IoT - When Rubber Meets the Road

By Harshad Mengle, CISO, L&T Finance

According to researchers, a lot of people are excited about IoT, but development is relatively slow. Predictions are that more than a billion devices would be connected to the Internet in 2017 and that we will reach 26 billion IoT devices by 2020, generating $300 billion in revenue for manufacturers and service providers. An analysis of the past few months shows that many of the leading companies have carried out technology-driven transformations across industries and are leveraging transitional strategies, or more specifically transitional business platforms.

Few old-guard players have recognized the power of transitional models, but companies such as Netflix, Uber, Apple, and Tesla know that waiting for the right time means waiting until it’s too late. From 3D printing to crowdfunding to the Internet of Things and data analytics, all of these technologies enable us to provide what customers want, where, how, and when they want it. Businesses that map technology and provide a cost-effective model will win. Reliance on technology will increase and will continue to assist demanding businesses.

IoT is about using smart devices to collect data that is transmitted via the Internet to other devices, and it is going to be a strategic priority. The technology is closely related to machine-to-machine (M2M) technology, which is not new. A majority of today's IoT solutions are designed in an ad hoc manner. Depending on the business domain and on the targeted platform (OS, H/W capabilities, etc.), often incompatible architectures are implemented, which pose high technology and business risk. Unless the companies that make these interconnected devices overhaul their Digital Security Practices (DSP) and incorporate them into development processes earlier, IoT will be dead on arrival. IoT can demonstrate meaningful business value today, but there are still significant challenges to meet. These “things” will come in all shapes and sizes, from three-ton automobiles to clothing to under-the-skin blood sugar monitors and even our entire home. Reaping the business rewards will depend on the ability to design and build a networking infrastructure that successfully manages the flood of data that comes from this new Internet, the Internet of Things (IoT).

Threats to data security, physical security, security of devices, regulations, privacy, encryption, authentication and a host of other issues all need to be addressed before the IoT can really become commonplace. These issues sound eerily similar to the ones surrounding the Cloud only a couple of years ago.

It is also possible that organizations allowing personal IoT devices (BYIoT) to connect will face challenges similar to those of BYOD.

Basic IoT Security Framework and controls
IoT entities will generally not be single-use, single-ownership solutions. The devices and the control platform on which data may be consumed and shared could have different ownership, policy, managerial and connectivity domains. Applying appropriate identity controls and building trust relationships between entities to share the right information are equally important. Some of the challenges include:

• Authenticate to multiple networks securely
• Ensure that data is available to multiple collectors
• Manage contention over access to that data
• Manage privacy concerns between multiple consumers
• Provide strong authentication and data protection (integrity and confidentiality) that are not easily compromised
• Maintain availability of the data or the service
• Allow for evolution in the face of unknown risks

A Few Recommendations When Considering IoT in an Organization
1. Perform a risk (Process and Technology) analysis to understand threats and unique mitigations to apply to a new IoT deployment 
2. Perform a Privacy Impact Assessment to understand potential privacy concerns exposed by the new system 
3. Define and implement network segmentation architecture to segment less-trusted components 
4. Consider secure application development approaches applied to each product 
5. Extend your Continuity of Operations Plan (COOP) by mapping IoT segments to business functions 
6. Design a process for life-cycle management
7. Identify the approach for tracking of Mobile IoT components (geolocation, asset management)
8. Define an approach for capturing audit data and integrating into a SIEM/Data Analytics System
9. Update Incident Response Plans 
10. Create IoT-specific training material 
11. Develop a cryptographic key management plan 
12. Integrate IoT components into existing authentication framework 
13. Set up a Continuous Monitoring Capability for IoT security
14. Consider Physical Security Controls 

Today, consumer devices are the focus, and service providers will work to find new ways of driving greater operational efficiency and better management of infrastructure, for themselves and their customers. The challenge in harnessing this powerful force isn’t limited to managing the sheer volume of data created. It’s also making sense of that data to prioritize traffic and optimize the application architecture itself.

Going forward, striking a balance between security and innovation will be challenging and complex; instead, incorporating information security during innovation will be ideal for digital security.
