Why is securing the Internet of Things so difficult?

It’s inevitable, isn’t it, that the security industry should be all over the Internet of Things. If you’re feeling like you’ve heard it all before, you probably have. Top of the list of topics is that the ‘things’ themselves are going to be insecure. They’re running operating systems and software, neither of which may have been considered with security in mind.
The consequence is a massive increase in what security pros know as the ‘attack surface’, that is, the scope of stuff that can be targeted by malicious hackers, fraudsters or other nondescripts. The resulting challenge is very real, particularly given the personal nature of information being captured — from heart rates to locations — and its potential for misuse.
In the spirit of a brainstorm, let’s make an assumption however: that there is nothing we can do about it. The genie is well and truly out of the bottle, let us say, and our every movement and behaviour can and will be logged for personal, commercial and governmental purposes. While we may benefit, we also may need to live with the security risks.
This ultra-transparent scenario may not become the case, but even if it doesn’t, there will be situations that make it seem that way. What is more, the devices that we rely upon will inevitably become both smarter, and more susceptible to attack. We need to face up to our complicity in this: who thinks about data security before buying a fitness device, for example?
By seeing such risks as read, we can bank them and move on to other areas of concern. The above covers data, but in its most granular sense — facts about individuals, or login details, are a risk in themselves. But there’s a deeper level — that the data is open to manipulation.
For sure, insurers may refuse to cover an individual whose fitness device shows the occasional heart flutter. But what if the data stream itself is modified, through malice or through incompetence, such that numerous heart rates incorrectly indicate a flutter?
Some have speculated about the potential to modify agricultural data as a way of manipulating futures markets. Equally, a home automation company could rig your systems so it made more money — for example, turning on the heating for 29 seconds extra every day. Not a figure to register on one thermostat, but one that would ring up a large amount of small change.
So, not only do we need mechanisms to protect the confidentiality of our data, based on the same assumption that the bad thing is reasonably likely to happen, we also need to consider how to prove that the data is valid.
One possibility is to make every single sensor reading linked to a security key, but the phrase sledgehammer and nut springs to mind. Equally, the scale of the solution would be too costly to be achievable.
Is there an answer? Yes indeed, and it lies in taking a leaf from the works of the Jericho Forum, that body of Chief Information Security Officers founded in 2002 and disbanded a decade later, when the group deemed its work on ‘de-perimeterisation’ to be complete. Complete? Really? How could information security ever be complete?
The CISOs realised that they needed to manage data wherever it was, rather than trying to keep it in one place — and to do so, they needed a way to identify who, or what, was creating or accessing it. In November 2010 they announced the Identity and Access Management Commandments, a set of design principles technologies need to adopt.
This finding — that identity needs to be present — is profound. A corollary principle has been adopted by Google in its Beyond Corp initiative for its internal systems, which treats networks as insecure and instead, enables data access based on being able to identify the device, and the person, making the access request.
We could take this insight one step further. That data which cannot prove its provenance (i.e. from an identifiable person or device) could, or even should be treated as invalid. The notion of security by design is a start, but perhaps it will only be through identity by design that we can architect the Internet of Things to be both transparent and trusted.