Start with a Bottle of Bayer
James's petrol station adventure hints at some of the extremely vexing security concerns created by device networking. Mitigating those risks will cost the CSO or the CIO charged with data security time, dollars and probably a fair amount of aspirin as well.
First, even if non-computer devices (for example, petrol pumps) had the same security profile as conventional networking equipment (such as PCs and routers), security costs would go up because risks rise exponentially with the number of nodes on the network, and device networking is all about adding nodes. But non-computer devices are far more vulnerable than the usual stuff of networks. Most come into the system with no support for network security. No encryption, virus scanners, access control lists or patching support. All these have to be created or added by someone (again, you). Employee training costs are higher because most devices come out of environments in which no one thought twice about security - or at least not about network security. If you thought getting people to follow smart practices with desktop computers was tough, wait till you try training them to think about protecting a networked air conditioner.
Second, the applications for these devices tend to be more dependent on low-latency, real-time connectivity than traditional Net functions like e-mail or Web surfing. Voice over IP (VoIP) is a classic example of an application that requires low latency, but you don't want a camera feed or a door lock hung up by a server crash either. Some security professionals believe that wherever possible, networked devices ought to have enough local intelligence to keep services flowing in case of a network failure (a conclusion that the management of Lance James's Arco station probably has arrived at independently).
Perhaps worst of all, device networking provides sociopathic teenagers, disgruntled employees and overaggressive competitors with lots of extremely cool new targets for mischief and mayhem, like locking your elevators, e-mailing files from the printer queue to random recipients, or turning VoIP phones into intercepts for every word spoken in their vicinity. A networked GPS is as able to track a vehicle's whereabouts for a hijacker as it is for a manager.
So who has the answers to device networking's questions? In fact, the CSOs and CTOs of network security companies are the ones who seem to have thought most deeply about the subject, both because it is part of their culture and because a successful hack against a security provider might affect not only its network but its brand as well. These luminaries spell out a couple of ways to approach policy and architecture to help secure the device-ridden networks of the future.
First off, there is the extreme tack: Taher Elgamal, CTO of Securify, a network management software company, doesn't allow devices on his network at all. One reason is that he expects spammers to discover networked printers any day now and doesn't want to put his company in their sights. "Fax spam is bad enough," he says.
Mike Hrabik, CTO of security services provider Solutionary, on the other hand, was an early adopter of networked devices, including cameras, power supplies, air conditioners, generators and printers. According to Hrabik, Solutionary has used VoIP for four years, which is like having had e-mail for 20. His security solution was in its own way as extreme as Securify's: He connected the devices with their own IP network, with separate cabling.