A practical approach to IoT security
IoT hit the peak of the Hype cycle recently, so according to analyst firm Gartner we are on our way down into the Valley of Disillusionment. Ish. Based on an informal polling of the blogosphere, says Dr Scott Nelson of Logic PD, security is likely to be the gravity that pulls us down the slope.
Securing systems on the Internet is not easy and the enemy continues to evolve. Given recent news articles about the hacking of everything from insulin pumps to grocery stores one might say it is impossible. I should say ‘enemies’ – plural. IoT security has multiple enemies: human error, poorly designed or tested software, paparazzi, individual stalkers, hackers, governments – the list goes on. Security is important, in many applications critical, but it is also fleeting.
I have heard more than one security consultant say that no system is impenetrable and ”if your electronic payment system hasn’t been hacked it’s only a matter of time.” Yet we conduct billions of dollars of commerce over the internet every day. The answer to IoT security is a combination of appropriate technology, contextual awareness, and good business judgment. Basically, we need a practical approach to the seemingly impossible task of IoT security.
When it comes to technology, there are good security standards in place and have been since the early days of the Internet. Web browsers, operating systems, and many applications already use secure technologies like TSL, SSL, and Secure Elements. Apple’s recent announcement of Apply Pay shows that new technology is not the issue: Secure Elements, biometric sensors, and encryption are all standard issue in mobile devices today. Many of the recent security breaches in the news have been shown to be errors either in the deployment of the security or user error in the use of the security technologies available. The first step then to IoT security is to properly deploy and use the standards and technologies that exist. Use good practices like multi-modal authentication and secondary keys to deter simple, brute force attacks.
Since information security technology is vulnerable, it creates a business risk. How should IoT companies deal with that risk? To best do this, organisations must first understand the context for security in terms of customer needs, market expectations, and threat behaviour. First let’s look at the needs that motivate an enterprise to pay for security. The needs for security at the enterprise level come from the needs of the enterprise’s customers which in turn become expectations of the brand. The needs can be grouped into three types:
- Assurance-knowing that the data provided or processes controlled by the data are timely, truthful, and accurate.
- Privacy-knowing that access to data and information is controlled and limited to those who are allowed to have access.
- Liability-knowing that the value of the asset or process to which the data applies is protected.
Security is the currency of trust for these needs. The more secure the system the more customers trust both the system and the brand. Understanding the customer motivations from these needs as well as the link between security and trust provides a foundation for business practices to deal with the technical risk data security presents.
So where does an organisation start? Here are three steps to a practical approach to IoT security:
- Maintain your technical diligence – Keep your code makers current and accountable with outside audits and advice. The technology needed is available and the threats are understood, but the situation is dynamic.
- Prepare for the inevitable – Your systems, your suppliers systems, or your competitors’ will be compromised. Prepare your team for immediate action and your public response to address your customers’ needs. Be prepared to protect your brand by maintaining trust with your customers.
- Address all customer motivations for security – Your offerings should do more than comply with standards or use the latest recommended approach for your primary security need. Assurance needs can become liability and liability needs can transform to privacy. Make sure your approach to meeting customers’ needs is comprehensive – manage the trust they put in your brand.
Internet security is going to continue to be an issue. The well prepared enterprise will understand what motivates customers to pay for security, even pay a premium, and will not only address those motivations with their solutions but also have a plan to restore trust immediately when the inevitable occurs.
As CTO and executive vice-president, Dr. Scott Nelson is responsible for leveraging Logic PD’s technology expertise and offerings across a wide range of markets with a focus on connected solutions and the Internet of Things (IoT). Scott has nearly 25 years of experience leading technology and product development. Prior to joining Logic PD in 2000, Scott worked for 3M and Honeywell. Scott Nelson is a frequent contributor to Logic PD’s Blog, Insights (www.logicpdinsights.com/) . He holds a Ph.D. in applied and engineering physics from Cornell University, a doctoral minor in business administration from the Samuel Johnson School of Management at Cornell University, and a B.A. degree in physics and mathematics from St. Olaf College.