
Existing security best-practice can handle IoT exposures? Not really

12 Apr 2016

Article by Earl Perkins, Gartner research VP

A recent news article, from both a well-respected news source and a vendor, outlined their assurance that IoT security exposures could be taken care of with existing IT-centric security practices, as long as they were implemented in a highly effective manner. I regret to say I must disagree.

IoT security is a function of two primary dimensions. The software, data-centric dimension is an IT view of IoT, where traditional IT building blocks such as networks, platforms, applications and data can be protected via best-practice security in access, data protection, vulnerability management and so on. The physical dimension is an engineering view of IoT, where devices, machines, systems and so on are built to automate processes that ultimately make physical changes within themselves or their environment.

This is where the software world of IoT interacts and integrates with the physical world and shares software’s ‘digital flexibility’ to make those processes more efficient or to expand the physical capabilities of such systems.

Securing IoT means securing devices and the underlying digital and physical dimensions in which they work. Yes, you can provide best-practice IT security for those data-centric functions of the IoT software, when what you’re primarily interested in is the flow of data from IoT devices into an IT-dominated world of analytical engines, data repositories and decision support systems.

Some of that IT security also works in the engineering world, in that part of engineering that has embraced and adapted IT infrastructure and services for engineering purposes, such as SCADA management systems. However, once you begin to secure data that is flowing to devices from those analytic and support tools for the express purpose of having engineered systems change pressure, raise temperature, adjust regulators and perform other physical activities, some of the best-practice IT security tools won’t work, or won’t work as they are.

You will require different approaches or distinctly modified approaches to incident detection and response, to access, to even the discovery and provisioning of devices and their supporting infrastructure. The industrial automation and control (or as we refer to it, the operational technology [OT]) environment is an example of where traditional best-practice security must be modified and extended to be effective.

In fairness to the writers, I would guesstimate that up to 80% of our IT-centric security practices will work just fine and continue to provide effective protection in an IoT world, because the vast amount of valued assets from IoT will reside within the areas I refer to as “north of the gateway”, where IoT data transitions from a potentially unique environment to a traditional IT environment, with cloud services, servers and IP-based networks.

Value that lies “south of the gateway” will constitute 20% of security practices that will require a significantly modified form of IT security or even new security tools. Think of these as being varied in three significant ways: scale, diversity and function. If the scale of the IoT indeed reaches tens of millions of devices for some projects, we’ll need security tools that can handle that scale. With IoT come new players, new platforms, new software types, even new protocols.

The diversity of that environment may require some unique security features that will initially be customised. Many IoT devices will be fit-for-purpose functional units that bear more resemblance to a piece of machinery than a processor, so depending upon what a device’s function is, it may require a unique approach to access, data protection or any of the other security mechanisms we use.

Don’t stop working on your best practices for IT security – you’ll need them. But at the same time, don’t fall into the trap of thinking when you have a hammer, everything looks like a nail. Note that IoT represents a technological and cultural convergence of engineering and software on a digitally pervasive scale. You’ll need to reconsider some of those practices to make IoT truly secure.
