Security issues with smart, connected devices have been in the news quite a bit recently. From baby monitors being hacked to NEST thermostats leaking user data, there is growing concern over data security and privacy in this age of the Internet of Everything.
Just this week in the National Intelligence Assessment, the national security assessment of the US government, cyber security and the Internet of Things stood out as the two biggest security concerns.
This level of concern over IoT security is not “new” for manufacturers of smart, connected devices, but it does amplify the issue and pressure for device makers to make sure security is a top priority within their IoT strategy. This topic has been debated and discussed throughout the industry and is especially gaining momentum as more and more enterprises increase their IoT initiatives. Last year, it was one of the most popular panel discussions at LiveWorx 2015 with participants engaging in an insightful discussion around how to support and protect connected products and applications against viruses and hackers. And a recent survey by Internet of Things World USA found data security and privacy concerns as one of the primary non-technical IoT challenges that companies have when implementing IoT strategies.
Many concerns center on securing data but the security of smart, connected devices can often times mean a lot more than just data. In a recent Harvard Business Review webinar, PTC CEO Jim Heppelmann said “a lot of times when we think of security we think of data compromise, somebody's going to steal credit card numbers. But here we're potentially talking about control compromise, which is somebody is going to gain control of an automobile or a product in the factory or what have you, and that's a much graver concern.”
With all of the fear over data and control breaches, manufacturers have definitely made security a priority. But many struggle to overcome this obstacle and are evaluating and adapting their internal processes and systems to address the security of their connected devices. Add to this a shortage of talent with information security skills and the complexity of this issue for manufacturers grows. Among the many questions that arise over how to secure devices, a recent study by TEKsystems found that information security experts are cited as the most difficult skill set to find.
Addressing the security challenge
What is the best way to address the challenge of IoT security? Manufacturers are already finding that their organizational structures need to be assessed and modified to meet the requirements and challenges of IoT. The issue of security is certainly among the IoT challenges making an impact on organizational structure. It is an issue that affects multiple areas of a company not just IT and organizations must figure out how to reorganize their internal infrastructure to make sure that the appropriate stakeholders are involved in the strategy and process to address the security challenge.
There are a lot of recommendations on how to effectively address the issue of IoT security.
An article in ReadWrite on IoT security concerns this past week highlights a 2015 report from the Federal Trade Commission (FTC) on IoT privacy and security that issued recommendations for companies that create and develop IoT devices that included “build security at the outset, rather than as an afterthought in the design process” and “monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.”
Heppelmann echoed the sentiment that security needs to be part of a product’s design process in the recent Harvard Business Review webinar. “We're going to have to think about, "How do we design security in?" We're not going to just be able to have virus control and add patches later. We're going to have design for security and make that a first principle in the engineering phase of the product design.”
The Harvard Business Review article “How Smart Connected Products are Transforming Companies”, co-authored by Harvard Business School Professor Michael Porter and PTC CEO Jim Heppelmann, says there should be shared responsibility for security and that for most companies executive oversight of security is in flux. “Security may report to the chief information officer, the chief technology officer, the chief data officer, or the chief compliance officer. Whatever the leadership structure, security cuts across product development, dev-ops, IT, the field service group, and other units. Especially strong collaboration among R&D, IT, and the data organization is essential.”
The issue of security is not going to go away and is one that any company on the IoT journey will have to commit considerable time and resources on in order to secure their brand and maintain their customer’s trust in their products and devices.