The Internet of Things, the multi-point connection of physical-first products and their exposure to digital applications, represents the next frontier for the cybersecurity industry. Certainly, the Things in the IoT are having a significant impact on companies, and their adoption and integration are radically transforming both companies and competition. Professor Michael Porter and James Heppelmann, CEO of PTC, dive deep into this transformative change in their Harvard Business Review article, How Smart, Connected Products Are Transforming Companies. Inevitably, the role of security needs to be critically revised and adapted to this new environment.
While recent media coverage has sought to expose the more sensationalist elements of hacked toilets and spamming fridges, the implications should not be brushed aside as mere hype. The issue of vulnerable Things is no less significant, because it highlights the worrying trend that secure product development is not the norm among manufacturers and application developers. This omission is driven primarily by market forces (security is still seen as an added cost) and by the lack of uniformity in applying security across people, processes and objects.
Overwhelmingly, though, cost is the factor that comes into play most when considering security. The trade-off between cost and benefit is all too familiar in the security landscape. Does the cost of implementing security justify the risk? Unfortunately, risks are difficult to quantify in the IT landscape, and even more so at the IoT level, because new variables need to be factored in (such as the cost to human safety when using cyber-physical systems). The ramifications are sometimes difficult to see in the complex heterogeneous networks (hetnets) that form the fabric of the IoT. While technicians and engineers may well understand the risks, these are always difficult to translate to the C-level, not least because they need to be rendered as financially defined risks.
The IoT is not alone or unique in being plagued by the difficulty of resolving cost/benefit dilemmas. These issues are not unresolvable, but they sometimes require drastic changes in mindset, even for the main protagonists pushing smart, connected products. They can be implemented, and they are being put into effect by a small but dedicated niche of vendors keen to provide a solid foundation for the continued emergence of the IoT.
Ultimately, security considerations for the IoT need to apply to people and processes as much as to the intelligent objects themselves. On the people side, this involves defining, applying, and auditing security practices and rules. With regard to processes, information security risk assessments and strategies need to be put in place; security controls should then be implemented, and processes monitored and updated accordingly. The security considerations are as broad as they are varied and include: key management (embedding keying material at manufacture and provisioning new keys during operation), hardware anti-tampering security modules, ensuring processes for secure software development, establishing and provisioning access control policies, and managing software updates and patches, among other tasks.
In large part, the various considerations for hardware, software, or network-level security can be addressed more effectively at the start of a product development project. Internally, the process should involve not only the product development team (such as the engineers or dev-ops teams), but also, for example, the IT and security department, privacy officers, and lifecycle management executives, among others. External factors also need to be included in this process, with consideration given to the underlying transport infrastructure, the impact of heavy usage, the potential damage in case of subversion or compromise, the protection of the product’s own intellectual property, etc. The difficulty, of course, is that there is no holistic view or end-to-end security architecture for IoT security. The various phases and composite elements need to be looked at individually, and various security technologies applied all along the process. This does not mean that one cannot be created; on the contrary, security design and lifecycle management are possible through effective collaboration from inception and equal dedication to ensuring security is understood and applied for people, processes and technologies.
This is the eighth installment in a series of guest posts by leading industry analysts covering topics found in the new Harvard Business Review article, How Smart, Connected Products Are Transforming Companies, co-authored by PTC CEO Jim Heppelmann and Harvard Business School professor Michael Porter.