Blog post

Getting Past the Word Games to Secure the Internet of Things

By Earl Perkins | March 05, 2014 | 4 Comments

Tags: Security, Operational Technology, Internet of Things, OT Security

One of the things that I enjoy about working at Gartner is the ability to participate with clients and providers in industry, government, commercial, consumer and other sources in more precisely defining key terms and phrases resonating in the markets. In some cases, terms may come from sources outside of markets, but most of the time terms that later go on to be ‘famous’ get their start in marketing, for better or worse. Take for example the Internet of Things, or IoT. There is debate on its origin, but I have seen references to the term or ones similar to it dating from the 1990s, and ironically not from marketing. IoT is OK as a term, but it is awkward to continue to refer to “things” in your writing, so what will likely occur is a move to “objects”, “entities”, “identities” or “elements” when seeking precision in writing about what the “thing” really is in the IoT. From a security perspective (which is what I will endeavor to focus on), I’m more likely to write about securing the Internet of Things, but then refer to securing “objects” henceforth rather than “things”. This seems trivial, but adopting some basic rules in the way we express the terms is, I believe, important to ultimately understanding this industry movement.

The next issue then arises as to the actual definition of the IoT. At present, it is an embracing term that Gartner defines as “the network of physical objects that contains embedded technology to communicate and sense or interact with the objects’ internal state or the external environment.” The key words in this definition are network, physical, embedded, communicate, sense, and state. Strictly speaking, the IoT doesn’t have to be the global Internet; it can be an internet or a private network. The objects in the IoT may also be passive in that they are simply tags, and what they communicate is an identity, like a bar code or RFID tag, for example. Even with this definition, the potential for defining objects that we interact with every day is profound, and I believe that’s one reason why many feel intuitively that this is something big, something disruptive, an inflection point in the way we view computing and networking. From a security perspective, a draft definition for IoT security can be “governance, practices, technologies and services used to secure the networks and objects that make up the Internet of Things.” To make matters more complex, an object itself can be a collection of other objects or individual elements, so securing the object means potentially securing the software, firmware and hardware of each as a single unit. You can see how interesting securing the IoT can become.

The concept of the IoT isn’t new at all. If you ask many engineers and technicians in industrial enterprises today, they will tell you that they have been dealing with devices and embedded technologies as defined here for decades. They can tell you about sensors that detect heat, pressure, temperature and other state changes, sensors that have been embedded in physical equipment that signal back their results over a network so that another device or system with processing capacity can analyze and make yet other changes in state (“lower the temperature”, “reduce the pressure”) for the environment where the sensors reside. RFID tags have been identifying millions of manufacturing components for years to systems that track them. The objects of the IoT have been available for some time. But the recent advances in some of the technology platforms and software have begun to move much of the ‘industrial’ IoT technologies into the mainstream, into commercial and even consumer spaces. The sheer level of innovation in combining the objects of the IoT into value delivery scenarios is mounting. Creative entrepreneurs are providing industry, business and the consumer with scenarios almost daily, some that will be destined to disrupt existing markets forever.

This leads me back to the security question – where does that leave those accountable for security and risk within their enterprise when it comes to understanding, embracing and managing this new world? The question is valid, but unless your enterprise is actually engaged in manufacturing objects of the IoT or delivering services for the IoT, the impact of the IoT in the short term is likely to look more like your current concerns around BYOD (where ‘device’ takes on a new meaning) and mobile security needs. Think about it – most smartphones today have several sensors within, each contributing to the human experience with the phone. In essence, you’re holding an object of the IoT in your hand today.

Another area, however, where securing the IoT takes on present-day urgency is in operational technology, or OT. That’s another term whose definition I will explore in a later blog, but for now, consider the industry terms associated with OT, such as industrial control, industrial automation and process control. OT was part of the IoT before it was cool to be, and objects of the IoT exist everywhere in oil and gas, utility, manufacturing, transportation, health care – practically any industry where there are industrial-grade concerns not handled by general-purpose computer systems and networks. The industrial IoT itself is undergoing updating and upgrading, so many of the same technologies you will find in commercial and consumer markets for the IoT – sensors, embedded systems, machine-to-machine (M2M) communications, RFID tags – already exist in OT. A strategy for securing infrastructures that use such systems to create changes of state is now one of the top concerns facing security and risk planners in enterprises today. What changes will traditional IT security undergo to embrace OT security? That too will be one of our next topics.

  • Nice piece, thanks Earl. Looking forward to the follow-ons. It’s been interesting working at the intersection of security, mobility and the IoT.
    A lot of folks working in the embedded space still put a lot of faith in “air gaps” – this idea that their networks of IoT/OT devices are separated from the rest of the Internet; therefore, they don’t need to bother with encryption or authentication. But as we’ve seen over and over again, networks that admins thought were physically isolated rarely are, and usually contain lots of “dark connections” to the outside world. Target was a great example, where credentials used to control an HVAC system were used to access POS records.

    -Kurt Stammberger, CISSP

  • Earl Perkins says:

    I agree, Kurt. The air gap remains a design feature in both networks and systems, but it is increasingly under assault by what amounts to either bad design or bad practices in security – or both. It also points out the ‘kinetic’ or physical aspect to security that has to be considered along with logical security concerns. We’ll talk about this in future postings, but it is indeed the intersection to which you refer.

  • Glad to see you writing on the space. Looking forward to more insights on securing IoT. We see security and privacy as major derailment factors for IoT, along with standardization at the gateway. Fortunately the wave has started and even these factors won’t stop it for long. Keep the analysis coming.