The growth of the Internet of Things (IoT) is engulfing many organizations. Big deal. Organizations have learned to cope with the “digital transformation” threatening to disrupt businesses since the ‘90s. IoT, however, is different. Leveraging proven concepts, technologies and business models like software as a service, cloud, mobile and big data, IoT is being adopted at a much faster rate than all these technologies to the point where stakeholders who need to apply strategic thinking and control the mess are overwhelmed. It could be especially overwhelming for physical security practitioners who, in recent years, witnessed their businesses change from analog to digital, from on-premise to the cloud and from a traditional business model to an “as-a-service” one.
One of the methods the corporate world has devised to deal with rapid, frightening transitions is risk management. Risk professionals are needed whenever a big change is imminent because they strategize how to best adopt change, implement a process that takes account of the risks and adjust the organization’s commitment and exposure according to the developing landscape. Recent examples of such processes include the adoption of cloud and mobile technologies. Organizations that operate in non-regulated environments have been forced to consider these technologies, assess the risk embodied in each one and plan a cautious route towards slow and gradual adoption.
The sheer speed at which IoT is moving, however, will not allow organizations such time to stop and think before implementation. Moreover, clear regulations and standards relating to IoT security and privacy are still in development and will take several years to be finalized and adopted. Yet ignoring the risks and implementing before considering the consequences is a dangerous gamble. So how are risk professionals supposed to act?
Adopt everything you can from IT security
IT security has been around for over 20 years. The basics haven’t changed much, and the theoretical foundations are still solid. Connected-device security and risk assessment should emulate IT security as much as possible. For instance, organizations are rarely adept at checking their own security mechanisms, so it is common practice to hire external penetration testers to assess the organization from the inside. Similar activities can be performed for device security.
Remember the main differences
IoT security differs from traditional IT security in one major aspect: IoT security emphasizes ensuring the trustworthiness of devices and the privacy of users (and in extreme cases, their safety) while IT security is focused mostly on securing data. While both forms of security are important when gauging overall network security, all risk assessment and mitigation activities should be conducted with this crucial distinction in mind.
Define the assets
As noted above, IoT security is about securing the devices, so the definition of an “asset” is different than in IT security. IT security might define a server as an asset because it contains valuable information; as such, there is a small, finite number of assets to secure. In IoT security, all assets are equal and need security, so outdated perceptions about risk and security cannot be applied without modification. Bear in mind that the scale is different – a video surveillance service provider could be looking at securing tens of thousands of cameras.
Define the risks
IoT risks include damage to or modification of the device, reduced availability, and risks to privacy, compliance and safety. As such, traditional means of risk reduction like encryption of data, backups and improved user awareness are simply inadequate. Much more robust, automatic detection and enforcement technologies are required to prevent these risks from manifesting.
Define the risk appetite
Knowing the risks and assets allows you to define a suitable risk appetite and plan your risk and security activities accordingly. Perhaps when discussing IoT security, the term should be redefined as risk “tolerance”; it is impossible to remove the risk or reduce it to zero when considering millions of devices. Organizations must decide which devices they are willing to sacrifice and which are critical. For instance, a smart lighting pole gone rogue is a nuisance, whereas an IoT gateway tethering dozens of smaller sensors going down is another thing altogether. Problems surrounding connected devices that perform critical actions, such as sewage pumps and water sensors/actuators, can create chaos.
Seek technologies and processes
Once assets are defined, risks are understood and priorities are set, it is time to select the right security monitoring technology. There are currently few options that give risk officers and other IoT security stakeholders complete, real-time visibility into their IoT deployments to enable informed decision making – nevertheless, organizations must strive to achieve such a level of awareness and monitoring, mitigating problems to the greatest extent possible.
Implement and re-evaluate
Implementing a security solution for connected devices in a live production environment can be tricky, so planning in advance and testing on a subset of the system (rather than deploying to thousands of devices at once) are recommended. After the solution is up and running, it is imperative that the risk and operational departments discuss the results, determine the accepted thresholds for the monitoring systems and agree on incident response plans.
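The steps above (define assets, rank their risk, set a tolerance and pilot on a subset) can be made concrete with a small risk register. This is an added example, not code from the original article: the tier weights, the `critical_at` cutoff and the sample fleet of cameras, lighting poles, a gateway with tethered sensors and a sewage pump are all constructed for illustration. A gateway inherits the impact of every sensor that can only be reached through it, which is what makes it far more than a "nuisance" device.

```python
from dataclasses import dataclass, field

# Constructed criticality weights: what the organization can sacrifice vs. what it cannot
TIER_WEIGHT = {"sacrificable": 1, "important": 3, "critical": 9}

@dataclass
class Device:
    dev_id: str
    kind: str
    tier: str
    dependents: list = field(default_factory=list)  # ids reachable only through this device

def effective_weight(dev_id: str, fleet: dict) -> int:
    """Own weight plus everything it tethers: a gateway carries the impact of all its sensors."""
    d = fleet[dev_id]
    return TIER_WEIGHT[d.tier] + sum(effective_weight(c, fleet) for c in d.dependents)

def risk_register(fleet: dict) -> list:
    """Device ids ranked by effective impact, highest first; input to the tolerance decision."""
    return sorted(fleet, key=lambda i: effective_weight(i, fleet), reverse=True)

def tolerance_class(dev_id: str, fleet: dict, critical_at: int = 9) -> str:
    """At or above critical_at the device must not be sacrificed; below it, loss is tolerable."""
    return "critical" if effective_weight(dev_id, fleet) >= critical_at else "tolerable"

def pilot_subset(fleet: dict, fraction: float = 0.05) -> list:
    """Per device kind, a small slice for staged rollout, always including its highest-impact member."""
    by_kind = {}
    for i in risk_register(fleet):
        by_kind.setdefault(fleet[i].kind, []).append(i)
    chosen = []
    for ids in by_kind.values():
        chosen.extend(ids[:max(1, int(len(ids) * fraction))])
    return chosen

def build_fleet() -> dict:
    """Constructed sample fleet: 200 cameras, 40 lighting poles, one gateway with 24 sensors, one pump."""
    fleet = {}
    for n in range(200):
        fleet[f"cam-{n}"] = Device(f"cam-{n}", "camera", "important")
    for n in range(40):
        fleet[f"pole-{n}"] = Device(f"pole-{n}", "lighting", "sacrificable")
    sensors = [f"sensor-{n}" for n in range(24)]
    for s in sensors:
        fleet[s] = Device(s, "sensor", "sacrificable")
    fleet["gw-1"] = Device("gw-1", "gateway", "important", sensors)
    fleet["pump-1"] = Device("pump-1", "sewage-pump", "critical")
    return fleet
```

Running `risk_register(build_fleet())` puts the gateway above the sewage pump because of the 24 sensors behind it, while a single lighting pole stays in the tolerable class; `pilot_subset` then yields a handful of devices per kind to deploy on first.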
As if the growing number of cybercrime regulations and customer concerns weren’t enough to handle, risk professionals now must accommodate the whole new technological and conceptual world of IoT and connected devices. Following proven processes – with the necessary adjustments – will ensure that they are able to provide their organizations with solid guidance on safely adopting this new technology.