
It’s time to move on from “what is the Internet of Things” discussion if you want to secure it

13 Oct 16

Among Gartner clients we are now beginning to see IoT “definition fatigue” set in as the glitz and excitement surrounding the concept settles into the hard business light of day.

The “discovery” of what a pervasive digital presence does to an industrial, commercial or consumer environment is now clothed in thousands of different examples that leave some people scratching their heads and saying “is that what they call the Internet of Things, or is it something else?”. Let me answer that for you: forget about it.

Labeling something “IoT” for whatever reason isn’t as important as we’re making it out to be. What is important is that you have recognised something is happening that may not be within your current frame of experience, and that you therefore may not entirely know how to secure it.

Besides, the IoT term never was useful in getting across its real value to business or personal outcomes, something a good definition does. This pervasive digital presence is there to deliver specific industrial and commercial business outcomes, or to deliver specific social or personal outcomes.

We engage in IoT because we want to “do something” new or better, whether it is to have unprecedented visibility into a process within a physical system that is equipped with a rich sensor network or to be able to remotely make fine-tuned changes to the operation of a machine or device that makes physical things really happen, like autonomous automobiles, power plants or home security systems. One great irony is that the IoT as a concept is not new at all – that was why I said “discovery” above with quotes.

Industrial automation and control engineers were shaking their heads and laughing about all of the fuss when IoT broke into our business consciousness and discussions because they’ve done a form of IoT since the steam engine and telegraph. The engineering community as a whole is familiar with IoT concepts and has been for some time.

Commercial and consumer verticals are now using sensors and actuators in large quantities on wireless networks and believe they’ve discovered the Next New Thing when they’ve really just gone Back to the Future.

Gartner’s definition of an IoT device is “the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment. The IoT comprises an ecosystem that includes things, communications, applications and data analysis.”

Note the word ecosystem. This is key to understanding why obsessing over the definition is not helpful, particularly as a security decision-maker. The ecosystem of IoT has elements that already exist in the form of IT, operational technology (OT) and cyber-physical systems.

This is one reason for some people’s confusion: when you think of IoT and focus on the “thing” or device, you miss the fact that all of the other elements of the ecosystem may be plain old IT, OT or cyber-physical systems.

But don’t be deceived – just because there are familiar elements to secure, it doesn’t always mean they are secured exactly as they were as standalone systems, especially when IoT devices are involved. To give them their due, devices do introduce some wild cards into the security poker deck.

To understand IoT and the role it plays in security, you must focus on the business outcomes of the project or program you’re delivering. Think of these as the “outputs” or reasons why an industrial, business or personal process is performed.

You must truly understand the business reason for the IoT device’s presence. If there is an unusual device and network that helps deliver the outcome, if the data generated or the application written is different from what you are accustomed to because of the role this device must play in delivering the outcome, you’ve now begun to understand the IoT ecosystem difference.

From a security perspective, these are examples of concerns the presence of IoT in an initiative raises that may be different from your previous experiences:

  • Type of device: This has been the focus to date for IoT. The nature of the device, its construction, its power needs and processing capacity, whether it can be a trusted execution environment, whether it can have a security agent or hold a key, whether it is tamper-proof – these are all issues to consider;
  • Type of device firmware/software: Assuming there is processing capacity, whether the software follows secure design principles, whether it undergoes testing and certification to some industry standard, its relationship to a gateway (appliance, platform or cloud) are all security issues to be addressed;
  • Type of network: Contrary to popular belief, not every IoT device in the world will use WiFi. They may not even use the Internet Protocol (IP), though most will. Understanding how the device uses the network(s) and for what purpose, what type of network architecture, the nature of segmentation and isolation of multiple networks of IoT elements (device network, gateway network, cloud network, etc.) are all security concerns;
  • Nature of data flow: type, volume, variety, velocity, variability of the data generated by the device and transmitted to the device in addition to the normal considerations of data-at-rest, data-in-motion. IoT data security considerations will often be very dynamic and include data types not normally seen by IT, but OT and cyber-physical — or vice versa;
  • Situational awareness of the elements as a whole: having discovery and visibility capabilities will be crucial, since many of these devices and networks may have different ways of communicating their presence and characteristics. Identifying a device and its associated attributes will be foundational (much as it is today) for security.

There are certainly other concerns, but these are just a few. There is no value any longer in obsessing about what IoT is and isn’t, whether this is an example or that is an example of IoT. It’s not about the device, the network or even the software. It’s about the outcomes the business is trying to achieve. Stay focused on that and you can be more successful in securing IoT for your organisation.

Article by Earl Perkins, Gartner Research VP.
