Digital transformation is valuable and essential, but it creates digital risk. Smart organizations understand this, even as they aggressively take advantage of technology mega-waves like cloud, mobile, analytics and artificial intelligence.
Yet there’s another mega-wave that exists largely outside of IT’s control and has introduced its own digital risks. Over the coming years, the number of IoT devices in use will multiply, soon dwarfing the number of computers and other IT assets connected to networks and producing an immense volume of data. IoT is useful because it bridges the gap between the physical world and the digital world, enabling the management of real things, not just those abstract objects you can represent in software code. This has fueled entire classes of IoT, from industrial and medical to a universe of consumer IoT that vendors must manage.
Risk and security groups are awakening to this large — and largely unmanaged — dimension of their IT infrastructure. One IT security executive at a large manufacturing company, which traditionally had a permissive policy that allowed employees to add IP-based devices wherever needed, told us, “There are tons of devices connected to our network that we have no idea what they do or who owns them. All we can do is unplug one and wait for somebody to scream.” Another customer compares their IoT population to kudzu, growing so fast and uncontrolled that it overwhelms any hope of managing it.
Fortunately, relief is in sight. Two separate IoT revolutions are underway: edge computing, which brings all IoT together on a single platform; and Standards and Frameworks, which introduce coherence for the IoT industry for new products and projects. Together, they offer a promise to tame the current IoT hairball, while setting the stage for simple, powerful IoT risk management going forward.
IoT Edge Computing
IoT emerged largely beyond the purview of IT, security and risk teams. Traditionally, it’s procured, deployed and managed by operational groups. As these are truly mission-critical systems, the priority has been around uptime and safety, while manageability, security and risk have received less focus. Many of these devices were originally designed for air-gapped (isolated) networks, with anticipated lifespans measured in decades, and suffer from limited CPU and data storage, and often no ability to easily patch and secure over time.
The specialization of these systems resists any unified management approach. Especially in OT/ICS, the range of industry- and solution-specific protocols and APIs make it nearly impossible to inventory, authenticate and secure using any common platform. Instead, we see many siloed products and services, each managed individually and usually outside of IT control.
IoT edge computing inserts a layer between the devices and the data centers to which they connect. Devices attach to small hardware or software gateways deployed close to them in the segmented network. This effectively adds local data processing, while introducing the opportunity to apply discovery, authentication, management and security controls. Gateways are general-purpose and can connect to any type of IoT device – even specialized OT/ICS devices when configured with the right protocols and parsers. Gateways can control devices and pass processed data onward to the data center, saving bandwidth and optimizing things like security and privacy.
Each gateway is responsible only for the devices that are attached to it, so they process at high performance with low latency. The gateway accepts plug-in agents for added feature and function, for things like manageability, security and analytics. For example, RSA IoT Security Monitor passively forwards metadata to a cloud security monitoring service, which applies threat intelligence and behavior analytics to detect anomalous, and potentially illegitimate activity like a device that connects to a known bad IP, or exhibits a big change in upload/download ratio.
That’s just one example of an IoT edge solution. Open Edge platforms such as EdgeX Foundry, a Linux Foundation project, allow innovation from any direction and support large communities of developers and service providers. Commercial products and even cloud Edge solutions are available as well. The main feature is support for IoT devices out at the edge – close to where they are – for granular control, local processing and low latency. This goes a long way toward cleaning up the existing siloed IoT world, while preparing for billions of new devices on the way.
Standards and Frameworks
The other traditional issue with IoT – especially IoT subsegments such as industrial, medical, military, and Smart Cities – is that solutions tend to be proprietary and locked to a single vendor. The emergence of standards and frameworks is making IoT simpler and safer, while increasing optionality – particularly important in an area like IoT, which increases risk in many major areas, including process automation, cybersecurity, third-party, business continuity and privacy.
Standards and frameworks now exist for many critical areas, including machine-to-machine communication, secure industrial automation and control systems (IACS), authentication and authorization, HTTP transfers, lightweight messaging and real-time data exchange. Cybersecurity standards for device manufacturers address supply chain vulnerabilities. Identity standards are being finalized that bring IoT unique identifiers into the world of identity governance. Finally, open architectural frameworks impart design consistency to IoT projects, and open standards for Edge and fog do the same for new close-to-the-device solutions.
It sounds like a lot of standards, but you can pick and choose; adopting any one of them will likely improve your IoT maturity. Importantly, you can manage conformance with many standards with online tools, or enterprise integrated risk management platforms such as RSA Archer Suite, which has modules (app packs) for new IoT projects and for measuring your IoT security maturity.
The Future Looks Bright
For many risk and security professionals, the emotion generated by the IoT explosion is somewhere between fear and exasperation. But with transformative evolutions in edge computing and standards and frameworks, the road to a more manageable and secure IoT universe is opening up before us. For more information, checkout the IoT@RSA page.
If you’d like to learn more, I’d invite you to tune into my presentation from the RSA Conference 2020 Asia Pacific & Japan virtual experience, “20/20 Security Vision: Managing Digital Risk in the Era of IoT.” During this session, I unpack and expand upon some of the topics addressed in this blog post, including: emerging standards, open source IoT frameworks and industry best practices to mitigate IoT threats and manage risk.