Existing security best-practice can handle IoT exposures? Not really

12 Apr 16

Article by Earl Perkins, Gartner research VP

A recent news article from both a well-respected news source and vendor outlined their assurance that IoT security exposures could be taken care of with existing IT-centric security practices, as long as they were implemented in a highly effective manner. I regret to say I must disagree.

IoT security is a function of two primary dimensions. The software, data-centric dimension is an IT view of IoT, where traditional IT building blocks such as networks, platforms, applications and data can be protected via best-practice security in access, data protection, vulnerability management and so on. The physical dimension is an engineering view of IoT, where devices, machines, systems and so on are built to automate processes that ultimately make physical changes within themselves or their environment.

This is where the software world of IoT interacts and integrates with the physical world and shares software’s ‘digital flexibility’ to make those processes more efficient or to expand the physical capabilities of such systems.

Securing IoT means securing devices and the underlying digital and physical dimensions in which they work. Yes, you can provide best-practice IT security for those data-centric functions of the IoT software, when what you’re primarily interested in is the flow of data from IoT devices into an IT-dominated world of analytical engines, data repositories and decision support systems.

Some of that IT security works in the engineering world as well, in that part of engineering that has embraced and adapted IT infrastructure and services for engineering purposes, such as SCADA management systems. However, once you begin to secure data that is flowing to devices from those analytic and support tools for the express purpose of having engineered systems change pressure, raise temperature, adjust regulators and perform other physical activities, some of the best-practice IT security tools won’t work, or won’t work as they are.

You will require different approaches or distinctly modified approaches to incident detection and response, to access, to even the discovery and provisioning of devices and their supporting infrastructure. The industrial automation and control (or as we refer to it, the operational technology [OT]) environment is an example of where traditional best-practice security must be modified and extended to be effective.

In fairness to the writers, I would guesstimate that up to 80% of our IT-centric security practices will work just fine and continue to provide effective protection in an IoT world, because the vast amount of valued assets from IoT will reside within the areas I refer to as “north of the gateway”, where IoT data transitions from a potentially unique environment to a traditional IT environment, with cloud services, servers and IP-based networks.

Value that lies “south of the gateway” will constitute 20% of security practices that will require a significantly modified form of IT security or even new security tools. Think of these as being varied in three significant ways: scale, diversity and function. If the scale of the IoT indeed reaches tens of millions of devices for some projects, we’ll need security tools that can handle that scale. With IoT come new players, new platforms, new software types, even new protocols.

The diversity of that environment may require some unique security features that will initially be customised. Many IoT devices will be fit-for-purpose functional units that bear more resemblance to a piece of machinery than a processor, so depending upon what its function is, a device may require a unique approach to access, data protection or any of the other security mechanisms we use.

Don’t stop working on your best practices for IT security – you’ll need them. But at the same time, don’t fall into the trap of thinking that when you have a hammer, everything looks like a nail. Note that IoT represents a technological and cultural convergence of engineering and software on a digitally pervasive scale. You’ll need to reconsider some of those practices to make IoT truly secure.
