Gartner Blog Network


What HAVEN’T We Said About IoT Security So Far?

by Earl Perkins  |  August 10, 2015  |  4 Comments

If you research Internet of Things (IoT) security daily like many in the analyst industry are doing, you keep reading articles that can be characterized as “admiring the problem”. This is serious. This is bad. Something needs to be done. We see in media reports such as the Chrysler hack early signs that something could indeed be bad and something indeed should be done. OK, enough already with admiring the problem. What CAN be done about securing the Internet of Things?

1- First, recognize that most of IoT security is IT security or OT (operational technology) security. Not all of it, but most of it. So before too much panic sets in, know that many of the practices, technologies and skills that have been developed over decades are still applicable to securing the IoT. In some business scenarios the scale and diversity of elements in the solution may be different from traditional IT and in yet other scenarios you may be dealing with a different environment (such as a real-time event-drive one), but the security functions required (and the controls to be applied) are much the same. It isn’t necessary to make ALL new things to secure it.
2- Recognize that there ARE some new things you will need for securing the IoT– and what you need depends upon the business scenario in which you are using IoT devices and functions. Think of a business process from end-to-end, or what I refer to as from core to edge (and back). In most scenarios, there will be three basic architectural areas. At the core will be the traditional elements of IT security for applications, data, platforms, networks, and even endpoints. At the “intermediary” point, or in the middle where gateways and boundaries between traditional IT networks and IoT networks reside will be a mixture of IT security capabilities and new IoT security capabilities for areas very similar to IT: applications, data, networks, platforms and endpoints. At the intermediary level you will find some new technology that may serve as an “IoT-to-IT” converter for security functions. This may be within next generation firewalls, specialized devices or gateways designed for the industry or edge devices used. Finally, there is the edge layer where you find most of the devices identified with the IoT, from sensors to actuators to combinations of those items plus a platform to run some functions in software. It depends once more on what the business scenario is you’re implementing, whether you’re monitoring environments in office buildings or handling driverless vehicles in mining pits. What is common among all of them from a security perspective is that you must use principles of risk and feasibility to determine where you will or should apply security controls in what may be a complex implementation. Again, it depends.
3- Plan on more than one player to deliver an IoT security solution for the business scenario. You may actually use several providers for the delivery of effective security, ranging from cloud security access brokers to secure segmentation services, from encryption to scalable key management. Your IoT network may ‘talk’ directly to a cloud service, so you may be working with several solutions and/or providers in the intermediary level of your architecture to assure that the communications is secure and the data integrity from IoT data is intact. Remember: some of the business scenarios may involve levels of industrial or commercial engineering in their business scenarios, so you cannot think entirely like an IT security person, but as an IT/OT engineering person. Don’t fall into the trap of believing that the only way we can deliver solutions for a business scenario is to do it using IT formats and protocols– just because you have a hammer everything is NOT a nail. There will be some compromises about how ‘low-intelligence’ IoT devices work. Follow the intelligence within an edge-to-core business scenario. It will provide insight from a risk and feasibility perspective where you can reliably deploy the kind of security controls that are necessary.
4- Be prepared to customize a solution for a security product or service that does not yet exist. This means that if your risk assessment leads you to believe that there are critical points at the edge level or intermediary level that need to have security controls applied and you cannot find a vendor or service provider to deliver the ability to deploy, monitor and/or enforce those controls, you may need to get creative. When you reach that point, ensure that you research the markets well enough to know the difference between a developer/integrator that can create secure environments vs. one that knows how to code but can’t secure code, data or infrastructure if their lives depended on it. It will involve doing your homework well and consulting several sources before you make a final decision.

Securing the Internet of Things IS possible, but during this first generation of IoT security you must expect to have missteps and learning moments. We believe that this market will assume better definition and have clearer distinctions from IT and OT security within the next two years, but in the meantime expect IoT security to look much like IT security plus some unusual or unique additions. Keep in mind the simple architectural levels I outlined above and make decisions about risk and feasibility based upon not only the available of solutions for those levels but the seams between them. As IT security practitioners, be prepared to meet and work closely with your engineering counterparts in industry that have dealt with OT systems, systems that look very much like the technology in IoT scenarios being deployed today. This will become more frequent as time goes on. Don’t despair– it is getting better daily and there ARE ways to secure your IoT-infused business scenarios.

It’s time to stop admiring the problem and get to work.

Category: cybersecurity  industrial-automation-and-control-systems  industrial-control-systems  internet-of-things  ot-security  security  

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management… Read Full Bio


Thoughts on What HAVEN’T We Said About IoT Security So Far?


  1. dave says:

    very interesting article.
    In relation to this are you aware of a small
    British company called cryptosoft ?
    They believe they have a major solution to
    security problems.

  2. Earl Perkins says:

    Yes, we at Gartner have spoken with Cryptosoft. They and a number of other providers have some solutions to some of the concerns for IoT security. Of course, there is no one single provider with a definitive answer for IoT security at this stage, and there is unlikely to be.

  3. Ragnar Schierholz says:

    Interesting view. I really like the expression “admire the problem” – spot on.

    However, I would reverse your mapping of core to edge. I would see the instruments (sensors and actuators) at the field level of an automation system at the core. Then – layer after layer – higher level functionality (automation and security) is added. The systems at the higher level, further towards the edge, provide a bigger picture. Eventually, we find the business process. And already today, we find business processes of cooperating enterprises begin connected across the enterprise boundary (a boundary is conceptually very similar to an edge, isn’t it?). On the other side of that boundary, a similar stack exists, down to the core of that enterprise. And in the IoT future, that connectivity will be able to reach further into the core of the participating enterprises and thus the cooperation can become automated and coordinated at a much more granular level – at the core.

  4. Earl Perkins says:

    Your view is valid– it simply highlights my point of context (i.e. “when you have a hammer everything looks like a nail”). Depending upon where the expertise you possess is and the view you have about your automation or technology support, it can be considered as core or edge. They are only words. The point I was attempting to make is that we are moving (with the Internet of Things) from a monolithic view of general purpose systems that can run many types of applications and possess plenty of processing, memory and storage to a more distributed view where such functions can be aggregated as needed in quantities that are ‘fit for purpose’– your device has just enough processing, or just enough memory, etc. to perform its specific functions– and no more. These specialty devices change the complexion of security requirements. I used the term ‘core’ to be equivalent to ‘monolithic’ and to reflect not being directly involved with state changes in the physical world, as devices at the ‘edge’ may be. While a data center system may be indirectly involved with redirecting power or increasing pressure in water pumps, the devices that are directly attached to those systems make the final journey from a digital (or even analog) signal to physical action. That is how I intended the concept of ‘edge’ to be considered.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.