IoT Comes of Age

IoT is here…

The past 12-18 months have seen a significant buildup in momentum in how individuals (yes!), companies and governments deploy and take advantage of IoT devices. In my view, it has gone past the point of inflection at which considerations of cost, manageability and wide availability of device types held back adoption. Projections for the future range from "cautiously optimistic" to "wildly optimistic" depending on whether you ask a potential manufacturer, service provider, or consumer of IoT services.

The objective of this short blog is to summarise the current state of standardisation in the IoT industry, and offer some brief policy prescriptions to business leaders.

Growth in connected devices (c) Statista

The trend is also being helped by a progressive fall in the cost of IoT sensors as manufacturers ramp up production, while cost-per-unit-of-processing and cost-per-unit-of-storage continue to fall.

Cost of IoT device (USD). (c) Statista

If summer comes, can winter be that far behind?

If there was ever a marker for measuring the success of any technology, the prevalence of malware and compromises is surely one of them. Customers love "cheap-and-easy" as well as a frenetic pace of innovation. After all, it's much easier to write off 1,000 devices worth $5 each than to write off a deployment of 500 devices at $50 each. This brings together a motivated seller and a willing buyer, and pushes the nagging consequences of manageability and security forward to another day and (hopefully) a different IT Manager. And to be sure, 2018-19 has seen IoT compromises go mainstream, with serious consequences for individuals and businesses that will take a few years still to fully play out.

Is there a standard way to manage security in IoT devices?

NIST has recently published the final version of NISTIR 8228, "Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks". This gives an internationally accepted framework to deploy secure IoT infrastructure, and to demand a minimum level of compliance from equipment vendors and solution providers. A detailed analysis of the entire standard will take a separate blog altogether, but it's important to understand the key premises here. The standard identifies three high-level risk mitigation goals for IoT deployment scenarios:

  1. Protecting device security: securing the device and protecting its integrity should be a prime directive for deployment scenarios. Right from the days of the Mirai botnet, repeated compromises of different classes of IoT devices, and IT departments' subsequent struggles to patch and fully mitigate them, have demonstrated the futility of deploying insecure devices that can't be fully managed and protected. The seductive charm of "cheap and magical" technology is giving way to a sobering realization that eventual costs may far outweigh the illusory benefits promised in sales pitches.
  2. Protecting data security: protecting the confidentiality, integrity and availability of data that is acquired, processed, or merely transmitted through IoT devices. With the rise of edge computing, and increasingly "thicker" edge devices with enough computing resources and storage to even hold fully trained models locally, IoT devices are increasingly being used for deterministic decision making (e.g. triggering suppressors for leakage/fire, "allowing" access at boarding gates, etc.). Any compromise of data security can also have unanticipated second-order implications (e.g. "poisoning" of acquired data) that may go undetected for a long period of time, yet with a potential for mischief no less serious than the first.
  3. Protecting individuals' privacy: this is a very apparent, unambiguous and obvious risk mitigation goal that is already backed by a body of legislative instruments around the world (e.g. GDPR), with more underway across different jurisdictions. However, there is a very real risk that in the competitive rush to deploy IoT infrastructures, organizations are neither measuring the risks associated with privacy breaches, nor pricing those risks into their costs and product/service pricing models. There is also an aggravated risk of privacy breaches arising from the "software supply chain", where you depend on another company to acquire the data on your behalf (e.g. insurance companies depending on personal health monitors like Fitbit to track policyholders' health and tune risk models for affected cohorts of customers).

What are the implications for CIOs and CISOs?

In this blog, I want to focus on two big implications for CIOs and CISOs and a set of broad recommendations around them.

  1. Change your model for procuring and deploying IoT projects now, a.k.a. "It's never that cheap!" It's well past time that organizations acknowledge that deploying a new technology like IoT is like deploying any other technology. It does not make the real-world consequences of legal jeopardy and fiduciary liabilities go away. CIOs must ONLY procure solutions that meet, at minimum, the NIST standards, and that leave some headroom for extensibility of use-cases and manageability over a reasonable period of time. With cheap devices that ship with default, unencrypted passwords, no support for encryption and minimal support beyond an insignificant 9-12-month warranty, you are just deferring costs and liabilities, not avoiding them.
  2. Be honest about costs! Business leaders should accept the blunt truth that vendors, and teams who want to build pilots/POCs, often have a perverse incentive to significantly underestimate costs, since leadership often confuses pilots with full deployments and, wary of the costs of the latter, prevents experimentation with the former. Encourage POC teams to experiment with scenarios and use-cases that incorporate manageability and security, and create a culture where deployment projects are "fully costed". Leaders should also acknowledge that this can only come about through the right "culture" that flows from the top.
  3. Involve legal, security and privacy teams right from the pilot/proof-of-concept stage. This may result in slower pilots and "apparently" more expensive deployments, but it will serve to identify the "true cost" of deployments and help amortize it over the life-span of the assets, as opposed to facing nasty surprises 2 years into a roll-out that the organization has fully committed to.

Fortunately, enterprise IoT solutions are maturing fast, as are the public cloud service providers, who are now best placed to provide the fabric that orchestrates complex, large-scale IoT deployments across large geographic footprints. And that's another topic for another day…
