In the Internet of Things (IoT) era that we have entered, it is becoming apparent to me that nothing follows a linear progression anymore. The abstract models created by start ups, which can and often do disrupt the industry, promote new ways of engaging in business that are not common sense.
To illustrate this, I’ve made a list of examples that have turned industries on their head and that don’t follow any trends from the past.
Uber — Largest taxi company that owns no taxis
Airbnb — Largest accommodation provider that owns no real estate
Skype — Largest phone company that owns no telco infrastructure
Facebook — Largest media owner that creates no content
Alibaba — World’s most valuable retailer that has no inventory
Netflix — World’s largest movie house that owns no cinemas
Apple/Google — Largest software vendors that don’t write their own apps
SocietyOne — Fastest growing bank that has no actual money
As such, it seems quite natural to me that IT security needs to adapt in a way that is appropriate with the times we live in.
For some time now, we have been focused on the CIA triad and the task of ensuring the Confidentiality, Integrity, and Availability of information. However, as IoT becomes an integral part of both corporate and home users, it is rather natural that we enhance this model with another element: safety.
As Gartner emphasized in the Information Security Summit 2015 in London, safety is something that needs to be on the radar of security professionals and of CISOs, in particular.
The emergence of tools like HomeKit automation provides us with the opportunity to be able to control our environment from our smartphones, but it also might give us a false sense of security and safety.
The fact that there are WiFi kettles these days is amusing and pointless. (Ultimately, somebody still needs to fill the kettles up with water.) However, having weak to non-existent security controls in these IoT “things” is an open invitation for hackers to either cause a short circuit by continuously switching the kettle on and off or to access other devices on your network through your unsecured device. Both scenarios would inevitably affect people’s safety and well-being, and they stem from false assumptions about security requirements.
The minute something is connected to the internet, whether that is a kettle, an IV drip in a hospital, or a nuclear reactor, security must have control fail-safes in place as part of the architectural designs to ensure human safety.
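One way to build the kind of fail-safe the paragraph calls for, shown here as an added illustration that is not part of the original post and not code from any real product: a guard that sits between the network command handler and the heater relay and enforces physical limits regardless of what the app or cloud sends. The thresholds, the lockout behaviour and the water-level interlock are assumed values for a hypothetical kettle; the point is that a flood of toggle commands or a command to heat an empty kettle degrades to the safe state (heater off) rather than to whatever the last packet asked for.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple


@dataclass
class KettleController:
    """Fail-safe guard in front of a network-controlled heating element.

    Hypothetical design (not from any real product). Every network command
    passes through command(); a periodic watchdog tick() runs independently
    of the network. Any abnormal condition resolves to heater_on = False.
    """
    min_toggle_interval: float = 5.0      # seconds that must pass between state changes
    max_toggles_per_window: int = 6       # state changes allowed per window
    window_seconds: float = 60.0
    max_on_seconds: float = 300.0         # hard cap on continuous heating
    lockout_seconds: float = 120.0        # ignore commands this long after a rate-limit trip
    heater_on: bool = False
    on_since: Optional[float] = None
    lockout_until: float = float("-inf")
    last_toggle: float = float("-inf")
    toggle_log: Deque[float] = field(default_factory=deque)
    events: List[Tuple[float, bool, str]] = field(default_factory=list)

    def _trim(self, now: float) -> None:
        # Drop toggles that fell out of the sliding window.
        while self.toggle_log and now - self.toggle_log[0] > self.window_seconds:
            self.toggle_log.popleft()

    def _set(self, now: float, state: bool, reason: str) -> None:
        self.heater_on = state
        self.on_since = now if state else None
        self.last_toggle = now
        self.toggle_log.append(now)
        self.events.append((now, state, reason))

    def command(self, want_on: bool, now: float, water_present: bool) -> str:
        """Apply a network command; the return value is the decision, for logging."""
        self._trim(now)
        if now < self.lockout_until:
            return "rejected: lockout"
        if want_on == self.heater_on:
            return "no-op"
        if want_on and not water_present:
            # Interlock: the network is never allowed to heat an empty kettle.
            return "rejected: interlock (no water)"
        too_fast = now - self.last_toggle < self.min_toggle_interval
        too_many = len(self.toggle_log) >= self.max_toggles_per_window
        if too_fast or too_many:
            # Abnormal command rate (bug, misbehaving app or attacker): go to the
            # safe state and ignore further commands until the lockout expires.
            self.lockout_until = now + self.lockout_seconds
            if self.heater_on:
                self._set(now, False, "lockout: forced off")
            else:
                self.events.append((now, False, "lockout"))
            return "rejected: rate limit; lockout engaged"
        self._set(now, want_on, "command")
        return "applied"

    def tick(self, now: float, water_present: bool) -> str:
        """Watchdog, driven by a local timer rather than by the network."""
        if self.heater_on:
            if not water_present:
                self._set(now, False, "watchdog: water removed")
                return "forced off: no water"
            if self.on_since is not None and now - self.on_since >= self.max_on_seconds:
                self._set(now, False, "watchdog: on-time cap")
                return "forced off: max on-time"
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: a legitimate switch-on, then a rapid off/on flood.
    k = KettleController()
    for want, t in [(True, 0.0), (False, 1.0), (True, 2.0), (True, 10.0), (True, 130.0)]:
        print(f"t={t:6.1f} want_on={want!s:5} -> {k.command(want, t, water_present=True)}")
    print("heater_on:", k.heater_on)
```

The two independent mechanisms matter more than the particular numbers: the command path refuses anything outside the physical envelope, and the watchdog enforces the envelope even if the command path is never called again (for instance because the device is being hammered with traffic or has lost its connection). Logging each decision also gives the owner, or a network monitor, a signal that something on the LAN is trying to drive the device abnormally.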
The interconnectedness of devices permeates physical security and creates opportunities for cybercriminals to potentially exploit vulnerabilities. It can be argued that aspects of physical security are being handed over to digital security as we move away from locked cabinets to encrypted online storage. The human safety element that came with a physical lock should be considered as part of the digital security regime with the same gravitas and due diligence.
Human safety is also dependent upon the safe handling and storage of personal data. There are numerous examples, including the recent Ashley Madison hack, where the leak was followed by reported suicides and by extortion attempts for money.
Other examples where safety is compromised as a result of poor IT security controls include the leak of the records of 780 HIV patients a few months back.
We make use of an increasing number of cloud-based services that either have loosely defined terms or promote security and safety as a built-in feature of the underlying infrastructure.
Recent events like the hack of TalkTalk are not just a leak of usernames and passwords but also of full names, home addresses, and bank account details. These types of details go beyond a simple password reset, as you cannot change your name or your home address (at least not as easily). This is especially so when your information is posted in places like Pastebin for the world to see and exploit.
And then we have the hack against VTech, which exposed the safety of an even more delicate population: kids. The leak of almost 7 million children’s records is an alarming precursor of events to follow, because the purview of human safety is in most cases limited to the scope of regulatory compliance and does not extend to physical implications.
The same way stolen smartphones and laptops end up on eBay, these data sets end up on the dark web for use by groups ranging from organized crime syndicates to pedophiles.
The safety implications must be part of the high-level design of everything from something intangible like a smartphone app to a WiFi refrigerator, so that these devices don’t end up exposed on services like Shodan.io.
Originally Posted on Tripwire's Blog in 2015.
About the Author: Peter Skaronis (@Peter_Skaronis) works for an Insurance company in Milton Keynes, UK. He has been in the Information Security and Business Continuity industry for the past 4 years and has over 15 years of IT Support experience in various roles within Central Government and overseas. Peter is also a Strategic Intervention Coach following training by Tony Robbins and working as a Life Coach at Life Mastery Coach. Peter is fascinated by viewing IT Security from the lens of psychology and believes the future of preemptive measures lies in the intersection of psychology and Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.