An IoT deployment brings security concerns

January 26, 2016

CIOs around the globe are now embracing the Internet of Things (IoT) and are trying to determine how they’ll manage and control its deployment. For many, this will be the first time they’ll have to actively manage such embedded devices across their networks. Indeed, for some it will be the first time the walls of their datacenter have extended beyond the web portals used for customer services and other customer-facing engagement.

In the past, the growth of access to corporate IT systems and networks has been through the addition of people. Usually the sort of integration necessary, the likes of which we have recently seen as consolidation in the financial and banking sector, requires large project management teams, user-interface experts, consultants, and integration specialists for a year or more. At the most basic level, these systems serve intelligence for humans sitting behind fairly powerful compute engines.

Imagine the CIO now faced with a similar scenario. But rather than single individuals, the newcomers are many thousands of IoT sensors, actuators and gateways. Faced with connecting almost overnight, and needing to control, say, 10,000 new “users,” you can imagine the list of concerns running through the CIO’s mind.

Naturally, and rightly, the first concern is security, both of the devices and the access to the data created by these devices. Sitting at the far end of the corporate network’s reach, and potentially in remote locations, the army of IoT devices needs a strict regime of security applied to them. Attempts to attack the current firmware, eavesdrop on the data being sent, or mount a man-in-the-middle attack to change data being sent are all potential threats. To simplify life for their customers, IoT device makers will deploy an over-the-air approach to updating firmware and configuration data so that truck-rolls are kept to an absolute minimum. However, this approach could open up other attack routes unless carefully reviewed.

The second security consideration, protecting access to the IoT data, is equally complex. A number of service providers could all want access to the data generated. For example, the industrial robots within a company’s factory might be provided on a pay-as-you-go basis, where the robot manufacturer could be asking for access to the data generated. This data would more often be intertwined with critical production data that can’t be shared externally. Also, it’s unlikely there’s just one factory site; factories will be modeled as a virtual network of multiple factories.

The consequences and considerations for the firewall rules alone could be extremely complex. Firewall rules might need to be considerably changed (and they may not scale), and the appliances themselves may no longer be suitable. There is a wide range of considerations for this topic alone. Establishing domains of trust and actively controlling them is paramount. Clearly, dealing with growth in devices is more complex than a growth in people. People are typically pigeon-holed into default security profiles set up by job function and seniority. IoT devices and access to their data require a whole different approach.

This brings us to the second consideration for the CIO, data ownership, which is becoming a big concern. The correlation between IoT data generated and commercial value is very close. As many traditional capital-intensive equipment makers and other service providers are embracing the IoT, so are the companies that use their services. The basic premise is that the data generated makes their business more effective, efficient and agile; together they represent significant commercial value. Needless to say, access to it will be vital.

But who owns the data? Take the example of an industrial robot. When a manufacturer purchases the robot, a service maintenance agreement will likely be signed at the same time. It’s also likely that the maintenance company, while still owned by the robot manufacturer’s parent company, will be a separate company. In this scenario you have the robot maker, the service company, and the owner all having access to the robot and the data it generates. This data is needed by each party to run its business efficiently. The robot manufacturer will be interested in robot utilization and operational data, the service company will be concerned about key operating parameters, wear, and reliability, while the owner will want to analyze factory automation efficiency and model future capability. The data ownership boundaries blur even more if the robot manufacturer is providing the robot as an on-demand service.

The third concern has to do with infrastructure. It’s fair to say that current CIOs have gotten used to utilizing a hybrid cloud model. With such a data storage and application provision model, you typically have your own data center in-house and you’re making good use of public and/or private cloud services such as those offered by Amazon, Google, or Microsoft. Most IT departments have gravitated towards some combination of in-house, or on-premise, or in the public cloud. Even within the public cloud, providers such as Amazon would like to offer you a private area within their own cloud. They provide you with a cloud infrastructure, but you get to manage everything that goes in the cloud. You can create your own virtual firewalls to provision a secure infrastructure.

Now, the question for the CIO is how will your IoT deployment fit into the hybrid data center model? It makes sense to keep the IoT data in the cloud, but does my cloud service have the layers of business continuity and resilience necessary? Perhaps not. It would be best to store the data within my own on-premise data center. But is that scalable enough to meet the anticipated and rapid transaction growth? A well-connected infrastructure is also vulnerable to system hacks and outages in a matter of minutes. Clearly, infrastructure is a key aspect of the overall IoT solution.

There’s no doubt that use of the IoT will bring significant benefits to many organizations. It’s becoming an agent of change and having transformative effects throughout the enterprise. Like all change, it needs to be carefully planned and reviewed for the anticipated benefits to be realized. The CIO is no stranger to change, but the changes that the IoT brings can be demanding.

Dinyar Dastoor is the vice president of product management, overseeing all operating system platforms, technical marketing, and technical publications at Wind River. He brings more than two decades of embedded experience developing devices and systems in automation and process control, networking, aerospace and defense. Dastoor holds an MBA and Master’s degree in control systems.

Dinyar Dastoor, Wind River