Plan on more than one player to deliver an IoT security solution for the business scenario. You may actually use several providers for the delivery of effective security, ranging from cloud security access brokers to secure segmentation services, from encryption to scalable key management.
Your IoT network may ‘talk’ directly to a cloud service, so you may be working with several solutions and/or providers in the intermediary level of your architecture to assure that the communications is secure and the data integrity from IoT data is intact.
Remember: some of the business scenarios may involve levels of industrial or commercial engineering in their business scenarios, so you cannot think entirely like an IT security person, but as an IT/OT engineering person.
Don’t fall into the trap of believing that the only way we can deliver solutions for a business scenario is to do it using IT formats and protocols - just because you have a hammer everything is NOT a nail.
There will be some compromises about how ‘low-intelligence’ IoT devices work. Follow the intelligence within an edge-to-core business scenario. It will provide insight from a risk and feasibility perspective where you can reliably deploy the kind of security controls that are necessary.
Be prepared to customise a solution for a security product or service that does not yet exist.
This means that if your risk assessment leads you to believe that there are critical points at the edge level or intermediary level that need to have security controls applied and you cannot find a vendor or service provider to deliver the ability to deploy, monitor and/or enforce those controls, you may need to get creative.
When you reach that point, ensure that you research the markets well enough to know the difference between a developer/integrator that can create secure environments vs. one that knows how to code but can’t secure code, data or infrastructure if their lives depended on it.
It will involve doing your homework well and consulting several sources before you make a final decision.
Securing the Internet of Things IS possible, but during this first generation of IoT security you must expect to have missteps and learning moments.
We believe that this market will assume better definition and have clearer distinctions from IT and OT security within the next two years, but in the meantime expect IoT security to look much like IT security plus some unusual or unique additions.
Keep in mind the simple architectural levels I outlined above and make decisions about risk and feasibility based upon not only the available of solutions for those levels but the seams between them.
As IT security practitioners, be prepared to meet and work closely with your engineering counterparts in industry that have dealt with OT systems, systems that look very much like the technology in IoT scenarios being deployed today.
This will become more frequent as time goes on.
Don’t despair - it is getting better daily and there ARE ways to secure your IoT-infused business scenarios.
It’s time to stop admiring the problem and get to work.
By Earl Perkins - Research Vice President, Gartner