The security of connected devices is a charged topic. Breaches make for headlines, unhappy customers, fines and firings. As a result, if you’re considering an IoT project, sooner or later your bosses are going to ask you what you’re doing about security. Here are some of the things you should talk about.
To start with, it should go without saying that most executives are not very interested in deep dives into protocols, architectures or encryption. These details matter! But your conversation with the CEO is probably not the best time to demonstrate your deep knowledge of IoT security tech.
Invest for success
IoT is important to your organization in the context of digital transformation and the associated new types of business models and services. It’s the source of new revenue, cost savings or both. If you can’t tie an IoT project to hard dollars, maybe you shouldn’t be doing it.
Talk dollars and cents with security too. Security needs to be invested in, which is to say budgeted for. A lot of lip service gets paid to IoT security. Needed dollars? Not so much. Security isn’t free. Failure isn’t free either. Lack of investment in security is effectively the same as investing in failure.
IoT security is different
Emphasize that IoT security is not business as usual. Oh, in some ways it is. Security should be built in and not bolted on. You need to systematically manage the access of insiders, partners and customers. Security is still about limiting and containing damage caused by system failures and successful penetrations.
But IoT also introduces new attack vectors and can amplify the consequences when something goes wrong. Taking full advantage of IoT means that far more devices are connected by default and far more data is often collected. Software is already embedded in many critical systems. But IoT replaces many manual and disconnected controls with software-driven ones that can directly affect the physical world at scale.
Add it all up and it’s not hard to see that lack of investment in IoT security can have serious consequences.
At the same time, too much focus on eliminating risk leads to paralysis. The goal should be to manage risk.
This means considering the entire system in a programmatic way. What are the benefits of connecting specific components to the network? What are the benefits of collecting specific types of data?
And what are the risks?
Maybe you don’t connect critical pieces of physical infrastructure to the internet. Maybe the power plant doesn’t need to be online. These discussions often need to start happening early on in the procurement process. They drive what you ask for from your vendors. And it often comes back to money again. How much are you going to spend to improve the safeguards around particular types of components?
As part of managing risk, understand which regulations may apply. This is particularly relevant when third-party data, such as customer information, is collected and stored.
For example, various rules regulate how the data on individuals can be collected and stored. Perhaps most notable is the General Data Protection Regulation (GDPR) in the European Union. This requires, among other things, that the use of the data should be limited to the purpose for which the data was requested.
Data sovereignty rules may limit the storage of certain types of data to specific countries or regions.
It’s a long game
Emphasize that implementing and maintaining IoT security is a long-term commitment.
Many of the devices used in industrial IoT systems have a lifecycle measured in decades. They’re maintained through their life and that maintenance needs to include their software, because unpatched software is insecure software. In many cases, this requires that the manufacturer make software updates available. (One more item for procurement negotiations.)
Certainly some software systems have themselves been long-lived. But today the overall expectation is that software is increasingly disposable. With IoT, the pace of change and lifetime is more aligned with operational technology (OT) than information technology. (Though the pace of OT is picking up to align with IT as software plays a bigger and bigger role in almost all industrial systems.)
And that’s a good point to close with as you wrap up your executive briefing about IoT security. In important ways, IoT sits at the convergence of IT and OT. It shares aspects of consumerized IT: improved user experiences, new types of services, rapid advances. But it also has a foot in the accelerating OT world, which brings with it a strong expectation of reliability, safety and, yes, security.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.