The Security of the Internet of Things is not about the Things

Alasdair Allan
Nov 12, 2018

There is no real way to make a computing device really secure. It’s arguable therefore that a modern approach to security should be all about defence in depth, rather than any one individual security measure that would make a thing magically secure. Security is therefore about avoiding mistakes, rather than making them. About seeing the path ahead.

Every layer of security helps, at least if it is implemented in a realistic way with realistic expectations. However, it’s arguable that on their own most security measures don’t help all that much. So security is always going to be an accumulation of measures, rather than the individual measures you take.

If everything is hackable, and it is, and anyone that tells you otherwise is trying to sell you something, then what you need to do is turn things on their head. Don’t think about security, think about risk. There are really only two questions you should ask about the security of a thing: “…what is the risk that this device will be compromised?” and then “…if it is compromised, what are the consequences?” Your approach to security should always be about the risk, the consequences, if you fail. Because at some point you will.

I’ve argued before that I think we’re approaching securing the Internet of Things in the wrong way, and that today’s unsubtle hacks of our things are probably going to be the least of our worries.

A hack where you know you’ve been hacked is not actually as scary as one where you don’t. One where you make decisions based on potentially compromised data is far worse. Even data that is only subtly wrong can have far-reaching consequences if the decisions are costly; just ask anyone trading on the stock exchange if changing a number a fraction of a percent in one direction is going to be entirely consequence free.

Malicious data injection into autonomous systems of things is perhaps the most problematic of the potential attack scenarios that we’re facing, or will face, in the next few years. The concept of malicious data, so-called “maldata,” and data spam aren’t in wide circulation yet, but it’s only a…