With a perfect storm of failure waiting, it cannot be either or when it comes to the Internet of Things
30 June 2017 |
GDPR, artificial intelligence, customer experience, and the list could go on, but depending on where you are as an organisation, one of the items on that list is undoubtedly the Internet of Things.
Figures from Tata Consultancy Services suggest that 80% of companies increased revenues as a result of IoT implementation, while Gartner has asserted that there may be up to €130 billion in new monetisation avenues due to IoT-related services in the coming years.
“Insecure products, poor network organisation, a lack of skills, a lack of vision and an overwhelming urge to act—one could hardly plan a better mix of ingredients to bake into a layered fail cake”
With such pressure to do something, many companies are floundering about, unsure what to do but scared to do nothing.
A recent survey from Cisco confirms the lack of vision and understanding.
The survey found that more than half of IoT projects in enterprise fail, and it is not because of the technology. The key reasons for failure were given as projects taking too long, limited expertise to implement, poor data quality, lack of integration across teams and budget overruns.
Despite this, when companies get it right, the benefits are obvious. Certain sectors such as aviation, agriculture, manufacturing and more, have demonstrated the benefits to be had, but reservations remain, not least of which are around security.
Another survey by the Ponemon Institute found that more than three quarters of enterprise IT decision-makers thought that it was at least somewhat likely that their organisations would experience data loss or theft enabled by IoT devices within the next two years.
These fears are not without foundation.
If we take a look at the now infamous Target breach, the method of ingress was via stolen credentials for the heating and air conditioning service provider.
A badly segmented network then allowed the attackers to roam networks with permissions that were designed to allow the service provider to monitor heating and cooling in stores to manage efficiency. Point of Sale (PoS) devices were then compromised with malware and the rest is history.
Furthermore, the Mirai botnet of IoT device, as such as IP cameras, showed that the old song remains pertinent: everything counts in large amounts. Tens of thousands of compromised devices were able to wreak havoc by their sheer number and distribution.
The situation overall, is a recipe for disaster.
Insecure products, poor network organisation, a lack of skills, a lack of vision and an overwhelming urge to act—one could hardly plan a better mix of ingredients to bake into a layered fail cake.
But what is to be done? Well, there are a number of different approaches. Cisco has decided that the network needs to be protected, not the devices. The devices must be presumed to be inherently insecure. The networking giant has brought together a number of services and capabilities that mitigate the fact that insecure devices will be talking to some aspect of the network.
Cisco has hit upon a network segmentation specifically to suit IoT implementations, coupled with network traffic monitoring for unusual activity, backed up by device visibility and monitoring tools.
This set of offerings leverages core strengths of Cisco and its networking heritage, but if one does not have an extensive Cisco estate, it may be a costly route.
Alternatively, as can be seen in the News section, Microsoft offers a IoT Central which has as a core feature a set of templates and guides to implement IoT, which has baked in many of the measures and lessons suggested, but does not necessarily rely on network layer capabilities for security.
All this might sound familiar, if you are of a certain age, or older. This sounds a lot like the old mobility debate and how to remain secure when potentially insecure devices om on the network. As such, the core issues have been dealt with a number of times.
It seems a bit binary to say IoT devices are insecure and therefore must all be treated as a potential threat.
While having network-layer intelligence to segment, monitor and analyse, it also seems an oversight to rely solely on the network for security.
As with the mobility model, a certain basic level of security of any device that connects to a corporate network is a good idea. It does not necessarily need to be a hardened device, but at the same time, whether it is a light bulb, a smart sensor, IP camera or smart connected device (SCD), a base level of security should be expected, otherwise, why on earth would you connect it to your network.
At the same time, the world is gradually coming round to the idea that breaches will happen, and so network segmentation, access by need only and strict privilege controls are necessary, but only as part of an overall security strategy.
All security needs to be layered, with no one element being relied upon exclusively.
Every disaster, whether it be a plane crash or a major security breach, is always a list of small failings that on their own, on any given day, would never matter. But it is when they come together, with a force greater than the sum of their parts, that they can add up to disaster.
Cisco is spot on in preparing the network for the kinds of risks that IoT represents. Microsoft is on the money with guide and template driven avenues into IoT, where time pressures, platform availability and skills may be lacking. However, it is also time to have device manufacturers step up to the plate and implement basic levels of security for IoT devices that mean they cannot easily be compromised.
As the mobility model has shown, by taking reasonable steps at every level, from user to application to device and network, security can be maintained. An IoT device that passes a posture and configuration check should be able to join a network, but only with appropriate access and privilege levels.
Reasonably secure devices connecting to an appropriately prepared network that has been designed with the combined wisdom of many implementers should allow most organisations to take advantage of the benefits of IoT without exposing themselves to undue risk from breach or network hijacking or denial.
Don’t fear the IoT, but don’t let it run unchecked either.