The IoT Security Summit 2017 in New York City in late October and the Security of Things World USA 2017 in San Diego last month were both packed with thought leaders from all parts of the IoT ecosystem – device manufacturers, telecom carriers, cloud providers, and early-adopter end users from vertical industries. They came, they saw, and they tried to conquer the many security challenges faced by organizations when implementing IoT initiatives . . . but came away with many unanswered questions.
One roundtable discussion at the San Diego event, “Risk and the IoT: How might IoT Shift the Liability Landscape?” led by Cherie Dawson, Global Cyber Product Leader at AIG Commercial Insurance, made it clear that few want to take on liability for ‘things’ that can happen in the new world of IoT. For example, we talked about what happens if a driverless car has an accident . . . who’s responsible? The auto manufacturer? The insurance companies? The software developer? These issues are still up in the air and in heavy discussion at many seminars where these organizations gather regularly to come up with answers. New regulation and frameworks for assessing risk and liability are likely solutions.
And the clock is ticking to create solutions to these potential problems, as Spencer Brown, Information Security Specialist at General Motors, explained. They plan to offer five levels of driverless cars in the near future – from completely autonomous vehicles with interiors designed like your own living room with no steering wheels or front-facing seats, to options that allow the driver to take over operating the vehicle when needed. Driverless cars are coming soon to a street near you, and as such, liability issues and, more importantly, security issues need to be locked down.
Energy, utilities, and local government sectors were heavily represented at both events with exciting IoT initiatives that will change the way consumers interact with these entities. Imagine being able to save money on your power bill by having sensors on your A/C unit that can automatically adjust to brown-out levels during peak usage, if you elect to do so. With data gathered from these sensors, utility companies will be able to offer consumers more cost-saving and time-saving services – all of which will require us to give up a bit of privacy with the collection of more data. These privacy concerns were discussed at both conferences in the General Data Protection Regulation (GDPR) sessions, where there was consensus that data privacy issues affecting EU citizens will spill over to the U.S. as many corporations have EU citizen data in their systems even if their headquarters are in the United States.
Michaela Iorga, Senior Security Technical Lead for Cloud Computing at the National Institute of Standards and Technology (NIST), gave us a glimpse of the future with her session on “The Yin-Yang of the IoT World: Security vs Privacy.” She provided the past, present, and future of intelligent virtual assistants – from Amazon’s Alexa to the Jibo robot and the brand new digital employee, Amelia. All will blur the lines of privacy and security, which must be addressed if these technologies are to deliver on the promise of convenience.
All this talk of new technology and new ways to digitally transform business was the central point of discussion at Coalfire’s icebreaker session moderated by Kennet Westby, Chief Security Strategist at Coalfire, on opening night in San Diego. A group of 25 attendees from all parts of the IoT ecosystem said it was clear that risk is on the move, going back and forth across all networks, applications, and environments – and hence must be identified and secured. These are big challenges indeed, and it’s good news that constituents from the entire ecosystem are gathering at conferences like these where we can discuss how IoT is transforming the business world for the better, and how we can ensure that security is a foundational element in making that happen.