Research Library
Monthly Research
& Market Commentary


Securing the Internet of Things – research commentary

The business opportunities presented by the Internet of Things (IoT) are generating a lot of excitement in the IT community, and rightly so. Innovative devices and embedded smart capabilities can transform the customer experience, enhance functionality, improve product maintenance, and create new business propositions such as subscription models or new forms of data analytics.

Securing the Internet of Things

Security researchers and the media have recently been having a field day identifying IoT security weaknesses.

However, the IoT presents important new security and privacy challenges. Security researchers and the media have recently been having a field day identifying IoT security weaknesses – not just in the lab, but in devices that are in widespread use. Recent examples include:

  • TV home entertainment systems that have turned on built-in cameras and microphones without customer permission.
  • Cars, light-bulbs, door locks and refrigerators that have been remotely controlled by attackers, or infected by malware so as to become part of a ‘botnet’.
  • Studies by both commercial and university research groups that have catalogued numerous IoT software weaknesses, and shown that many phone apps (including medical ones) have been poorly designed and risk exposing sensitive customer data.
  • Ford was widely criticized after an executive said that it could (in theory) monitor speeding infringements made by its customers.

This commentary is drawn from our recent LEF research paper which provides an overall framework for developing an IoT security process.

Privacy, reputation and stance

The potential benefits from the IoT can be enjoyed by the supplier, the customer, or both. But explicit permission is often needed for new data collection and usage. There are two main scenarios:

  • A company collects information to provide additional/improved functionality and services of potential benefit to the customer.
  • A company collects and uses customer information to help in managing its own business (for example, proactive maintenance, cross selling or on-selling of data).

Of course, none of this is new in a world of loyalty cards and web usage tracking, but the pervasiveness, volume of data, and physical proximity of IoT can make the subject very emotive, and getting these issues wrong can have disastrous implications as customers will reject products or services seen as untrustworthy. Proper IoT security can help by demonstrating that privacy commitments are being honoured. But first and foremost a company deploying IoT capabilities needs to decide what its stance will be on data collection, use and sharing, as well as the security performance standards that it will meet.

The need for an overall model for IoT security

It is often tempting to define IoT security requirements purely by the first application that emerges. However, the initial set of IoT applications will often expand significantly over time. As we shall see, security strategies must take into account the likely evolution of the purposes to which an IoT system will be put, and the future stakeholder environment it will be part of.


Similarly, the initial IoT security focus is typically on the ‘micro element’ of the device – outside of the context of the corporate network – even though we know that most devices cannot securely operate without the ‘macro elements’ of applications, data stores and services. These macro elements must be in place because a device on its own does not know if it can trust messages from other components or services unless it has them authenticated by an authority that it can recognize. Our paper fleshes out both the key micro and macro security dimensions.

Development and operation

The examples of IoT security lapses provided earlier show that firms need to consider what security functions an IoT system can perform, how security and integrity are maintained and how well systems are developed to avoid security vulnerabilities. We recommend the following seven steps:

  1. Take an end-to-end view of risk – Assess risk and model/build security across the entire data flow, including devices, applications, storage, brokers and apps.
  2. Secure development – Build the components of IoT using robust development methods to reduce vulnerabilities, and then independently test the security of each component.
  3. Maintain integrity – The systems provider should accept responsibility for on-going security management; this task should not be delegated to the end customer.
  4. Preserve ‘agency’ and control – Systems should be deployed so that they only accept instructions both with the explicit consent of the customer and through channels authorized by the system vendor.
  5. Build-in resilience – Design system components to operate in an environment of hostile devices and allow restoration to a trusted state if components are compromized.
  6. Maintain future trust – Design security that is appropriate for the most sensitive anticipated usage.
  7. Seek outside assurance – There should be a level of independent verification so that the customer can trust the integrity of the system. Cyber insurance is another increasingly important option.
    Selection of solutions and standards

Many companies will choose not to develop their own IoT solutions. Instead, they will rely on the suppliers of OEM
devices, software development toolkits and even cloud services vendors. Thus effective vendor selection is now a key IoT security requirement. Unfortunately, deciding which IoT security consortia to follow and what security standards to adopt remains difficult.

