It’s time to stop admiring the problem and get to work.
If you research Internet of Things (IoT) security daily like many in the analyst industry are doing, you keep reading articles that can be characterised as “admiring the problem”.
This is serious. This is bad. Something needs to be done. We see in media reports such as the Chrysler hack early signs that something could indeed be bad and something indeed should be done.
OK, enough already with admiring the problem. What CAN be done about securing the Internet of Things?
First, recognise that most of IoT security is IT security or OT (operational technology) security. Not all of it, but most of it.
So before too much panic sets in, know that many of the practices, technologies and skills that have been developed over decades are still applicable to securing the IoT.
In some business scenarios the scale and diversity of elements in the solution may be different from traditional IT and in yet other scenarios you may be dealing with a different environment (such as a real-time event-drive one), but the security functions required (and the controls to be applied) are much the same.
It isn’t necessary to make ALL new things to secure it.
Recognise that there ARE some new things you will need for securing the IoT - and what you need depends upon the business scenario in which you are using IoT devices and functions.
Think of a business process from end-to-end, or what I refer to as from core to edge (and back). In most scenarios, there will be three basic architectural areas.
At the core will be the traditional elements of IT security for applications, data, platforms, networks, and even endpoints.
At the “intermediary” point, or in the middle where gateways and boundaries between traditional IT networks and IoT networks reside will be a mixture of IT security capabilities and new IoT security capabilities for areas very similar to IT: applications, data, networks, platforms and endpoints.
At the intermediary level you will find some new technology that may serve as an “IoT-to-IT” converter for security functions. This may be within next generation firewalls, specialised devices or gateways designed for the industry or edge devices used.
Finally, there is the edge layer where you find most of the devices identified with the IoT, from sensors to actuators to combinations of those items plus a platform to run some functions in software.
It depends once more on what the business scenario is you’re implementing, whether you’re monitoring environments in office buildings or handling driverless vehicles in mining pits.
What is common among all of them from a security perspective is that you must use principles of risk and feasibility to determine where you will or should apply security controls in what may be a complex implementation. Again, it depends.