SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
It’s time to move on from “what is the Internet of Things” discussion if you want to secure it
Thu, 13th Oct 2016

Among Gartner clients we are now beginning to see IoT “definition fatigue” set in as the glitz and excitement surrounding the concept settles into the hard business light of day.

The “discovery” of what a pervasive digital presence does to an industrial, commercial or consumer environment is now clothed in thousands of different examples that leave some people scratching their heads and saying “is that what they call the Internet of Things, or is it something else?”. Let me answer that for you: forget about it.

Labelling something “IoT” for whatever reason isn't as important as we're making it out to be. What is important is that you have recognised that something is happening that may not be within your current experience, and that you therefore may not entirely know how to secure it.

Besides, the term IoT never did convey its real value to business or personal outcomes, which is something a good definition should do. This pervasive digital presence is there to deliver specific industrial and commercial business outcomes, or to deliver specific social or personal outcomes.

We engage in IoT because we want to “do something” new or better, whether it is to have unprecedented visibility into a process within a physical system that is equipped with a rich sensor network, or to be able to remotely make fine-tuned changes to the operation of a machine or device that makes physical things really happen, like autonomous automobiles, power plants or home security systems. One great irony is that the IoT as a concept is not new at all; that is why I put “discovery” in quotes above.

Industrial automation and control engineers were shaking their heads and laughing about all of the fuss when IoT broke into our business consciousness and discussions, because they've done a form of IoT since the steam engine and telegraph. The engineering community as a whole is familiar with IoT concepts and has been for some time.

Commercial and consumer verticals are now using sensors and actuators in large quantities on wireless networks and believe they've discovered the Next New Thing when they've really just gone Back to the Future.

Gartner's definition of an IoT device is “the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment. The IoT comprises an ecosystem that includes things, communications, applications and data analysis.” Note the word ecosystem. This is key to understanding why obsessing over the definition is not helpful, particularly as a security decision-maker. The ecosystem of IoT has elements that already exist in the form of IT, operational technology (OT) and cyber-physical systems.

This is one reason for some people's confusion: when you think of IoT and focus on the “thing” or device, you miss the fact that all of the other elements of the ecosystem may be plain old IT, OT or cyber-physical systems.

But don't be deceived: just because there are familiar elements to secure, it doesn't always mean they are secured exactly as they were as standalone systems, especially when IoT devices are involved. To give them their due, devices do introduce some wild cards into the security poker deck.

To understand IoT and the role it plays in security, you must focus on the business outcomes of the project or program you're delivering. Think of these as the “outputs” or reasons why an industrial, business or personal process is performed.

You must truly understand the business reason for the IoT device's presence. If there is an unusual device and network that helps deliver the outcome, if the data generated or the application written is different from what you are accustomed because of the role this device must play in delivering the outcome, you've now begun to understand the IoT ecosystem difference.

From a security perspective, these are examples of concerns the presence of IoT in an initiative raises that may be different from your previous experiences:

  • Type of device: This has been the focus to date for IoT. The nature of the device, its construction, its power needs and processing capacity, whether it can be a trusted execution environment, whether it can have a security agent or hold a key, whether it is tamper-proof: these are all issues to consider;
  • Type of device firmware/software: Assuming there is processing capacity, whether the software follows secure design principles, whether it undergoes testing and certification to some industry standard, its relationship to a gateway (appliance, platform or cloud) are all security issues to be addressed;
  • Type of network: Contrary to popular belief, not every IoT device in the world will use WiFi. They may not even use the Internet Protocol (IP), though most will. Understanding how the device uses the network(s) and for what purpose, what type of network architecture, the nature of segmentation and isolation of multiple networks of IoT elements (device network, gateway network, cloud network, etc.) are all security concerns;
  • Nature of data flow: the type, volume, variety, velocity and variability of the data generated by the device and transmitted to the device, in addition to the normal considerations of data-at-rest and data-in-motion. IoT data security considerations will often be very dynamic and include data types not normally seen by IT but familiar to OT and cyber-physical systems, or vice versa;
  • Situational awareness of the elements as a whole: having discovery and visibility capabilities will be crucial, since many of these devices and networks may have different ways of communicating their presence and characteristics. Identifying a device and its associated attributes will be foundational (much as it is today) for security.
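As an added illustration of the situational-awareness point (this is example code written for this page, not code from the article or from Gartner), the Python below folds three constructed discovery records, each reported in a different format by a different hypothetical source, into one common device record per device, then checks each record against the concerns listed above: key storage and trusted execution capability, firmware version reporting, IP versus non-IP protocol, and network segment assignment. The source names, field names and the set of IP-based protocols are assumptions for the example.

```python
"""Normalise heterogeneous IoT discovery records into one inventory and flag
the device, firmware and network concerns discussed above.

Example code for this page; sources, fields and protocol list are assumed."""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: three discovery sources that each describe a
# device differently (JSON, key=value line, comma-separated export).
SAMPLE_RECORDS = [
    {"source": "ipscan",   # hypothetical IP network scanner
     "payload": '{"ip":"10.1.5.20","vendor":"Acme","fw":"2.3.1","proto":"mqtt","vlan":"iot-sensors"}'},
    {"source": "gateway",  # hypothetical serial/Modbus gateway log line
     "payload": "id=plc-07 bus=modbus-rtu fw=1.0 key_store=no tee=no seg=ot-floor2"},
    {"source": "ble",      # hypothetical Bluetooth LE gateway export
     "payload": "AA:BB:CC:DD:EE:01,tempsensor,fw=,key_store=yes,seg="},
]

# Assumed set of protocols we treat as IP-based for the network check.
IP_PROTOCOLS = {"mqtt", "coap", "http", "https", "modbus-tcp", "opc-ua"}


@dataclass
class Device:
    """Common attribute record every discovery source is normalised into."""
    device_id: str
    source: str
    kind: str = "unknown"
    protocol: str = "unknown"
    firmware: str = ""
    segment: str = ""
    key_store: Optional[bool] = None   # None means the source did not say
    tee: Optional[bool] = None         # trusted execution environment present?
    concerns: List[str] = field(default_factory=list)


def _yn(value: Optional[str]) -> Optional[bool]:
    """Map yes/no style strings to bool; empty or missing stays unknown."""
    if value in (None, ""):
        return None
    return value.lower() in ("yes", "true", "1")


def parse_record(rec: dict) -> Device:
    """Parse one raw discovery record according to the source that produced it."""
    src, payload = rec["source"], rec["payload"]
    if src == "ipscan":
        d = json.loads(payload)
        return Device(device_id=d["ip"], source=src, kind=d.get("vendor", "unknown"),
                      protocol=d.get("proto", "unknown"), firmware=d.get("fw", ""),
                      segment=d.get("vlan", ""))
    if src == "gateway":
        kv = dict(part.split("=", 1) for part in payload.split())
        return Device(device_id=kv["id"], source=src, protocol=kv.get("bus", "unknown"),
                      firmware=kv.get("fw", ""), segment=kv.get("seg", ""),
                      key_store=_yn(kv.get("key_store")), tee=_yn(kv.get("tee")))
    if src == "ble":
        mac, kind, *rest = payload.split(",")
        kv = dict(part.split("=", 1) for part in rest)
        return Device(device_id=mac, source=src, kind=kind, protocol="ble",
                      firmware=kv.get("fw", ""), segment=kv.get("seg", ""),
                      key_store=_yn(kv.get("key_store")))
    raise ValueError(f"unknown discovery source: {src}")


def assess(dev: Device) -> Device:
    """Attach the concerns from the list above that apply to this device."""
    c = dev.concerns
    if dev.key_store is False:
        c.append("device: cannot hold a key")
    elif dev.key_store is None:
        c.append("device: key storage capability unknown")
    if dev.tee is False:
        c.append("device: no trusted execution environment")
    if not dev.firmware:
        c.append("firmware: version not reported")
    if dev.protocol not in IP_PROTOCOLS:
        c.append(f"network: non-IP or unrecognised protocol '{dev.protocol}'")
    if not dev.segment:
        c.append("network: no segment assigned")
    return dev


def build_inventory(records: list) -> List[Device]:
    """Normalise and assess every discovery record into one inventory."""
    return [assess(parse_record(r)) for r in records]


if __name__ == "__main__":
    for dev in build_inventory(SAMPLE_RECORDS):
        print(f"{dev.device_id} ({dev.source}/{dev.protocol}): {dev.concerns or 'no concerns'}")
```

The point of the normaliser is the one the paragraph makes: the attributes that drive the security decision (can it hold a key, is it on an IP network, which segment is it in) only become comparable once every source, however it announces itself, is mapped onto the same record. A real inventory would add the data-flow attributes from the previous bullet and keep the unknowns visible rather than silently treating them as safe.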

There are certainly other concerns; these are just a few. There is no value any longer in obsessing about what IoT is and isn't, or whether this or that is an example of IoT. It's not about the device, the network or even the software. It's about the outcomes the business is trying to achieve. Stay focused on that and you can be more successful in securing IoT for your organisation.