Securing IoT -- Better Now Than Later
Implementing IoT security is like buying insurance: the enterprise does not expect to file an insurance claim, but it must invest in insurance in case of a problem.
April 17, 2015
I am a protestor and want to make a statement by interfering with a company's Internet of Things (IoT) network. Maybe I want my local transportation system to respond to my complaints, so I cause disruption to its traffic control systems. I could be a disgruntled or former employee or student who is angry, and I want to ransom the IoT operation of an organization. I am a contractor who does not follow the security policies and procedures of my customer. Or maybe it's as simple as me updating my IoT devices and making a mistake that hampers IoT operations.
Any or all of these situations can be prevented with the judicious deployment of security features in an IoT network. The IT industry had to play catch-up with ferreting out IP endpoint and network security vulnerabilities after the fact; when implementing an IoT network, the same sort of catch-up can be mitigated with proper security planning.
One of the dangers with IoT is that it may be implemented by operations rather than IT staff. This is potentially problematic because the operations staff usually has experience with physical security, but not with information security and networks, so security vulnerabilities may not be well anticipated or understood. But implementing IoT security provides an opportunity to get ahead of the game.
The single biggest observation about IoT is the number of potential endpoints that will exist. The number of endpoints per person today averages about 2.7, with some people using up to 7 endpoints. These endpoints could be cell phones, tablets, laptops, wearable devices, sensors (especially in business situations), etc. (see How IoT Endpoints Measure an Environment).
Most IoT endpoints are designed to be inexpensive, have a long operational life (five to 10 years), require little lifetime maintenance, have long battery life, and most likely communicate over wireless networks. The low cost is designed so that many endpoints can be deployed with a positive ROI; therefore there is a modest budget available for security features to be included in the actual endpoints.
There is no single approach to IoT standards, so each standard, as well as proprietary approaches, will have differing levels of security. There are security add-on products, but they may not protect all IoT networks equally. Some technologists even propose that a new architecture is required for IoT success.
Content privacy of sensor-generated data is one important aspect of IoT security. Within healthcare environments in particular, this data must be secured and needs to comply with regulations. The issues of content accuracy and integrity also come into play. The same could be said for corporate data. The organization's financial and operational health could be at risk.
Security issues include endpoint access, data transport over networks, embedded applications at remote locations and the data center, and laws and regulations that cover personal and financial data. Other factors include:
Data longevity
Risk longevity
Safety, both personal and corporate
Breach detection
Breach prevention
Problem resolution
A major difficulty when a security breach occurs is determining how bad it is. The impact can range from minor to catastrophic, and it's not always easy to determine who has been affected. Next, the impact of the security problem on the users and network and data centers can take a while to discover -- sometimes months, as has been the case in recent retail security breaches. A well-planned security breach can go undetected for as long as a year, which makes it even more difficult to assess the impact.
There are five objectives for any IoT security effort:
Authenticating the endpoint data sender (a network issue)
Authenticating the data receiver (a data center or cloud service; a network issue)
Controlling endpoint and receiver accessibility, ensuring that they are online or can be commanded to be online
Ensuring that data content is sent correctly, is accurate, valid, and up to date; otherwise erroneous data leads to erroneous conclusions
Protecting the confidentiality of the data collected as required using encryption
These goals must be reasonably economical to implement. If they are too expensive, the IoT implementation may not be affordable.
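As an added illustration (not code from the article), the sketch below shows a low-cost way a receiver can meet two of the objectives above: authenticating the endpoint sender and confirming that a reading is unmodified and up to date. The device ID, key table, message layout and 300-second freshness window are assumptions made for the example; confidentiality would be handled separately by encrypting the transport.

```python
import hashlib
import hmac
import json

# Constructed per-device keys; a real deployment provisions these securely.
DEVICE_KEYS = {"sensor-17": b"constructed-demo-key-17"}
MAX_AGE_SECONDS = 300   # assumed freshness window
last_counter = {}       # highest counter accepted per device (replay guard)


def sign_reading(device_id, key, counter, timestamp, value):
    """Endpoint side: serialize a reading and attach an HMAC-SHA256 tag."""
    body = json.dumps(
        {"id": device_id, "ctr": counter, "ts": timestamp, "value": value},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_reading(message, now):
    """Receiver side: return (accepted, reason) for one message."""
    try:
        body = message["body"].encode()
        fields = json.loads(body)
        key = DEVICE_KEYS[fields["id"]]
        counter, timestamp = int(fields["ctr"]), float(fields["ts"])
    except (AttributeError, KeyError, TypeError, ValueError):
        return False, "malformed or unknown device"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison: sender authentication and integrity.
    supplied = str(message.get("tag", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad tag"
    # Freshness: reject stale or future-dated readings.
    if abs(now - timestamp) > MAX_AGE_SECONDS:
        return False, "stale"
    # Replay: counters must strictly increase per device.
    if counter <= last_counter.get(fields["id"], -1):
        return False, "replay"
    last_counter[fields["id"]] = counter
    return True, "ok"
```

The tag is checked before the timestamp and counter, so a forged message cannot advance the replay counter.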
Paying for security is a tradeoff between protection, risks, and budgets. A really secure IoT environment may be unaffordable. The enterprise needs to evaluate the risks for different levels of security investment. The security solutions have to be easy to implement and manage.
It is relatively easy to calculate TCO; it is hard to produce a positive ROI. Those proposing the security investment have to perform due diligence by studying other organizations' security problems and how much the problems affected a particular organization's expenses. Implementing security is like buying insurance: the enterprise does not expect to file an insurance claim but it must invest in insurance in case there is a problem.
Security investment needs to cover six areas:
Endpoints, remote and data center/cloud
Transport network, wired and wireless
Network infrastructure including management, control, and monitoring
Data connections, Internet and/or private networks
Data center servers and cloud services
Business systems and personnel that access and process the collected data and control the endpoints
The enterprise may choose to outsource much of IoT operations to a cloud service, thereby outsourcing most of the security investment to the cloud service. This means less IT staff effort and a faster time to implementation, which is especially attractive if the number of IoT endpoints is expected to rapidly increase. Cloud services can scale faster than an internal system and network. The adoption of standards as well as complying with regulations becomes the problem of the cloud service provider. If the implementation of IoT is to be performed by operations rather than IT personnel, then the cloud approach is probably the safest and fastest method to adopt.