OK, let’s get the blah-blah-blah out of the way.
IoT is a huge market opportunity.
It is transforming how data is created, captured, and harnessed for business advantage.
Tens of billions of smart devices will be connected to each other within the next few years.
If your organization doesn’t have a comprehensive IoT strategy, you are falling behind.
IoT must be part of your cybersecurity strategy from the start.
Yeah, yeah. It’s all true. So what?
The second-most-important thing you need to know about IoT security is this: As exciting and important as IoT has become—and will become—for your organization, it also is dramatically expanding your cyber threat vectors. The more you make IoT an integral part of your products, services, and business processes, the more you have to pay attention to risk. If you can put a chip in it, slap a sensor onto it, connect it to the cloud, or network it to your data center, it can be hacked.
And what’s the most important thing you need to know about IoT security?
You can’t solve the problem of IoT security by hiring more security analysts, buying more tools, or subscribing to more threat intelligence services—at least, not just by doing those things. Actually, each of those things is a necessary part of your IoT security strategy. But you need to do more.
Specifically, you need to make automation the linchpin of your IoT strategy. More specifically, your focus on automation has to be centered on, but ultimately go far beyond, IoT security. Your approach to automation needs to include a commitment to automating the entire network stack, your applications, your devices of every manner and function, and your IoT-transformed business processes. As important as it is to automate IoT security, don’t fall into the trap of doing automation in a piecemeal manner. If you don’t look at automation in a holistic, end-to-end fashion, you’ll end up with “automation silos” just like IT organizations built “islands of information” without any clean, efficient, or reliable connectivity among the data.
The reality is that all those IoT devices—from onboarding to implementation to ongoing management—are creating holes in your systems. And those holes are causing more network threats, especially with the increased use of network technologies such as cellular, WiFi, virtualization, and micro-segmentation. “If you’re just automating security for your little IoT project, attacks are slipping between the cracks of your automation,” according to Jamison Utter, director of business development at Palo Alto Networks. “Attackers are coming in from different angles—Bluetooth, RFID, WiFi—and the firewall sees them as separate events and doesn’t recognize the big picture. Only automation ties that together, and it has to be planned and implemented across the entire network stack. Hiring more security analysts helps, but it’s not nearly enough.”
The other thing to keep in mind here is that the sheer volume of smart devices being added to the network grid, and the astonishing rate at which that is happening, has put too much pressure on already-overworked, typically under-resourced internal teams of security analysts and monitoring tools. “We must find a way to automate up and down the architecture—infrastructure, applications, processes—in order to avoid the fire drills of early-generation IoT security,” said Utter. “Comprehensive automation gets us out of the ‘detect and respond’ mindset and replaces it with one centered on prevention—stopping the threats before they propagate across the network.”
He’s not alone in thinking that way. Research indicates that the vast majority of networking and communications decision-makers consider automating network connectivity to be essential to successful, secure IoT programs over the long haul.
So, forget about the big numbers your board presentations use in talking about IoT—billions of smart devices, trillions of dollars in added economic value, and so on—and focus on broader, more pragmatic issues. For instance, retailers should shift their thinking from how to implement item-level RFID on their merchandise to ensuring that their systems, workflows, processes, devices, and applications are automatically recognizing and communicating with each other securely.
If you bring a new handheld computer into your store to scan merchandise, or tote it out to your loading dock to check in pallets of goods, it has to be recognized immediately and automatically by your systems. If not, you have a big, big security problem, and it won’t matter if you’ve engineered security into that device.
Bottom line: If your IoT security automation focuses primarily or exclusively on devices or applications, you’re leaving a huge hole for the bad guys to exploit. And they will.