Unsecured Internet of Things (IoT) devices are "appearing like lice", says Earl Perkins, a research vice president in the Security and Privacy team at Gartner. The culprits, he said, are the operational technology (OT) people.
"The OT people have found a [cheaper] way to replace legacy systems for collecting data about the performance of their industrial machines and environments," Perkins told the Gartner Security and Risk Management Summit in Sydney on Monday.
"Everybody thinks it's a great idea to connect stuff together. The industrial people are really happy about this, because they're short-handed, and they say, well I can run my SCADA network -- you know, the one that kind of controls the power grid -- I can do it from home on a weekend," he said.
There's an obvious problem with that. What happens when someone else comes in through the power grid's gateway?
"I think the technical term for that would be 'a bad day'," Perkins said.
That kind of problem should be expected, but there have already been some unexpected problems.
"You've got universities being attacked by their own vending machines," Perkins said.
We've previously joked about the potential for a SCADAgeddon, when a nation's critical industrial control systems would all be hacked at once, or even when all the household appliances turn evil as part of some Refrigergeddon.
Now it's actually happening, though these malicious cabinets are full of chicken crisps and chocolate bars.
"IoT makes that more likely, not less likely, because it's proliferating in an unmanaged way," Perkins said.
But back to the cyber lice ...
"The innovation is starting to outstrip our ability to be able to manage the complexity they create ... It's great to be able to innovate like that, and gather data like we never have before, or even to effect change like we never have before. But there's always a downside," Perkins told ZDNet.
"The downside is you create such a complex surface of devices and relationships, interchanges of data between the devices, in between applications, in between people, and all of those things, that you're now taxing the limits of what human beings can do to secure them."
The situation isn't helped by the lack of investment in IoT security.
"There isn't a lot of IoT security out there yet," Perkins told the conference, and Gartner's prediction is that the market will remain small for the next few years. "No matter how much we finagled with the numbers, we couldn't come up with $1 billion by 2020."
That might sound like a lot, but Gartner is also predicting that by 2020 we'll have 20.4 billion connected IoT devices. Five cents per device doesn't buy you much security.
"The hottest-selling product today in IoT security is discovery, profiling, tracking. Number one. And the most ironic thing about it? It's not about security. It's just about finding stuff," Perkins said.
"After 2020, our numbers began to do some really weird things, and it began to look kinda bad."
A slide towards the end of Perkins' presentation listed some of the many things we need to get right about IoT security.
At the device level: device impersonation, device hacking, device counterfeiting, snooping, tampering, disruption, and physical damage. At the platform level: hacking of the platform itself, data snooping and tampering, and sabotage of both the automation and the devices. And at the business process level: issues around business disruption, financial waste, espionage, and fraud.
"We won't get everything on the first round. We're still going to learn as we go. Humans are like that. Something breaks, we cry about it, and then we go fix it. Then something else breaks, we cry about it, and we go fix it, right? We're going to have to do that with IoT now. The window closed. I was really hoping we'd make it, but it's gone already," Perkins said.
Until then, brace yourself for the vending machine-led Cyber Chocolatocalypse.