A Thing or Two About IoT Security

The continued progression toward the Internet of Things (IoT) is undeniable. After all, fully automated production facilities are now a reality, and we’re even seeing real-world applications such as connected automobiles that can automatically apply the brakes because sensors receive information about an accident around the next curve.

With today’s cacophony of technology, the days of building a moat around the castle are over. Depending on which numbers you believe, IoT will usher in as many as 50 billion connected devices in the next five years—which could prove conservative. That represents significantly more devices than there are humans. The question is: How do we fit security around all this technology in a meaningful way despite the challenges? Just consider this short list:

• Even though these are mostly machine-to-machine communications, such an increase in connections sends an organization’s attack profile through the roof.
• There are also brand-new threats. For instance, who really thought industrial control systems would ever connect to the back-office network? Yet bridges exist between once-disparate networks.
• Most CISOs are already drowning in log data, so going from 5,000 to 250,000 endpoints in a day is overwhelming. All of a sudden, analytics are extremely important.

Despite the massive numbers, the steps to IoT security are actually quite simple. Since resources are limited, organizations need to focus on where they are most likely to begin their IoT journey. This often means being at the table when IoT project discussions get started – to help solidify the organization’s definition of IoT and help determine which projects take priority. What’s more, being an active participant in the IoT discussions enables IT to plug into the innovators. Fortunately, most people are open to having those security conversations, because attacks are so widespread and publicized. There is no turning a blind eye to the problem.

Of course, using business needs as a guideline, CISOs should narrowly define the parameters of interactions. Acceptable activities and behaviors associated with many of the systems should be limited. For instance, why would an automated corn combine need to download anything from Pandora?

The best way to create these definitions is to open communications with the operators and engineers. In doing so, we have an opportunity to get communication and analytics right from the start and can avoid mistakes that potentially lead to catastrophic vulnerability—an extreme example might be not setting definitions on a connected nuclear reactor.

Properly handled, securing IoT could help transition cybersecurity from its traditional role of gatekeeper to being an enabler. IoT is already driving speed to market in manufacturing, mining and utilities. Aptly secured, IoT can enable the organization to try new things, including chasing new revenue opportunities.