Securing the IoT: Protecting Lives Before Hackers Strike

\n

Robert Haim of ACG Research explains why the Internet of Things (IoT) must be fortified before malicious actors can cause harm.

\n

Former U.S. Vice President Dick Cheney famously disabled wireless access to his pacemaker to avoid a terrorist‑induced heart attack. In the 2007 film “Live Free or Die Hard,” criminals hijacked Washington, D.C.’s traffic signals, turning all lights green and creating chaos. These real‑world and fictional incidents illustrate the lethal potential of compromised IoT systems.

\n

With billions of sensors and actuators connected worldwide, weak security is only a matter of time before attackers seize control, trigger dangerous behaviors, or manipulate human operators into making wrong decisions.

\n

How do we stop this before a tragedy occurs? The answer lies in robust security practices tailored to IoT’s unique constraints.

\n

Spot the attack. Stop the attack

\n

The challenge of achieving a “secure” IoT network is that security is inherently a negative goal – you must keep adversaries at bay without knowing their exact capabilities. Many IoT endpoints lack the memory for sophisticated security stacks, forcing us to rethink protection strategies.

\n

\n

“We have to protect the device itself and plan for what happens if it’s compromised,” Haim notes. Shockingly, 55% of companies cannot pinpoint the source of their threats.

\n

Look at actions, not only identity

\n

Mark McGovern of CA Technologies stresses that user behavior outweighs credentials. “Whether it’s a financial institution handling 100 million users or a cable company, the real question is what an authenticated actor does, not who they claim to be,” he says.

\n

CA’s analytics monitor patterns and flag anomalies that diverge from historical behavior, reinforcing machine‑learning models and strengthening trust.

\n

Start with threat modeling

\n

John Michelsen of Zimperium highlights the necessity of device‑level threat modeling. “Before any IoT product reaches market, identify every possible exploitation vector at the device, network, and application levels,” he advises.

\n

At Black Hat 2017, 13 of 15 automated door‑knobs were compromised within hours, underscoring that at least 70% of consumer IoT devices remain hackable.

\n

Everyone must look outside

\n

Roark Pollock of Ziften argues that internal testing alone is insufficient. “External audits, partner certifications, and open‑source community reviews are essential to validate security controls,” he says.

\n

\n

“Don’t rely solely on your engineers,” Pollock warns. External experts and community scrutiny can uncover hidden vulnerabilities.

\n

Use artificial intelligence to police identity

\n

Hank Skorny of Neustar explains that identity is probabilistic. “You must continuously challenge and refine identity assertions using machine‑learning, monitoring every interaction in real time,” he states.

\n

AI‑driven models detect malicious patterns faster than human analysts, enabling instant intervention.

\n

Prove trust across multiple domains

\n

Data protection laws like HIPAA or national security statutes require strict safeguards. Zebra Sports, a provider of athlete telemetry, exemplifies how sports teams apply the same rigorous security principles used in military and industrial contexts.

\n

John Pollard of Zebra Sports notes that capturing unprecedented performance data for NFL teams demands identical protection as any sensitive telemetry, from missile guidance to hospital equipment.

\n

Create trust zones — and enforce them

\n

Not every user needs the same access. Hospital IT staff may need to verify dialysis pump data without viewing it, while field technicians must have limited, role‑based access. Sanjeev Datla of Lantronix emphasizes that trust zones should be defined by responsibilities, not just credentials.

\n

Behavioral analytics help identify outliers—actions that deviate from a user’s normal pattern—triggering alerts and requiring higher‑level approval.

\n

Never forget: everything is connected

\n

Pollock observes that modern IoT devices are essentially full‑blown PCs, yet they are often treated as “dumb” sensors. “All connected devices must be monitored for both state and hygiene. Hardening, behavioral monitoring, and external verification are non‑negotiable,” he asserts.

\n

When IoT devices or applications are vulnerable, lives may be at stake.

\n

The author is Robert Haim, principal analyst – Business Analysis & IoT, ACG Research