Preface

Only a few people would contest the assertion that the phenomenon of the Internet of Things poses problems related to security, safety, and privacy. Given the remarkable industrial and consumer diversity of the IoT, one of the principal challenges and goals we faced when electing to write this book was determining how to identify and distill the core IoT security principles in as useful, but industry-agnostic a way as possible. It was equally important to balance real-world application with background theory, especially given the unfathomable number of current and forthcoming IoT products, systems, and applications. To end this, we included some basic security (and safety) topics that we must adequately, if minimally, cover as they are needed as a reference point in any meaningful security conversation. Some of the security topics apply to devices (endpoints), some to communication connections between them, and yet others to the larger enterprise.

Another goal of this book was to lay out security guidance in a way that did not regurgitate the vast amounts of existing cybersecurity knowledge as it applies to today's networks, hosts, operating systems, software, and so on, though we realized some is necessary for a meaningful discussion on IoT security. Not wanting to align with a single industry or company selling products, we strove to sufficiently carve out and tailor useful security approaches that encompass the peculiarities and nuances of what we think both distinguishes and aligns IoT with conventional cybersecurity.

A wide range of both legacy industries (for example, home appliance makers, toy manufacturers, automotive, and so on) and startup technology companies are today creating and selling connected devices and services at a phenomenal and growing rate. Unfortunately, not all are terribly secure—a fact that some security researchers have unrelentingly pointed out, often with a sense of genuine concern. Though much of the criticism is valid and warranted, some of it has unfortunately been conveyed with a certain degree of unhelpful hubris.

Interestingly, however, is how advanced some of the legacy industries are with regard to high-assurance safety and fault-tolerant design. These industries make extensive use of the core engineering disciplines—mechanical, electrical, industrial, aerospace, and control engineering—and high-assurance safety design to engineer products and complex systems that are, well, pretty safe. Many cybersecurity engineers are frankly ignorant of these disciplines and their remarkable contributions to safety and fault-tolerant design. Hence, we arrive at one of the serious obstructions that IoT imposes to achieving its security goals: poor collaboration between safety, functional, and security engineering disciplines needed to design and deploy what we term cyber-physical systems (CPS). CPS put the physical and digital engineering disciplines together in ways that are seldom addressed in academic curricula or corporate engineering offices. It is our hope that engineers, security engineers, and all types of technology managers learn to better collaborate on the required safety and security-assurance goals.

While we benefit from the IoT, we must prevent, to the highest possible degree, our current and future IoT from harming us; and to do this, we need to secure it properly and safely. We hope you enjoy this book and find the information useful for securing your IoT.