Not long ago, Dick Bussiere visited a power station. The visit was part of his job as Tenable Network Security's principal architect for the Asia Pacific Region. And what did he find? A machine running Windows 2000 Server connected to the network, in control of things.
That operating system is half a decade past its use-by date.
Bussiere wasn't surprised, however. In the world of the Internet of Things, all these things have a much longer life cycle.
"What's your definition of a thing? My definition of a thing is any computing platform that has a non-traditional interface with respect to a human being," Bussiere told ZDNet on Wednesday.
By Bussiere's definition, a smartphone is still a traditional interface, just like a desktop PC, because it's designed to interact directly with a human who's driving it in real time. But devices in a power station, controlled from a geriatric server, not so much.
"A thing is probably something that you're going to want to set and forget, but this thing can communicate with other entities in an intelligent way to accomplish an objective -- monitoring something, switching lights off and on, whatever you want to do."
And these things -- older ones like those in the power station, and newer ones like smart cars and smart refrigerators and Nest thermostats and all the rest -- aren't things that you replace every few years on the whim of fashion. They last for years. Maybe a decade or two.
Which raises the concerns that many of us who pay attention to security have raised before.
"Over a long life cycle like that, who's going to own maintaining these devices? Are the companies going to patch them? Are the companies going to continue to exist, as these life cycles go on, and on, and on? In most cases, probably not," Bussiere said.
"Over the long term, these things are not going to be properly maintained at all, and likewise, they're probably not going to be tested appropriately from a security perspective."
It'll be even worse than the Android fragmentation I wrote about last week, especially with cheap devices like light bulbs and household trinkets.
"People are going to use whatever copy of Linux they can get, whatever [software] stacks they have, whatever the cheapest possible thing they can get their hands on, to keep the cost down," Bussiere said.
There'll be problems with higher-priced items too.
"Car manufacturers are good at making cars, and good at making machinery. They don't have a lot of experience in heavy-duty security testing on electronic devices that are interconnected, nor do they have the skill sets required to do that within their organisations," Bussiere said.
"It's a lot different from an operating system that gets hammered on -- day in, day out -- by just about every hacker known to man."
Bussiere thinks there should be some sort of minimum cyber safety standards for the Internet of Things. I agree. Just as we have standards for electrical appliances, to help make sure we don't fry our faces before breakfast, we need some sort of label that says, 'Yes, this device has been tested, and will get patched'.
"There needs to be a standardised way of ensuring that this internet-attached appliance that you're putting someplace on your network meets certain baseline levels of security. I think that has to happen as an industry," Bussiere said.
This goes double for anything that's part of a life safety system, such as cars or medical devices.
"Anything like that, the cyber security of that device, I would venture to say, is equally as important as the physical safety of that device from an electrical perspective. Because if a bad guy disables the brake system in your car, you die."
A start has been made with the OWASP Internet of Things Top Ten Project, but again, that's only a start.
What Bussiere has in mind is something along the lines of the Wi-Fi Alliance and its Wi-Fi Certified label. That took time, but eventually it meant that we had more secure wireless networks.
Ah yes. Time.
As I wrote last week, it took half a decade for Microsoft to fix the deep security problems with Windows, and that was all happening inside a single organisation, with a strong CEO to drive the change. By comparison, the Internet of Things is a hundred thousand random Kickstarter-fed projects with the attention span of a gnat.
I suspect that another of Bussiere's thoughts is bound to be true: "There has to be a catastrophic event before people start to take it seriously."