Existing Security Best-Practice Can Handle IoT Exposures?? Not Really
by Earl Perkins | April 8, 2016
A recent news article from both a well-respected news source and a vendor outlined their assurance that IoT security exposures could be taken care of with existing IT-centric security practices, as long as they were implemented in a highly effective manner. I regret to say I must disagree.
IoT security is a function of two primary dimensions. The software, data-centric dimension is an IT view of IoT, where traditional IT building blocks such as networks, platforms, applications and data can be protected via best-practice security in access, data protection, vulnerability management and so on. The physical dimension is an engineering view of IoT, where devices, machines, systems and so on are built to automate processes that ultimately make physical changes within themselves or their environment. This is where the software world of IoT interacts and integrates with the physical world and shares software’s ‘digital flexibility’ to make those processes more efficient or to expand the physical capabilities of such systems.
Securing IoT means securing devices and the underlying digital and physical dimensions in which they work. Yes, you can provide best-practice IT security for the data-centric functions of IoT software, when what you’re primarily interested in is the flow of data from IoT devices into an IT-dominated world of analytical engines, data repositories and decision support systems. Some of that IT security also works in the engineering world, in that part of engineering that has embraced and adapted IT infrastructure and services for engineering purposes, such as SCADA management systems. However, once you begin to secure data that is flowing to devices from those analytic and support tools for the express purpose of having engineered systems change pressure, raise temperature, adjust regulators and perform other physical activities, some of the best-practice IT security tools won’t work, or won’t work as they are. You will require different or distinctly modified approaches to incident detection and response, to access, and even to the discovery and provisioning of devices and their supporting infrastructure. The industrial automation and control environment (or, as we refer to it, the operational technology [OT] environment) is an example of where traditional best-practice security must be modified and extended to be effective.
In fairness to the writers, I would guesstimate that up to 80% of our IT-centric security practices will work just fine and continue to provide effective protection in an IoT world, because the vast amount of valued assets from IoT will reside within the areas I refer to as “north of the gateway”, where IoT data transitions from a potentially unique environment to a traditional IT environment, with cloud services, servers and IP-based networks. Value that lies “south of the gateway” will constitute 20% of security practices that will require a significantly modified form of IT security or even new security tools. Think of these as being varied in three significant ways: scale, diversity and function. If the scale of the IoT indeed reaches tens of millions of devices for some projects, we’ll need security tools that can handle that scale. With IoT come new players, new platforms, new software types, even new protocols. The diversity of that environment may require some unique security features that will initially be customized. Many IoT devices will be fit-for-purpose functional units that bear more resemblance to a piece of machinery than a processor, so depending upon its function, a device may require a unique approach to access, data protection or any of the other security mechanisms we use.
Don’t stop working on your best practices for IT security; you’ll need them. But at the same time, don’t fall into the trap of thinking that when you have a hammer, everything looks like a nail. Note that IoT represents a technological and cultural convergence of engineering and software on a digitally pervasive scale. You’ll need to reconsider some of those practices to make IoT truly secure.