On July 5, 2016 I gave a Gartner webinar entitled “Practical Steps to Manage Risk and Security in the Internet of Things” (this webinar can be viewed and listened to at http://www.gartner.com/webinar/3337817 if you are interested). At the end of the webinar, time is allotted to take questions from the listening audience. There always seem to be more questions than time allows us to answer, so I got the idea of using this blog posting to address those questions I could not answer after the session. I hope this may be useful to all readers, but certainly to those who attended. Listed below you will find each question and my accompanying answer.
1- What will be the role of people in IoT security?
The role of people in IoT security will be much the same as their role today in IT, OT and physical security. For those charged with the formal responsibility of securing organizations that use IoT devices, it will mean providing the necessary prioritization of goals for IoT security. Where should we focus our funds for fundamental security practice? What are our goals? Should we expand our own role of ensuring confidentiality, integrity and availability of information to also include providing for the safety of people and environments as well as the reliability and availability of digital systems? (Hint: yes.) As a consumer of services created by using IoT devices, demonstrating ethical uses of devices and their data, ensuring their protection from tampering or counterfeiting and accounting for the privacy of IoT data will be paramount. There is plenty for people to do.
2- Communication security plays an important role in IoT security. Do the present encryption techniques work well for IoT? Or should there be some other techniques to provide communication data security?
For me, the answers are “yes” and “yes”. There are IoT security scenarios where we see traditional forms of encryption working ably with IoT-centric projects. However, as the scale, diversity, function and data flow of these devices change and expand according to the mission, it may tax current means of providing effective encryption management. The differing ages of systems in industrial implementations already tax traditional means of assigning certificates for specific periods of time, and that will only become more evident as IoT programs mature. There are some interesting alternatives already being tested. One encryption size won’t fit all IoT scenarios any time soon.
3- For a traditional manufacturer that moves physical goods, what is your recommendation as the step one to act?
The first step is always to know what you are already using in the form of digital support for the movement of your goods. What support systems are in place? What are they based on (e.g., RFID tags)? What software is used to track them? What is the process itself, and where do the digital capabilities interact? This is your baseline. I would guess from the question itself that the items aren’t IoT devices, but I will guess that you are contemplating the use of IoT devices in some capacity to aid in making the supply chain effort more efficient or to change the process itself for new business opportunity. If that is the case, assessing the impact of such an introduction would be a logical next step. Along with that impact would be a security assessment of what the introduction of devices may do to the supply chain flow, both positive and negative. This can be determined through an analysis of the devices, the data flows generated by them or to them, and the platforms (including code) that will be used to support them. At that point we can begin to apply some security principles related to access, network segmentation, data protection, etc., but only once we have assessed the impact.
4- How are you handling security on non-secure devices, since 2-factor authentication is not happening on IoT devices?
This is a good question. When you have class 1 devices that may not even have the capacity to hold a credential, you must have some form of ‘compensating control’ to provide equivalent protection to the degree possible. The role of the IoT security gateway is to provide some of that compensating control by serving as a form of ‘proxy’ to the device. When there is a requirement to provide secure authentication between a class 1 IoT device and some application or service, the gateway would perform that authentication. The network between the gateway and the IoT device could be segmented or isolated as part of a high-security ‘trust zone’ as part of the compensation. All of this depends upon the level of risk you’re willing to accept and of course the cost of providing this type of control.
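The gateway-as-proxy pattern described above, as an added example that is not from the webinar or the post: the class 1 device holds no credential, so the gateway only accepts its messages from the isolated trust-zone segment (an assumed 10.42.0.0/24) and then authenticates the message toward the application with the gateway's own key. The network, device names and key are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Assumed trust zone: the isolated segment the class 1 devices live in.
# Devices there hold no credential; the gateway vouches for them instead.
DEVICE_TRUST_ZONE = ipaddress.ip_network("10.42.0.0/24")

# Constructed gateway credential (in practice kept in a secure element or HSM).
GATEWAY_ID = "gw-01"
GATEWAY_KEY = b"constructed-gateway-key-for-illustration-only"

# Constructed allowlist of devices the gateway is willing to proxy for.
KNOWN_DEVICES = {"10.42.0.17": "sensor-17", "10.42.0.18": "sensor-18"}


def gateway_forward(src_ip: str, payload: dict, key: bytes = GATEWAY_KEY,
                    now: Optional[int] = None) -> Optional[dict]:
    """Compensating control: drop anything that is not a known device inside
    the trust zone, then sign the envelope so the application can trust it."""
    addr = ipaddress.ip_address(src_ip)
    if addr not in DEVICE_TRUST_ZONE or src_ip not in KNOWN_DEVICES:
        return None  # outside the isolated segment: the gateway will not vouch for it
    envelope = {
        "gateway": GATEWAY_ID,
        "device": KNOWN_DEVICES[src_ip],
        "ts": int(time.time()) if now is None else now,
        "payload": payload,
    }
    body = json.dumps(envelope, sort_keys=True).encode()
    envelope["sig"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return envelope


def application_verify(envelope: dict, key: bytes = GATEWAY_KEY,
                       now: Optional[int] = None, max_age: int = 300) -> bool:
    """Application side: the HMAC proves the gateway authenticated the message;
    the timestamp window limits replay of a captured envelope."""
    sig = envelope.get("sig")
    unsigned = {k: v for k, v in envelope.items() if k != "sig"}
    body = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return False
    current = int(time.time()) if now is None else now
    return abs(current - int(unsigned.get("ts", 0))) <= max_age
```

The cost and residual risk the answer mentions are visible here: the gateway key and the segmentation of the trust zone are what everything rests on, so they are what an organization has to fund and monitor.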
5- In order to create a foundation for IoT, should we work on a more confident security compliance and risk management practice in order to manage IoT security in a proper manner?
Yes, of course. Much of the webinar focused on what I would refer to as “below the line” concerns: deployment, configuration, management, operations, etc. However, you rightly refer to “above the line” issues related to governance, strategy, organization and skill sets, policies, controls, among others. For IoT security to be successful, it must involve a top-down effort to establish the appropriate balance between risk and resilience. Interestingly enough, it will call upon “bottom-up” knowledge from the physical edge of business to do so: engineers and physical security planners in that governance effort, a distributed model that calls upon the crucial knowledge from business units and IoT program managers, even outside agents we may not have invited into the governance and risk practice before. It is a new style and type of compliance and risk, with new players.
There are more questions that were asked during the webinar. I will address those in my next blog.