Examples of some of the industry initiatives include the AllSeen Alliance (including Qualcomm, Cisco, Microsoft and many consumer product vendors), OIC – Open Interconnect Consortium (Dell, Samsung, Cisco and others), Thread Group (including NEST and ARM), HyperCat (including ARM, BT and Rolls-Royce), HomeKit (Apple) and the Industrial Internet Consortium (including GE and AT&T). There are also specific initiatives in healthcare, energy (smart grids and smart meters) and automotive (such as MirrorLink). More broadly, some of the thinking about security outside of the corporate network that originated in the Jericho Forum on the Open Group is being continued by the Global Identity Foundation.

Most of these groups are still in their early stages and they should be questioned regarding secure development and ongoing security management. The current situation remains confusing, and these issues need to be simplified if the IoT is to fulfil its potential.

Evolution and regulation

Many of the most exciting IoT benefits will come from automatic machine-to-machine communication – from one type of ‘thing’ talking to another, such as a home thermostat that turns on the heating system when your phone’s GPS knows you are heading home. Many such automatic intervention services will be possible as more IoT and communications capabilities are deployed.

However, serious risks can come when the trustworthiness of one ‘thing’ is not consistent with the security needs of another.

However, serious risks can come when the trustworthiness of one ‘thing’ is not consistent with the security needs of another. For example, there is clearly a close connection between fitness and health, and a fitness sensor monitoring heart rate can provide valuable data to a medical application. But what happens if the fitness device vendor has not adequately protected its own data or device, or if it has a different privacy policy, and sells data to insurance or marketing companies? This juxtaposition of critical/regulated applications with those of hobbies/leisure is just one illustration of the security gaps that can arise.

Regulation in these areas is still embryonic. While general data protection regulations will often apply when personal data is being captured and used, specific sector regulators are still considering the various IoT implications, and thus there are many grey areas.

Conclusions

The emergence of the Internet of Things represents an even bigger step change to the corporate information security environment than we saw with the growth of cloud computing. IT leaders should engage as early as possible with interested business-side colleagues and devise an approach that articulates a clear company IoT security strategy, positions the company within the IoT ecosystem, and puts in place the benchmarks and processes needed to keep IoT projects and initiatives on track. Our recent paper will help clients in all of these areas. We particularly recommend that CIOs seek authority commensurate with their accountability. The time to start working on these issues is now.

JOIN THE CONVERSATION

*{{ error }}
*{{ error }}
*{{ error }}
captcha
*{{ error }}
*{{ error }}
*{{ error }}

DOWNLOADS

Research Commentary

PDF (72.2 KB)

AUTHORS

David Moschella
Research Fellow
David Moschella, based in the United States, is a Research Fellow for Leading Edge Forum.  David's focus is on industry disruptions, machine intelligence and related business model strategies.  He is the project lead for our 2017 research into Disrupting ‘The Professions’ – Scenarios for Human and Machine Expertise. David was previously Research Director of the programme. David’s key areas of expertise include globalization, industry restructuring, disruptive technologies, and the co-evolution of business and IT.  David is the author of multiple research reports, including 2016 Study Tour Report: Applying Machine Intelligence, There is Now a Formula for Machine Intelligence Innovation,  Embracing 'the Matrix' and the Machine Intelligence Era and The Myths and Realities of Digital Disruption. An author and columnist, David’s second book, Customer-Driven IT, How Users Are Shaping Technology Industry Growth, was published in 2003 by Harvard Business School Press.  The book predicted the shift from a supplier-driven to today’s customer-led IT environment.  His 1997 book, Waves of Power, assessed global competition within the IT supplier community.  He has written some 200 columns for Computerworld, the IT Industry’s leading publication on Enterprise IT, and has presented at countless industry events all around the world. David previously spent 15 years with International Data Corporation, where he was IDC’s main spokesperson on global IT industry trends and was responsible for its worldwide technology, industry and market forecasts.    

CATEGORIES

21st Century
Adaptive Execution
Assets/Capabilities
Identity/Strategy
Proactive, Haptic Sensing
Reimagining the Portfolio
Value Centric Leadership

ALSO IN THIS CATEGORY

Jaws 2017 – Amazon Takes a Bite Out of Another Industry
21 Jun 2017 / By Bill Murray
Black Swans over Hounslow
09 Jun 2017 / By Glen Robinson, Bill Murray
The Word is Still More Powerful than the Sword Light Sabre in the 21st Century
09 Jun 2017 / By Dave Aron
Strategy in Business – Should I Take the Blue Pill or the Red Pill?
05 Jun 2017 / By Simon Wardley
The Unbearable Lightness of Data/ The Unbearable Heaviness of Data Protection
08 May 2017 / By Dave Aron