How to create a security strategy for IoT

Data captured by an enterprise IoT deployment must be kept safe if it's going to be useful. Here's how to build an IoT strategy that prioritizes security.
Written by Conner Forrest, Contributor

The Internet of Things (IoT) presents a major opportunity for collecting critical data that can be used to fuel digital transformation across the enterprise. Unfortunately, it's also one of today's biggest security risks to an organization.

The number of connected devices will top 20 billion by the year 2020, research firm Gartner predicted last year. These connected devices can help with an organization's automation and efficiency efforts, but they can be difficult to secure and often lack enterprise-grade controls.

However, with the proper security strategy in place, an organization can safely deploy IoT to meet their business objectives while protecting critical assets. Here's how IT and business leaders should go about building their security strategy for IoT.

SEE: Internet of Things policy (Tech Pro Research)

The strategy

Businesses should work to develop a specific, standalone IoT security strategy, according to Merritt Maxim, principal analyst at Forrester Research. Taking an existing security strategy and assuming it will work for IoT can be a huge mistake, he said.

Another mistake is to assume that there is an all-encompassing security solution for IoT, according to Gartner research director Barika Pace.

"The first thing I tell people is: Don't keep IoT security in a silo," Pace said. "Often times, people look for an IoT security solution and there isn't one."

IoT integrates with all aspects of security -- cybersecurity, physical security, and operational technology security, Pace said. So, business leaders must think about it in terms of a whole security ecosystem.

SEE: The rise of industrial IoT (ZDNet special report) | Download the report as a PDF (TechRepublic)

Because of the multiple layers involved with IoT security, it's also important to plan for unexpected challenges, Maxim said. "This means conducting risk assessments, simulating IoT-specific breaches, and building playbooks that prepare the organization to respond effectively but still maintain a positive customer experience," he said.

It's also key to remember that security pros are human, and can't possibly predict every threat against their IoT deployment, Maxim warned. Instead, "security teams need to forecast and document the most probable, highest-impact IoT security scenarios," Maxim said. This will help them be best prepared for a potential breach.

The hardware

IoT hardware security is very vertical-centric, Pace said. IT leaders in any market must consider the physical security of the device as well as its software, but one aspect is pertinent across all: The devices must be patchable.

"If you cannot patch those devices, that's where you become heavily at risk," Pace said.

Many legacy devices, like the CCTV cameras and baby monitors attacked by the Mirai botnet, had no means of pushing a security patch. Manufacturers are now thinking more about patchability, Pace said, but older devices should be given extra caution.

IoT security starts at the device purchasing decision, according to Patrick Daly, an associate analyst at 451 Research. At this point, a company must be able to determine if the device has the memory and compute necessary to support extra security. "If the answer is no, the company needs to weigh whether it still wants to move forward in deploying the device," Daly said.

Other red flags are the use of unchangeable, hard-coded passwords, and devices that cannot be updated over the air (OTA), Daly said. Strong authentication and encrypted communications are also key. "However, some devices are so resource-constrained that introducing encryption or cryptographic authentication would have a noticeable impact on performance," Daly said.

Additionally, enterprises should build visibility into their security strategy so that they have a clear view of the devices in their network, along with their "typical communication patterns," Daly said. This kind of information can help when inventorying devices or determining dangerous device behavior.

The data

Perhaps the most valuable result of an IoT deployment is the data collected, but if it isn't protected, it can't be used. Maxim recommends focusing security efforts on analytics, and not just the collection of data.

"IoT significantly increases the amount of available security-related data such as authentication and data usage," Maxim said. "While managing and collecting this scale of data can be challenging, it's an excellent intelligence source that will help identify potential IoT security events and allow your organization to respond quickly to new attacks."

When thinking about data, IT leaders and business executives must put their customer privacy concerns on par with their own. Many IoT devices can capture highly personal data, which can make its way to cloud-based systems and become difficult to assess, Maxim said.

"The scale and distributed nature of the IoT device data increases the risk of data misuse, whether inadvertent or malicious," Maxim said. "With new data privacy regulations such as GDPR coming in force next month, CISOs need to understand if the IoT device's data collection and use are consistent with all relevant legal, regulatory, and compliance requirements."

Compliance, overall, is one of the most difficult aspects of an IoT security strategy. "The landscape is so complex because there isn't a global standard," Pace said.

To determine what regulations apply to your IoT data, Pace said business leaders must understand the following three things:

  1. What data is being collected
  2. How that data is processed
  3. Where that data is stored

Understanding these three factors helps build the groundwork for a compliance strategy, Pace said. The organization can then work with its own legal team, or partner with someone in the region where they are operating to fully build it out.

Also see

Image: iStockphoto/artisteer
Editorial standards