Only a few people would contest the assertion that the phenomenon of the Internet of Things (IoT) poses problems related to security, safety, and privacy. Given the remarkable industrial and consumer diversity of the IoT, one of the principal challenges and goals we faced when electing to write this book was determining how to identify and distill the core IoT security principles in the most useful, but industry-agnostic, way possible. It was equally important to balance real-world application with background theory, especially given the unfathomable number of current and forthcoming IoT products, systems, and applications. To this end, we included some basic security (and safety) topics that we must adequately, if minimally, cover, as they are required as a reference point in any meaningful security conversation. Some of the security topics apply to devices (endpoints), some to communication connections between them, and others to the larger enterprise.
Another goal of this book was to lay out security guidance in a way that did not regurgitate the vast amounts of existing cyber security knowledge as it applies to today's networks, hosts, operating systems, software, and so on, although we realized that
some is necessary for a meaningful discussion on IoT security. Not wanting to align with a single industry or company selling products, we strove to sufficiently carve out and tailor useful security approaches that encompass the peculiarities and nuances of what we think both distinguishes and aligns IoT with conventional cyber security.
A wide range of both legacy industries (for example, home appliance makers, toy manufacturers, and automotive manufacturers) and start-up technology companies are today creating and selling connected devices and services at a phenomenal and growing
rate. Unfortunately, not all are terribly secure—a fact that some security researchers have unrelentingly pointed out, often with a sense of genuine concern. Though much of the criticism is valid and warranted, some of it has, unfortunately, been conveyed with a certain degree of unhelpful hubris.
What is interesting, however, is how advanced some of the legacy industries are with regard to high-assurance safety and fault-tolerant design. These industries make extensive use of the core engineering disciplines—mechanical, electrical, industrial,
aerospace, and control engineering—and high-assurance safety design in order to engineer products and complex systems that are, well, pretty safe. Many cyber security engineers are frankly ignorant of these disciplines and their remarkable contributions
to safety and fault-tolerant design.
Hence, we arrive at one of the serious obstructions that IoT imposes in terms of achieving its security goals: poor collaboration between the safety, functional, and security engineering disciplines needed to design and deploy what we term Cyber-Physical Systems (CPS). CPS put the physical and digital engineering disciplines together in ways that are seldom addressed in academic curricula or corporate engineering offices. It is our hope that engineers, security engineers, and all types of technology managers learn to better collaborate on the required safety and security-assurance goals.
While we benefit from the IoT, we must prevent our current and future IoT from harming us as far as possible; and to do this, we need to secure it properly and safely. We hope you enjoy this book and find the information useful as regards securing your IoT.
