Finding the path to a secure Internet of Things (IoT) is like the old joke about a tourist asking for directions, according to Tom Uren. "Well if I were you, I wouldn't start from here."
"If you said to me, 'Let's create a world where people sell really insecure products that can be used to attack the very fabric of the internet, let's do that,' I think most people would say 'No, no, that's probably not a good idea.' You should probably step in and do something and stop that kind of world. And yet this is the world we're in," Uren told ZDNet.
"We're almost certain that things are in the wrong place now, but it's really hard to tell what the right next step is. But we should probably do something."
Uren is a visiting fellow at the International Cyber Policy Centre (ICPC) at the Australian Strategic Policy Institute (ASPI), and is co-author with research intern Eliza Chapman of the issues paper, The Internet of Insecure Things, released on Monday.
The key messages of this brief paper are that an insecure IoT is a threat to Australia's critical infrastructure; that it isn't entirely clear who's responsible for defending what; and that it isn't clear how standards and regulation would work or even help.
"Digital weapons are being used intentionally by nation-states to inflict physical destruction or compromise essential services," Uren and Chapman wrote, noting the presumed Russian attacks on Ukraine's power grid.
As an example of how a similar attack could affect Australia, they offered the severe storm that cut power to 850,000 customers in South Australia in 2016.
"Trams stopped working, as did many traffic