Special Feature
Part of a ZDNet Special Feature: Harnessing IoT in the Enterprise

How to secure your IoT deployment in 10 steps

Seemingly every day there's another story about Internet of Things (IoT) devices being compromised or used for large-scale attacks. Here are 10 steps to ensure that your deployment remains secure.


In nearly all cases, IoT has become almost too easy. Commodity sensors and radios make it technically simple to slap together a device and put it in the wild. Your average IT administrator would have a heart attack if you left a laptop configured to access your corporate networks, with a password of 'default', in the local coffee shop, yet this is effectively what occurs with many IoT deployments.



At the end of the day, you're essentially shipping a tiny computer that presumably has access to your intellectual property. Consider the security implications just as seriously as you would any other connected device. Here are 10 ways to do that.

1. Make security a feature

Perhaps the biggest security risk to an IoT deployment is considering security as an afterthought. Plan for security as you design the features and functionality of your IoT products and services, and you'll address and resolve important technical and product questions early, rather than at the last minute.

2. Don't buy into 'security through obscurity'

I've seen a variety of initiatives where 'security through obscurity' was the prevailing attitude, basically suggesting that the devices in question were deployed in small numbers, or were so unappealing to hackers in the context of the connected universe, that security could be largely ignored. This is a recipe for disaster, especially since IoT devices can often access non-public networks, contain personal data, or connect to critical infrastructure ranging from medical devices, to industrial controls, to devices sitting in a child's bedroom. Your deployment may only be a couple of dozen IoT devices, but that's no excuse to hardcode passwords as 'abc123'.

3. Consider security as cheap insurance

You would probably avoid specifying a component in your IoT device that's known to burst into flames, even if that component saved a few bucks, as it would obviously create significant long-term risks and expensive mitigations ranging from recalls to legal costs. Make a similar calculation with IoT security. There are plenty of real-world examples of the significant costs of poorly planned IoT security that demonstrate that it's often a much cheaper proposition to invest in security during the design phase rather than after your IoT devices are 'in the wild'.

4. Play hacker

During your design process, consider what aspects of your IoT deployment might be of interest to hackers. A connected car would obviously attract people attempting to unlock or remotely start the vehicle, while a connected camera would interest someone attempting to view video and photos. Consider in your planning that IoT devices are essentially tiny computers. If a hacker could gain access to one of your IoT devices, would he or she have access to a secured network? Could he or she marshal the resources of thousands of your devices to launch a Denial of Service attack? Might a compromised device reveal aspects of your product or intellectual property? With an understanding of what's at stake, you can better plan your mitigation.

5. Go for the minimum

It's always tempting to gather and record as much data as possible. With cheap sensors, it's easy to capture more than you intend to use. However, the more data your IoT device collects, the higher the stakes should the device be compromised. Just because you can capture information doesn't mean you should.

6. Check all your components

Perhaps you've built a bulletproof application, tested it extensively, and closed all the likely attack vectors. That's all well and good, but if your IoT device runs a dated OS riddled with well-known vulnerabilities, all your work may be for naught. Again, consider your IoT device as a tiny computer, where security could be compromised at the network, OS, or application layer. Furthermore, those libraries and toolkits that sped your development along could also introduce their own vulnerabilities that must be monitored and mitigated.

7. Provide an update capability (as long as it doesn't present a backdoor)

No-one can develop a completely secure system, especially one that's connected to a public network, and invariably new risks will be identified long after your product is released. Therefore, build an update capability into your product that allows you to push security updates as necessary and, depending on the IoT application, without manual intervention at the device. Be sure to consider the security risks of this capability as well. Done poorly, an update capability is the perfect opportunity for nefarious actors to take over your devices.
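What separates an update channel from a backdoor is that the device accepts only images the vendor has signed, and never an older one. The following Go program is an added example written for this article, not code from ZDNet or from any vendor's product; the manifest layout, the Ed25519 key pair and the sample image bytes are all constructed for illustration. The device holds only the vendor's public key and its installed version number, so there is no secret on the device worth extracting.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed, minimal update manifest: the image version, the
// SHA-256 of the image bytes, and the vendor's signature over both.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// Outcomes a device can report back to the fleet-management service.
var (
	ErrBadSignature = errors.New("update rejected: manifest not signed by vendor key")
	ErrHashMismatch = errors.New("update rejected: image bytes do not match manifest")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// signedBytes is the exact byte string the signature covers: the version in
// big-endian form followed by the image hash. Signing the version too stops a
// validly signed old image being re-labelled with a newer version number.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+len(hash))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// GenerateVendorKey creates the signing key pair. The private half belongs in
// the vendor's release system; only the public half is burned into devices.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest is the release-side step: hash the image and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	hash := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: hash,
		Signature: ed25519.Sign(priv, signedBytes(version, hash)),
	}
}

// VerifyUpdate is the device-side gate. It needs only the pinned vendor public
// key and the currently installed version.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	// 1. Authenticity: the manifest must carry a valid signature from the vendor key.
	if !ed25519.Verify(vendorPub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	// 2. Integrity: the delivered bytes must be the image the manifest describes.
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	// 3. Anti-rollback: refuse to "update" to a version whose holes are already fixed.
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // stand-in for a real binary
	m := SignManifest(priv, 2, image)

	fmt.Println("genuine v2 offered to a v1 device:", VerifyUpdate(pub, 1, m, image))
	fmt.Println("same v2 offered to a v2 device:   ", VerifyUpdate(pub, 2, m, image))
	fmt.Println("tampered image:                   ", VerifyUpdate(pub, 1, m, []byte("modified")))
}
```

The three checks are deliberately ordered so that nothing about the image is trusted before the signature passes; the rollback check is what keeps a fleet from being quietly downgraded to a version with a known, patched vulnerability.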

8. Use the right hardware

Ideally, your IoT platform will embed security into the physical hardware, with everything from tamper-resistant packaging to trusted platform modules that incorporate security in the silicon. Where this is not possible due to cost or technical limitation, vet the vendors of your core components and look at their track record of responding to security incidents. If a problem is identified in a core hardware component, can you mitigate it through application code or firmware updates? If not, how is the burden of physical updates handled?

9. Map your system, end to end

IoT security doesn't end at the device, and you should consider the backend platforms and applications that connect with your devices as part of your overall security planning. Map out every system, the underlying OS and hardware, and versions of each. Ideally, you'll already have this level of diligence and supporting infrastructure in place, and if not, consider it a cost of entering the IoT space. Regularly track vulnerabilities to this 'IoT inventory' and mitigate accordingly.
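Steps 6 and 9 both come down to the same mechanical task: keep a list of what every device runs at which version, and match it against vulnerability notices as they arrive. The Go program below is an added example for this article, not code from ZDNet or any product; the inventory rows, the advisory format and the advisory IDs ("ADV-EXAMPLE-1", "ADV-EXAMPLE-2") are constructed placeholders. It also shows the one edge case that trips up naive checks: versions must be compared segment by segment, so that "1.10" is newer than "1.9".

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Component is one row of the IoT inventory: a device, something it runs
// (OS, firmware module, library), and the exact version.
type Component struct {
	Device  string
	Name    string
	Version string // dotted numeric, e.g. "1.0.2"
}

// Advisory is a simplified, constructed vulnerability notice: the affected
// component, the first affected version (inclusive) and the fixing version
// (exclusive; empty means no fix has been released yet).
type Advisory struct {
	ID          string
	Component   string
	MinAffected string
	FixedIn     string
}

// Finding pairs an inventory row with the advisory that applies to it.
type Finding struct {
	Device, Component, Version, AdvisoryID string
}

// segment returns the i-th numeric segment of a split version, or 0 past the end,
// so "2.4" compares equal to "2.4.0".
func segment(parts []string, i int) (int, error) {
	if i >= len(parts) {
		return 0, nil
	}
	return strconv.Atoi(parts[i])
}

// compareVersions orders dotted versions numerically per segment (-1, 0, 1).
func compareVersions(a, b string) (int, error) {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, err := segment(as, i)
		if err != nil {
			return 0, fmt.Errorf("bad version %q: %w", a, err)
		}
		y, err := segment(bs, i)
		if err != nil {
			return 0, fmt.Errorf("bad version %q: %w", b, err)
		}
		if x < y {
			return -1, nil
		}
		if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// isAffected reports whether version v lies in [MinAffected, FixedIn).
func isAffected(v string, adv Advisory) (bool, error) {
	c, err := compareVersions(v, adv.MinAffected)
	if err != nil || c < 0 {
		return false, err
	}
	if adv.FixedIn == "" {
		return true, nil // nothing to upgrade to yet; still exposed
	}
	c, err = compareVersions(v, adv.FixedIn)
	return c < 0, err
}

// AffectedComponents walks the inventory against the advisory list and
// returns every (device, component) pair that still needs attention.
func AffectedComponents(inv []Component, advs []Advisory) ([]Finding, error) {
	var out []Finding
	for _, c := range inv {
		for _, adv := range advs {
			if c.Name != adv.Component {
				continue
			}
			hit, err := isAffected(c.Version, adv)
			if err != nil {
				return nil, err
			}
			if hit {
				out = append(out, Finding{c.Device, c.Name, c.Version, adv.ID})
			}
		}
	}
	return out, nil
}

// Constructed sample data: three devices and two made-up advisories.
var sampleInventory = []Component{
	{"gateway-01", "gateway-os", "3.2.0"},
	{"sensor-17", "tls-lib", "1.0.2"},
	{"sensor-18", "tls-lib", "1.1.0"},
}

var sampleAdvisories = []Advisory{
	{"ADV-EXAMPLE-1", "tls-lib", "1.0.0", "1.1.0"}, // fixed in 1.1.0
	{"ADV-EXAMPLE-2", "gateway-os", "3.0.0", ""},   // no fix yet
}

func main() {
	findings, err := AffectedComponents(sampleInventory, sampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s %s affected by %s\n", f.Device, f.Component, f.Version, f.AdvisoryID)
	}
}
```

With the sample data, gateway-01 is flagged because no fix exists for its OS, sensor-17 is flagged because 1.0.2 sits inside the affected range, and sensor-18 is clean because it already runs the fixing version. In a real deployment the inventory would be fed from device telemetry and the advisories from the vendors' feeds, but the matching logic is the same.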

10. Perform some 'IoT estate planning'

No one likes to think about their demise, but even in the realm of IoT devices you should consider what happens to these devices when the product or deployment reaches its end of life. Too many companies think that sending an email or two notifying customers that their devices are no longer supported is the perfect excuse to stop monitoring and updating them. Communicate with your customers what happens when the product reaches the end of its lifecycle, or your company discontinues support of the product. You may even consider disabling devices that are no longer supported, or requiring users to explicitly 'reactivate' the device in an unsupported mode with full awareness of the security implications. Reading up on the difficulties Microsoft had discontinuing Windows XP should provide some measure of awareness before you release your 100-million device product upon the world.



Internet of Things in the enterprise: The state of play

The Internet of Things can be a major driver of digital transformation, enabling new business models based on widespread devices and new data streams -- if you can cope with the immature ecosystems.


For enterprises, the Internet of Things (IoT) currently represents something of a double-edged sword. On the one hand there are manifold opportunities to boost the efficiency of products and services, create new revenue streams and reduce operational costs by connecting all manner of devices ('things') to the internet and analysing the data they generate. On the other hand, this is still an immature market in which architectures, technologies, standards and vendors are all moving targets, making investment a risky business. In particular, security is a major worry when it comes to the IoT.



According to Gartner's Nick Jones, the IoT will be a 'long tail' domain, with 'things' ranging from automotive subsystems and security cameras to Bluetooth beacons, smart garments, agricultural crop sensors and many more. In the near term, 'consumerization' will play an important role, and all sorts of smart devices will find their way into businesses, causing headaches for IT managers (say hello to 'Bring Your Own Thing', or BYOT).

Meanwhile, 'official' enterprise IoT deployments will concentrate on a relatively small number of use cases that can deliver demonstrable business value, says Jones. These include predictive maintenance (of HVAC systems, for example), energy saving in smart buildings, automatic replenishment (of anything from fuel tanks to beer kegs), vehicle fleet management and monitoring of assets and people.

Looking further ahead, the IoT clearly has the potential to be a major driver of digital transformation, enabling new business models based on widespread internet-connected devices and the resulting data streams. CIOs will need to keep an eye on such long-term prizes while extracting business value from today's immature -- and therefore somewhat confusing -- IoT ecosystems.

What does today's IoT market look like? In October last year, research/analyst firm Venture Scanner organised the 1,428 IoT startup companies it was tracking into 20 categories. These businesses were spread across 46 countries and had amassed a total of $25 billion in funding (as of January 2017, the numbers had risen to 1,544 IoT startups, 47 countries and $27bn).

In terms of the number of IoT companies there's a clear consumer bias, with Home, Healthcare, Lifestyle and Fitness all making the top five:

Image: ZDNet / Data: Venture Scanner

However, when it comes to average funding levels, the clear leaders are Enterprise with around $78m per company and Utilities/Energy with around $69m per company:

Image: Venture Scanner

To get a handle on how enterprises are currently approaching the IoT, analyst firm Machina Research conducted a TIA-commissioned survey in March/April 2016 covering 200 business decision makers in US companies with annual revenues of at least $10 million (average annual revenue was $425m). The main industry sectors represented were manufacturing, banking/finance, technology and healthcare.

The survey confirmed widespread interest in the IoT, with nearly half of companies (48%) already actively using IoT technologies, and a further 43 percent planning or expecting to deploy within two years (i.e. by March/April 2018):

Image: Machina Research/TIA

Naturally, at this stage in the game, companies will have to expend considerable effort to integrate IoT solutions with legacy business systems. According to the Machina/TIA survey, just over three-quarters of companies (76%) will be exclusively or primarily focused on this through 2017, with 60 percent expecting to be so occupied through 2020.

Today's enterprise IoT landscape is a crowded and potentially confusing mix of specialist service providers, enterprise technology companies, cloud providers, telcos and systems integrators. All are in the business of helping companies to integrate IoT devices with traditional enterprise systems via communications channels (usually wireless), gateways and custom IoT software platforms, with analytics and security baked in at multiple levels.

Image: Forrester Research

According to the 2016 Machina/TIA survey, enterprises currently tend to choose systems integrators as trusted IoT partners, followed by 'IoT/M2M end-to-end providers using standardized cellular technologies', business software platform companies and 'IoT/M2M end-to-end providers that use low-cost proprietary networks and technology'. Together, these four categories of IoT solution provider account for three-quarters of the survey population:

Image: Machina Research/TIA

Whatever species of IoT solution provider you are, there's a multitude of technologies to master, some or all of which may be required in any given deployment. Gartner's Nick Jones, for example, highlights IoT device management, low-power short-range and wide-area networks, IoT processors, IoT operating systems, IoT gateways, event stream processing, IoT analytics and data science, IoT platforms and IoT security tools.

No wonder many enterprises are currently content to partner with systems integrators and other third parties. However, as today's fluid and highly fragmented IoT ecosystem consolidates over the next few years, more businesses should gain the experience and confidence to carry out their own in-house IoT implementations. In 2016, only two percent of the Machina/TIA respondents were attempting this.

Several IoT technology areas have multiple contenders to choose from. In low-power short-range wireless networks, for example, there is Zigbee (and other IEEE 802.15.4-based PANs), ZWave, Bluetooth (4 and 5), DASH7, WiFi, NFC and WiGig. Several options are available for low-power wide-area networking too, including proprietary technologies like Sigfox, incumbent 2G/3G cellular networks and NarrowBand IoT (NB-IoT) -- the latter being the likely long-term winner.

Elsewhere, Forrester recently evaluated 11 leading vendors in the IoT platform space (and there are many more out there), namely: AWS IoT; Ayla Agile IoT Platform; Cisco Jasper Control Center; Murano IoT Platform by Exosite; GE Predix; IBM Watson IoT Platform; Xively by LogMeIn IoT Connected Product Management Platform; Microsoft Azure IoT Suite; PTC Thingworx; SAP Hana Cloud Platform IoT Services; and Zebra Technologies' Zatar IoT Cloud Service. The analyst firm identified four 'leaders' based on the strengths of their current offerings and strategic outlook:

Image: Forrester Wave: IoT Software Platforms, Q4 2016

IBM's Watson IoT Platform was praised for its advanced functionality (including augmented reality, cognitive capabilities, blockchain, edge analytics, analytics tooling and natural-language processing), strong open-source focus and robust global partner ecosystem.

Thingworx got kudos for its broad wireless protocol support (short-range and WAN), strong digital twin functionality and wide range of prepackaged applications. PTC's 2015 Vuforia acquisition also gives it class-leading AR capabilities.

GE's Predix focuses on industrial IoT deployments, majoring on remote monitoring, advanced predictive and edge analytics and class-leading digital twin capability.

The fourth of Forrester's 'leaders', Microsoft's Azure IoT Suite, offers preconfigured solutions for predictive maintenance and remote monitoring, drawing on services such as IoT Hub, Notification Hubs, Machine Learning and Stream Analytics. Microsoft's IoT platform also garnered praise for its strong roadmap and global reach.

As we've noted, there are many use cases and business models in the IoT space, and so it's no surprise, at this stage in its evolution, to find multiple standards bodies, consortia and tech industry heavyweights involved in the quest for interoperability.

In February last year, for example, analyst firm IHS published an overview of 'the most influential associations and standards bodies' in the IoT space, and came up with profiles of no fewer than 55 entities, which it grouped into broad use-case categories. These were: Industrial Internet (6); Smart Home (18); Smart City (7); and Cellular/Telecommunications Connectivity (12), plus 12 further technical standards bodies.

These entities include proponents of various protocols and connectors, standards bodies such as the service-layer-focused OneM2M, and industry groups like the AllSeen Alliance (which recently merged with the Open Connectivity Foundation) and the Industrial Internet Consortium. Then there are individual industry heavyweights promoting their own IoT ecosystems -- Apple, Google, Samsung and Amazon in the consumer market, and Cisco, Intel, IBM and others in the business/industrial market.

As in many areas of the IoT, there are undoubtedly shakeouts and consolidations to come in the standards arena -- yet another thing for hard-pressed CIOs to keep an eye on.


The IoT genie has escaped the bottle in the consumer space, particularly in the 'smart home' category, and the drawbacks of a rush to market are all too apparent in the security incidents that regularly hit the headlines. CIOs need to take note of these pitfalls, and deploy robust enterprise IoT solutions that not only deliver business value, but are also safe from the attentions of bad actors. That won't be easy in the short term, as they'll be dealing with technologies, standards and ecosystems that are undergoing rapid change. However, the long-term rewards for those who get it right should be well worth the trouble.
