SAN FRANCISCO, Nov 19 - The rapid spread of utility meters, medical equipment and even cars connected to the Internet is drawing scrutiny from regulators and big business suppliers worried about privacy and security issues.
Though security researchers have shown they can hack into power meters, medical devices, industrial equipment and even moving cars, the fragmented market and regulatory structure have done little to improve defenses against malicious hackers.
Now a number of businesses used to providing more traditional Web security are moving into the market, and the U.S. Federal Trade Commission will hold a public workshop on the subject on Tuesday.
The FTC session will include panels on connected home devices and cars and feature technology executives and regulators as well as academics and advocates.
In announcing the workshop in April and soliciting comments, the FTC asked how such gadgets can be updated when security holes are discovered and how to weigh privacy concerns against societal benefits from aggregating data provided by health-tracking gadgets.
The Department of Homeland Security has also stepped up its scrutiny, coordinating disclosures of new research and warning device manufacturers as well as the general public when flaws emerge.
Smart meters are getting much of the attention so far, because their distribution is expanding rapidly and because of the Obama administration's concern about the impact of a blackout or other disruption from hacking the power supply.
February's executive order on cybersecurity stressed the need for critical infrastructure providers including utilities to work on developing security standards, though they would remain voluntary without new legislation.
The problems vary by device and by type of business. Many industrial controls were not designed to be connected to the Internet and now are. Others have means for "backdoor" access by vendors that can be discovered and used by hackers. In both of those cases, access is too easy.
Other gadgets have the opposite shortcoming. Without a regular, sure-fire way to accept and install updates once problems arise, the gear doesn't have enough access.
"Everything is becoming connected quickly, but a lot of the time it isn't being done with security in mind," said Frank Dickson, a network security industry analyst at Frost & Sullivan.
One of the broadest problems is the inability of many devices to know exactly what they are communicating with.
Dallas-based Entrust Inc, which already provides authentication for banking and other websites and physical site access, has expanded into smart meters and the like, said Senior Product Manager Chris Taylor.
A potentially much bigger player, telecommunications giant Verizon Communications Inc, said it is joining the market Tuesday.
Verizon, which already offers a variety of Web security services, said its system would use digitally signed certificates and remote cloud access to verify that machines are what they say they are when they connect to each other.
"The potential is in the millions [of instances] for larger-scale applications," said Eddie Schwartz, vice president at Verizon Enterprise Solutions. He said Verizon would focus on the power, transportation and medical industries. "Security is pretty much of a mess for anything that's not traditional" information technology.
Analyst Dickson said Verizon's size and the prospect of toughened regulations would make Verizon's offer "compelling" for some customers.