If you research Internet of Things (IoT) security daily, as many in the analyst industry do, you keep reading articles that can be characterized as “admiring the problem”. This is serious. This is bad. Something needs to be done. We see in media reports, such as those on the Chrysler hack, early signs that something could indeed be bad and something indeed should be done. OK, enough already with admiring the problem. What CAN be done about securing the Internet of Things?
1- First, recognize that most of IoT security is IT security or OT (operational technology) security. Not all of it, but most of it. So before too much panic sets in, know that many of the practices, technologies and skills that have been developed over decades are still applicable to securing the IoT. In some business scenarios the scale and diversity of elements in the solution may be different from traditional IT, and in other scenarios you may be dealing with a different environment (such as a real-time, event-driven one), but the security functions required (and the controls to be applied) are much the same. It isn’t necessary to make ALL new things to secure it.
2- Recognize that there ARE some new things you will need for securing the IoT, and what you need depends upon the business scenario in which you are using IoT devices and functions. Think of a business process from end to end, or what I refer to as from core to edge (and back). In most scenarios, there will be three basic architectural areas. At the core will be the traditional elements of IT security for applications, data, platforms, networks, and even endpoints. At the “intermediary” point, in the middle where gateways and boundaries between traditional IT networks and IoT networks reside, will be a mixture of IT security capabilities and new IoT security capabilities for areas very similar to IT: applications, data, networks, platforms and endpoints. At the intermediary level you will find some new technology that may serve as an “IoT-to-IT” converter for security functions. This may sit within next-generation firewalls, specialized devices, or gateways designed for the industry or edge devices used. Finally, there is the edge layer, where you find most of the devices identified with the IoT, from sensors to actuators to combinations of those items plus a platform to run some functions in software. Once more, it depends on the business scenario you are implementing, whether you’re monitoring environments in office buildings or handling driverless vehicles in mining pits. What is common among all of them from a security perspective is that you must use principles of risk and feasibility to determine where you will or should apply security controls in what may be a complex implementation. Again, it depends.
3- Plan on more than one player to deliver an IoT security solution for the business scenario. You may actually use several providers for the delivery of effective security, ranging from cloud access security brokers to secure segmentation services, from encryption to scalable key management. Your IoT network may ‘talk’ directly to a cloud service, so you may be working with several solutions and/or providers in the intermediary level of your architecture to assure that the communications are secure and the integrity of the IoT data is intact. Remember: some business scenarios may involve levels of industrial or commercial engineering, so you cannot think entirely like an IT security person; you must think like an IT/OT engineering person. Don’t fall into the trap of believing that the only way we can deliver solutions for a business scenario is to do it using IT formats and protocols. Just because you have a hammer, everything is NOT a nail. There will be some compromises about how ‘low-intelligence’ IoT devices work. Follow the intelligence within an edge-to-core business scenario. It will provide insight, from a risk and feasibility perspective, into where you can reliably deploy the kind of security controls that are necessary.
4- Be prepared to customize a solution for a security product or service that does not yet exist. This means that if your risk assessment leads you to believe that there are critical points at the edge level or intermediary level that need to have security controls applied and you cannot find a vendor or service provider to deliver the ability to deploy, monitor and/or enforce those controls, you may need to get creative. When you reach that point, ensure that you research the markets well enough to know the difference between a developer/integrator that can create secure environments vs. one that knows how to code but can’t secure code, data or infrastructure if their lives depended on it. It will involve doing your homework well and consulting several sources before you make a final decision.
Securing the Internet of Things IS possible, but during this first generation of IoT security you must expect to have missteps and learning moments. We believe that this market will assume better definition and have clearer distinctions from IT and OT security within the next two years, but in the meantime expect IoT security to look much like IT security plus some unusual or unique additions. Keep in mind the simple architectural levels I outlined above, and make decisions about risk and feasibility based not only upon the availability of solutions for those levels but also upon the seams between them. As IT security practitioners, be prepared to meet and work closely with your engineering counterparts in industry who have dealt with OT systems, systems that look very much like the technology in IoT scenarios being deployed today. This will become more frequent as time goes on. Don’t despair: it is getting better daily and there ARE ways to secure your IoT-infused business scenarios.
It’s time to stop admiring the problem and get to work.