
Internet of Things (IoT) is the term du jour. As adoption increases, the natural question becomes: how has it been secured? To understand an effective security strategy for IoT, we first need to understand where the value from IoT is generated. The ability to use data, collected from a variety of locations and sources, to drive decision making is a key asset of the IoT and one that will help organizations to reap the financial benefits it promises. Whether pulling information from sensors on an oil rig in the middle of the ocean or accessing extremely time-sensitive data created by machines on manufacturing floors, it’s the ability to respond strategically, supported by data-driven decisions in the moment, that creates real value.

When we see opportunity for value creation, we know two behaviors are destined to follow. First, businesses will attempt to capture that value through individuals innovating, solving problems for customers and otherwise improving profitability and/or capabilities. Second, so will criminals. If you want to see how aggressively criminals chase value, look at some of our reporting on the targeted bitcoin phishing campaigns. What is clear is that cybersecurity is set to be the issue that slows businesses down in capturing the value made possible by IoT.

“An IoT system will only be as secure as the most insecure component in the system.”

This statement is made repeatedly by security purists and is focused on the wrong goal. The goal is not to be secure. The goal is to be resilient. It is true that a critical vulnerability in a solution can certainly change the security posture of the organization using it. However, once we accept that a single insecurity in a component of a system is possible – and maybe likely, depending on the device – it can be addressed by understanding the system-wide security posture and how vulnerability is handled. Which systems are built with fundamental security (i.e. secure development lifecycles, secure boot, image signing, and runtime protections) and which are not? Which are actively managed and quickly patched, and which are not? What threats will the system face throughout its lifecycle? What environmental threats will it face? For example, a connected home will face different threats than a nuclear power plant. All of these factors contribute to a strategy for both IoT resilience and resilience in the value created by IoT.

Since the IoT is so data-driven, how that data is protected and its associated privacy also play a critical part in the discussion. It’s important that products and solutions are designed in a way that properly handles data security and privacy throughout the whole solution – from source (sensors) to processors to consumers of that data (a machine or person). Security and privacy should not be bolted on as an afterthought in IoT, but built in from the beginning.

Intuitively, the mantra becomes: “security for IoT isn’t just about the thing. Security of IoT is about the whole system.”

With that in mind, three fundamental points help frame the discussion:

  • Security must be an enabler. IoT will bring scale and that scale will drive management costs and new complexities that will immediately put tensions on security, data protection and privacy. Without building security in from the beginning, solutions will quickly evolve to meet business needs and security will be left behind.
  • Every piece plays a part. Every component of the solution has a minimum bar. Things must have foundational security, data protection and privacy built in. The networks that connect and manage those things must pick up the slack on security by having higher levels of resilience and knowledge about things. The data consumers must robustly protect privacy. Every part of the system has a role to play.
  • Everyone needs to get into the act. Who is deploying IoT in your enterprise? Your facilities management people, your value chain organization, your lines of business. This is not “just” an IT security conversation anymore. Multiple stakeholders are making decisions about deploying IoT projects, which means everyone needs to be thinking about security.

An overarching theme is one of collaboration and partnership. We are all in this together.

In follow-on blogs, we’ll talk about these three fundamental elements in more detail and propose solutions for how to address each. Please join the discussion with questions and comments.



Authors

Anthony Grieco

SVP & Chief Security & Trust Officer

Security and Trust Organization