Among Gartner clients we are now beginning to see IoT “definition fatigue” set in as the glitz and excitement surrounding the concept settles into the hard business light of day.
The “discovery” of what a pervasive digital presence does to an industrial, commercial or consumer environment is now clothed in thousands of different examples that leave some people scratching their heads and saying “is that what they call the Internet of Things, or is it something else?”. Let me answer that for you: forget about it.
Labeling something “IoT” for whatever reason isn’t as important as we’re making it out to be. What is important is that you have recognised something is happening that may not be within your current frame of experience and therefore may not entirely know how to secure it.
Besides, the IoT term never was useful in getting across its real value to business or personal outcomes, something a good definition does. This pervasive digital presence is there to deliver specific industrial and commercial business outcomes, or to deliver specific social or personal outcomes.
We engage in IoT because we want to “do something” new or better, whether it is to have unprecedented visibility into a process within a physical system that is equipped with a rich sensor network or to be able to remotely make fine-tuned changes to the operation of a machine or device that makes physical things really happen, like autonomous automobiles, power plants or home security systems. One great irony is that the IoT as a concept is not new at all– that was why I said “discovery” above with quotes.
Industrial automation and control engineers were shaking their head and laughing about all of the fuss when IoT broke into our business consciousness and discussions because they’ve done a form of IoT since the steam engine and telegraph. The engineering community as a whole is familiar with IoT concepts and have been for some time.
Commercial and consumer verticals are now using sensors and actuators in large quantities on wireless networks and believe they’ve discovered the Next New Thing when they’ve really just gone Back to the Future.
Gartner’s definition of an IoT device is “the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment.
The IoT comprises an ecosystem that includes things, communications, applications and data analysis.” Note the word ecosystem. This is key to understanding why obsessing over the definition is not helpful, particularly as a security decision-maker. The ecosystem of IoT has elements that already exist in the form of IT, operational technology (OT) and cyber-physical systems.
This is one reason for some people’s confusion: when you think of IoT and focus on the “thing” or device, you miss the fact that all of the other elements of the ecosystem may be plain old IT, OT or cyber-physical systems.
But don’t be deceived– just because there are familiar elements to secure, it doesn’t always mean they are secured exactly as they were as standalone systems, especially when IoT devices are involved. To give them their due, devices do introduce some wild cards into the security poker deck.
To understand IoT and the role it plays in security, you must focus on the business outcomes of the project or program you’re delivering. Think of these as the “outputs” or reasons why an industrial, business or personal process is performed.
You must truly understand the business reason for the IoT device’s presence. If there is an unusual device and network that helps deliver the outcome, if the data generated or the application written is different from what you are accustomed because of the role this device must play in delivering the outcome, you’ve now begun to understand the IoT ecosystem difference.
From a security perspective, these are examples of concerns the presence of IoT in an initiative raises that may be different from your previous experiences:
There are certainly other concerns, but these are just a few. There is no value any longer in obsessing about what IoT is an isn’t, whether this is an example or that is an example of IoT. It’s not about the device, the network or even the software. It’s about the outcomes the business is trying to achieve. Stay focused on that and you can be more successful in securing IoT for your organisation.
Article by Earl Perkins, Gartner Research VP.