes from those things taking action, albeit limited in scope, based on that information. Think about a residential thermostat that can be adjusted via a smartphone and authenticated web service, or that may self-adjust based on its awareness of the homeowner's location (e.g., switching on the heating/cooling as it detects the owner nearing home). While a centralized failure here leaving vast numbers of people without heating may be tolerable, imagine the scenario where a hacktivist collective or state-sponsored attacker switches off an entire country's electrical supply as an act of punishment.

Stage 3: Autonomous Independent Devices

In this final stage of maturity for the IoT, technology availability, capacity, and standardization will have reached a level that doesn't require another device (such as a smartphone or web service) to function. Not only will the "things" be able to sense context, but they will be able to autonomously interact with other things, sensors, and services. Think about drug dispensers that can issue medication in response to sensing conditions in the human body through a set of apps, sensors, and other monitoring/feedback tools. It requires little imagination to consider the potential disaster scenarios that could originate from system failures or malicious threats in this scenario.

Now, let’s take one popular and heatedly discussed example from CES to sum up these stages of maturity: the smart refrigerator. In the personification stage (1), the refrigerator owner scans cartons of milk with his smartphone, which triggers a reminder when the milk expires. In the semi-autonomous sensor network stage (2), the refrigerator detects the milk on its own and issues reminders across a broader range of connected apps. In the autonomous and independent stage (3), the refrigerator orders replacement milk just before it’s empty or expires – entirely on its own.

I am hard-pressed to find a catastrophic scenario associated with the refrigerator – other than the refrigerator spending your entire month's pay on milk or becoming self-aware like Skynet – but the fact remains we can’t predict how things will look. That makes regulation and legislation difficult.

Even the European Commission, with its strong track record on privacy issues, acknowledged that its well-regarded Data Protection Directive would be unable to cope with the Internet of Things:

> The technology will have moved on by leaps and bounds by that stage; the legislation simply cannot keep up with the pace of technology.

So it's possible that frameworks around regulating the IoT will parallel the PCI Data Security Standard, where an industry recognized the need for regulation and introduced its own rather than wait for government intervention.

Either way: Given the wide-reaching impact of the IoT, formal legislation and government involvement is almost certain. Especially when we consider the safety risks of automated systems interacting in the physical world – governments won’t be able to stand by silently if autonomous decisions endanger lives.

People can somehow tolerate other people doing bad things, but they won't allow their machines to make such mistakes.

Editor: Sonal Chokshi @smc90