Look out security! Here comes the Internet of Things

With around 4 billion usable addresses available, the older IPv4 web addressing protocol has just about exhausted its address space, and that should propel increasing use of the 340-undecillion-plus addresses available through IPv6. We're going to need a fair chunk of that unimaginably large address space — as Steve Leibson put it, "We could assign an IPV6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100-plus earths" (source: IPV6: How Many IP Addresses Can Dance on the Head of a Pin?, Mar. 3, 2008) — by 2020. That's the point at which networking giant Cisco projects that we'll be consuming somewhere around 50 billion IP addresses of one kind or the other (mostly IPv6 by that point, obviously).

I draw my inspiration, and my ammunition, from a "Special Report on Cyber Security" that appeared on July 12 in The Economist (this article is behind a paywall, and available only to paid-up subscribers; apologies to those who don't qualify). In a segment entitled "Home, hacked home" (pp. 8-9) of that special supplement to the July 12-18 print issue of the magazine, the following chart appears:

 

Economist chart

By 2020, IPv6 addresses will outnumber the whole IPv4 address space by 4:1, thanks in large part to "The Internet of Things."

This blog post isn't another lament about the exhaustion of IPv4 address space, though: It's a rumination on the sources of growth that Cisco projects in the foregoing graph as to where increases in Internet address consumption are most likely to come from — primarily, mobile communications, consumer electronics and medical devices, and industrial devices of all kinds. I read the graph to indicate that about half of the 50 billion total will fall into those categories, all of which are home to el cheapo, low-end SoC (system-on-a-chip) architecture with low-budget protocol stacks and software to match. More to the point, all of those devices come with equally low-end (and some would even argue "no-end") security to match. This market area is often called the "Internet of Things" (IoT) and represents the next big push of Internet technology into the way life is lived and run on our planet.

What does this mean for readers of this blog? I take those readers to be practicing or aspiring IT professionals, with interests in IT certification and possibly also some interest in one or more of the many aspects of information security (including vulnerability assessment, penetration testing, security policy, security models, risk assessment and management, governance and compliance, and a whole lot more). Thus, to those readers I make two observations: First, that this is a huge growth vector for security coverage and concerns; and second, that where there are problems and issues (some of which have already been found, and found to be quite troubling, as The Economist reports in the aforecited cybersecurity supplement) there are also great opportunities for personal and professional development and also for financial and professional success.

If you add the automotive sector to the three mentioned in the preceding paragraph (mobile communications, consumer electronics and medical devices, industrial devices) then you've captured most of the so-called IoT, whose age is dawning right now, and whose explosion into all aspects of our lives is imminent. This is an area where device makers need to think long and hard about security. The basic system building blocks, and the software components that run on them, need to be architected with security in mind, and the ability to patch and update them for security improvements, enhancements and bug fixes needs to be aggressively and proactively supported.

To me, this speaks of great opportunities for interested IT professionals at all stages of the lifecycle for "Things on the Internet." During design, testing, and pilot phases, there will be opportunities for designers, engineers, software builders and product testers. In production and maintenance, there will be work in great volumes available to those who install, troubleshoot and maintain such devices. Also, there will be particularly strong opportunities for those who monitor the threat environment for the IoT, analyze risks and vulnerabilities, and design countermeasures, workarounds, and mitigation for the inevitable hiccups and exposures bound to occur as usage continues to spike in the decades ahead.

Near the article's conclusion, you'll find the following sentences:

Some companies are now trying to build security into their products from the start. Broadcom, a chipmaker, recently unveiled a microchip specially designed for web-connected devices that has encryption capabilities baked into it, and Cisco has launched a competition offering prizes for the best ideas for security of the internet of things. But many firms plunging into this market are small startups which may not have much experience of cybersecurity.

I have to guess this means that the current infosec bonanza, which has seen certifications like the CISSP, CISM, SANS GIAC and many more operate as something of a "gold standard" for IT professionals for the past decade and more, looks likely to continue (and grow dramatically) in the years ahead. Given that so much of our world is likely to be online so very soon, and that keeping that world secure is so important, infosec appears to offer glittering possibilities in large volumes for those seeking work for the foreseeable future.

 

About the Author

Ed Tittel is a 30-plus-year computer industry veteran who's worked as a software developer, technical marketer, consultant, author, and researcher. Author of many books and articles, Ed also writes on certification topics for Tech Target, ComputerWorld and Win10.Guru. Check out his website at www.edtittel.com, where he also blogs daily on Windows 10 and 11 topics.