Addressing security for the Internet of Things: Step 1

Posted on 18 Jan 2013 by Tim Brown

The Internet of Things is a global technological opportunity of unprecedented proportions. The interconnectedness of devices, networks and people will facilitate the delivery of transformative products and services, as well as greater cost savings, productivity, and safety. This increased connectivity, however, also exposes new security threats.

The complexity of this environment and the compute and power limitations of many IoT devices complicate security at the device, application and network levels. For instance, traditional device types, including equipment found in manufacturing facilities, were not designed with an eye toward the future of Internet networking. Security implications were fewer when data were only intended to travel on a closed operations network.

Resource constraints and complex deployments that include both existing and new systems are the factors that will distinguish the IoT from traditional IT. Fortunately, even in the radical new world of the IoT, many of the same practices, technologies, and skills that have been developed in the past few decades remain relevant to the IoT with most of the new risks dispersed at the edge. In fact, as risks grow with the complexity of IoT solutions, IT security must also evolve, as well.

To support this shift, Harbor Research has outlined a three-step process to help organizations think about how to implement security technology in IoT solutions, including conducting an impact assessment, considering five primary security functions, and defining lifecycle controls (click here to view infographic). Leadership and integration teams should be careful not to limit themselves to any narrow line of questioning or way of thinking as they move through these phases, but be open to a new mindset that will help them creatively apply security measures in innovative ways.

In this article we will focus on step 1 and will cover steps 2 and 3 in subsequent articles.

Step 1: Address Security Impact in Diverse Environments

Understanding the impact of security in various potential IoT environments is an obvious first step in the solution design process. Given the diversity of both devices and the environments in which they will be deployed, each deployment is unique. Security solutions must be tailored to different usage environments and applications—whether they vary by size, industry, risk profile, or available product and service portfolio.

It is important to note that proper IT security is the implied baseline of any IoT solution deployment. Before bringing on new connected solutions, organizations should audit their environment to ensure they have implemented and are compliant with strong IT governance and best practices. Organizations should consider the following practices:

Plan for environmental context

By establishing an understanding of the potential customer’s environment, whether physical, regulatory, or end-user related, solution providers can make design and development decisions based on the specific needs of that industry or customer. For example, in developing connected HVAC systems for industrial buildings, a business may need to consider what types of data will need to be delivered to regulators, if any, or how easy it should be to adjust the building temperature and what access management controls may be required.

To assess the environment, know the questions to ask

Organizations should ask questions about what kinds of data will be created and transported, how private or sensitive the data are, to whom they will be delivered, the duration of storage, what outside linkages or integrations will occur, and what existing protocols or compliance requirements already exist in the respective verticals and industries (Exhibit 4). The entire risk landscape should be considered, including the physical environment, thirdparty suppliers and vendors, the legal and regulatory environment, and existing applications and infrastructure.

Provide clear communications about privacy and security risks

In addition to educating customers on the benefits of device connectivity in a given environment, organizations must also provide clear ‘opt-in/ opt-out’ capabilities so that customers are fully aware and supportive of data flow and understand the security and privacy implications. Customers will need to understand the value they receive in terms of higher quality service and lower cost of ownership. Finally, providers should clearly communicate the importance of internal communication within the customer’s entire organization: employees at all levels should receive ongoing education and governance training in security best practices in order to appreciate the importance of security structures.

Want to know more? We will soon be publishing steps 2 and 3. Check back soon.