Six Questions for IoT Security Expert Dan Lohrmann

Whether you're instrumenting your factory with sensor networks or designing a consumer product that leverages Internet of Things technology, Security Mentor's chief security officer says you need to set your security strategy early.
By Mary Catherine O'Connor

IOT Journal: IoT security can be a real vulnerability, but it's also an opportunity. I've seen some IoT hardware players acquire security software companies recently, and Honeywell and Intel just announced a partnership through which they're integrating Intel Security's McAfee technology with Honeywell's Industrial Cyber Security Solutions for industrial IoT applications. Where are you seeing the most growth and potential in the IoT security market?

Lohrmann: At the moment, IoT is still a buzzword globally for many organizations with too much hype and plenty of confusion. In some cases, companies are just rebranding and marketing their latest version of a traditional product to become an IoT product. Nevertheless, the low-end health market—smart wristbands, etc.—and the higher-end smart-cities and industrial markets are taking the lead.

There is a lot of opportunity in integration of disparate systems and platforms. Industry needs to adopt common standards and business models for IoT, and it must address significant baseline issues regarding privacy and security. Sadly, far too many IoT devices are coming out with minimal security controls at all in their 1.0 versions.

As for advice: I've been telling security pros for more than two decades to "follow the money." The same applies with IoT: "Get on board the boats leaving the dock." As new products become hot sellers, there will be a huge need to securely configure, monitor and manage these IoT devices and platforms with security controls and, sadly, after-market enhancements to security that was not built in up front.

As far as connected cars, health care and smart homes, a lot of money is going into research and new, innovative opportunities, but consumer products, like smart appliances, are slower to take off in most markets due to high cost. The prices will start to drop in 2016 to 2017.

The big auto companies, health-care products companies and large tech companies are investing heavily in IoT—such as Cisco reinventing itself as an IoT company.

IOT Journal: Google-owned Nest is likely the smart-home product best known by consumers. Last year, Google purchased DropCam, a maker of streaming security cameras for the home—and the subject of a widely cited hack. Nest recently announced the Nest Cam, the first new product to leverage the DropCam technology Google acquired. What do you think of the security and privacy protections that Nest uses?

Lohrmann: Like many IoT products, Nest has security holes. One of those reported vulnerabilities was a hardware backdoor that anyone with a USB port could use. I like this Black Hat presentation from 2014, which pointed out the strengths and weaknesses inherent in Nest at that time.

I would say that I have little doubt that Google will close the Nest security holes as quickly as they can. Nevertheless, there is no doubt that we will continue to see problems with Nest security and privacy features going forward.

I suspect that, taking a big step back, people will trust companies like Google and Microsoft more than smaller startup companies with their security, despite these setbacks, because of their name and the trust they have built with consumers. Where new companies are very successful, as Nest was before being acquired, I think you will see those companies acquired and rolled into the tech giants.

For example, look at the security and performance around Google's cloud offerings. Yes, there have been failures and even network outages. And yet, the overall use continues to grow dramatically. I predict we will see the same with IoT.

Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations