6 Reasons Why IoT Security Is Terrible

The Internet of Things bears little resemblance to traditional IT systems—and that makes it harder to protect

Connecting physical infrastructure to the Internet makes systems vulnerable to new security threats. What keeps executives awake at night varies by industry, but cybersecurity problems are worsening everywhere.

Security officers in manufacturing worry about employees inserting infected USB drives into machines, while hospital administrators fear that malware will wipe out an unpatched MRI machine, or that a hacker will direct an infusion pump to administer a lethal dose of medicine.

Josh Corman, chief security officer at PTC, a computer software firm based in Massachusetts, has codified six reasons why security for the Internet of Things (IoT) is different from—and more difficult to tackle than—traditional IT security.

The first is that the consequences of failure are more dire. We’ve raised the stakes by connecting more physical systems and facilities to wireless networks. When cars or infusion pumps are hacked, people can die.

Which brings us to Corman’s second reason that IoT security is a special challenge: The adversaries are unlike any we’ve seen before. No longer are they lone hackers trying to make money or cause mischief. Today’s adversaries are nation states hacking systems in an all-out cyberwar.

Stuxnet, the virus that brought down Iranian centrifuges in 2010, may be the earliest example. Then in August 2017, a Saudi chemical plant was hit by a hack designed to cause an explosion and disrupt petrochemical manufacturing. Experts believe the attack was state sponsored and intended to send a political message.

Two more of Corman’s reasons come from timing and economics. When a firm buys a traditional IT system, it can count on the software company’s support for a set amount of time. Only in the last few months have some chipmakers and software vendors offered 7- and 10-year support for IoT products. Some still don’t provide any specified support contracts, or they limit the term to 2 or 3 years.

In some cases, that’s because the economics don’t yet make sense. A connected product that generates a small profit may require years of updates, patches, and security evaluations. In the future, the cost of goods sold may need to include annual security updates and patches.

Corman’s fifth reason has to do with the scary reality that many connected devices are built with software, hardware, and firmware that are created by different companies and pieced together at the end. It takes only one weak link to create a vulnerability, so if the company that created the telematics system for a car doesn’t update its software, the entire car becomes vulnerable. The IT world has a similar challenge, but through years of working together, manufacturers have agreed on systems to keep everything patched.
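The support-term and weakest-link points above (reasons three through five) can be made concrete with a small inventory check. The example below is an added illustration, not code from the article or from PTC: it takes a constructed component list for a hypothetical connected car, compares each vendor's committed support end date against the product's expected field life, and reports how long the product will be in the field after the earliest component falls out of support. The component names, vendors, dates and the `Product`/`Component` types are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    """One third-party building block of a connected device."""
    name: str
    vendor: str
    # None means the vendor has not committed to any support term at all.
    support_ends: Optional[date]


@dataclass(frozen=True)
class Product:
    """A device assembled from components, with an expected time in the field."""
    name: str
    ship_date: date
    field_life_years: int
    components: Tuple[Component, ...]


def product_end_of_life(p: Product) -> date:
    """Last day the product is expected to be in use (ship date + field life).

    Ship dates in this example avoid Feb 29, so a plain year shift is safe.
    """
    return date(p.ship_date.year + p.field_life_years,
                p.ship_date.month, p.ship_date.day)


def effective_support_end(p: Product) -> Optional[date]:
    """The product is only fully patchable while EVERY component is supported,
    so the effective support end is the earliest component end date.
    Returns None if any component has no committed support term."""
    ends = [c.support_ends for c in p.components]
    if any(e is None for e in ends):
        return None
    return min(e for e in ends if e is not None)


def weakest_links(p: Product) -> List[str]:
    """Components that define the product's effective support end
    (or, if some have no support term, those components)."""
    end = effective_support_end(p)
    if end is None:
        return [c.name for c in p.components if c.support_ends is None]
    return [c.name for c in p.components if c.support_ends == end]


def unsupported_exposure_days(p: Product) -> int:
    """Days the product is expected to remain in the field after it can no
    longer be kept fully patched. With no support commitment at all, the
    whole field life counts as exposure."""
    eol = product_end_of_life(p)
    end = effective_support_end(p)
    if end is None:
        return (eol - p.ship_date).days
    return max(0, (eol - end).days)


def covers_field_life(p: Product) -> bool:
    """True only if every component is supported through the product's EOL."""
    return unsupported_exposure_days(p) == 0


# Constructed sample inventory (hypothetical vendors and dates).
CONNECTED_CAR = Product(
    name="example connected car",
    ship_date=date(2024, 6, 1),
    field_life_years=12,
    components=(
        Component("telematics control unit", "vendor-a", date(2027, 6, 1)),
        Component("infotainment OS", "vendor-b", date(2029, 12, 31)),
        Component("SoC microcode", "vendor-c", date(2034, 6, 1)),
    ),
)

# Second constructed product: one component with no support commitment.
SENSOR_GATEWAY = Product(
    name="example sensor gateway",
    ship_date=date(2025, 1, 1),
    field_life_years=3,
    components=(
        Component("cellular modem firmware", "vendor-d", date(2030, 1, 1)),
        Component("Bluetooth stack", "vendor-e", None),
    ),
)


def report(p: Product) -> str:
    """Human-readable summary for one product."""
    end = effective_support_end(p)
    return (f"{p.name}: EOL {product_end_of_life(p)}, "
            f"effective support end {end if end else 'none committed'}, "
            f"weakest link(s) {', '.join(weakest_links(p))}, "
            f"exposure {unsupported_exposure_days(p)} days")


if __name__ == "__main__":
    for prod in (CONNECTED_CAR, SENSOR_GATEWAY):
        print(report(prod))
```

The point the check makes visible is that the product's patchability is bounded by its shortest vendor commitment, not its longest: a twelve-year vehicle built on a telematics module with a three-year support term is effectively unsupported for nine of those years unless the gap is closed contractually or by a replacement part.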