Internet of Things (IoT) is the term du jour. As adoption increases, the natural question becomes: how has it been secured? To understand an effective security strategy for IoT, we first need to understand where the value from IoT is generated.
The ability to use data, collected from a variety of locations and sources, to drive decision making is a key asset of the IoT and one that will help organizations to reap the financial benefits it promises.
Whether pulling information from sensors on an oil rig in the middle of the ocean or accessing extremely time-sensitive data created by machines on manufacturing floors, it’s the ability to respond strategically, supported by data-driven decisions in the moment, that creates real value.
When we see opportunity for value creation, we know two behaviors are destined to follow.
First, businesses will attempt to capture that value through individuals innovating, solving problems for customers and otherwise improving profitability and/or capabilities.
Secondly, so will criminals. If you want to see how aggressively criminals chase value, look at some of our reporting on the targeted bitcoin phishing campaigns. What is clear is that cybersecurity is set to be the issue that slows businesses down in capturing the value made possible by IoT.
“An IoT system will only be as secure as the most insecure component in the system.”
This statement is made repeatedly by security purists and is focused on the wrong goal. The goal is not to be secure.
The goal is to be resilient. It is true that a critical vulnerability in a solution can certainly change the security posture of the organization using it.
However, once we accept that a single insecurity in a component of a system is possible – and maybe likely, depending on the device – it can be addressed by understanding the system-wide security posture and how vulnerability is handled.
Which systems are built with fundamental security (i.e. secure development lifecycles, secure boot, image signing, and runtime protections) and which are not? Which are actively managed and quickly patched, and which are not?
What threats will the system face throughout its lifecycle? What environmental threats will it face?
For example, a connected home will face different threats than a nuclear power plant. All of these factors contribute to a strategy for both IoT resilience and resilience in the value created by IoT.
Since the IoT is so data-driven, how that data is protected, and its associated privacy, also play a critical part in the discussion.
It’s important that products and solutions are designed in a way that properly handles data security and privacy throughout the whole solution – from source (sensors) to processors to consumers of that data (a machine or person).
Security and privacy should not be bolted on as an afterthought in IoT, but built in from the beginning.
Intuitively, the mantra becomes: “security for IoT isn’t just about the thing. Security of IoT is about the whole system.”