10. Dealing with Security, Privacy, Access Control, and Compliance

IoT has dramatically enlarged the playing field with devices and data. While this brings many benefits, it also creates significant exposure to security and privacy vulnerabilities. IoT amplifies the access points for data and control, which in turn amplifies the intrusion points [1–3]. While we continue to build defenses in devices and networks, we also have to deal with a huge population of legacy devices, applications, and networks where inbuilt protection was limited [4, 5]. The threats are becoming more persistent and the impact more profound, sometimes debilitating to businesses. The threats are equally high for consumer IoT businesses as well as industrial IoT businesses. History is riddled with many examples of security breaches with significant impact. The discovery of Stuxnet [6] in 2010, a small 500 kb worm that infected the software for 14 Iranian nuclear power plants brought a lot of focus to this subject. However, there are examples from before. The Slammer worm disabled the Davis-Besse nuclear power plant in 2003. We continue to hear stories about credit card and another personal information breach all the time. A 2014 SANS survey reported 7% more respondents indicate a breach of their environments [1].