
8 IoT Security Strategies and Advice From Experts

IoT security is a different animal than IT security. Two experts share feedback on how to minimize IoT-related cyber risk. 
  • Written by Brian Buntz
  • 26th November 2019

The expanding attack surface of the Internet of Things opens up dangerous new vistas for adversaries ranging from script kiddies to elite nation-state actors. Complicating matters is a shortage of qualified cybersecurity talent and a confusing bubble of hype around several technologies intended to help organizations safeguard their networks. 

To help you get a handle on the challenge IoT security can pose, we spoke with Sean Peasley, a Deloitte Risk and Financial Advisory partner and IoT security veteran, as well as Andrew Howard, the chief executive officer of Kudelski Security. They weigh in on everything from the cybersecurity skills gap, the challenge of minimizing supply chain risk and the hype surrounding everything from AI to 5G. 


1. Have Realistic Expectations Regarding Cyber Talent 

It’s common knowledge there is a shortage of experienced cybersecurity professionals. But assessments that there is or soon will be a shortfall of millions of cyber workers in a handful of years can engender a degree of hopelessness in organizations seeking to defend their networks, IoT devices and IT systems. 

“This topic [around the cybersecurity skills gap] seems to always be the number one thing people want to talk about with cybersecurity,” Howard said. But discussions on the subject can at times veer off course. While the cyber talent scarcity is real, “frankly, there is a shortage in all markets,” Howard said. The unemployment rate in nations ranging from the U.S. to Germany to Japan to the United Kingdom is less than 4%. Rather than seek to find a cyber MacGyver, organizations seeking cyber talent should ask which types of professionals they can likely attract in the short term to help them quantifiably reduce their cyber risk.

In the cybersecurity market, a large degree of the need is for analysts, Howard said. “I think at the top end of the cybersecurity org chart, there’s not a shortage of [experienced] employees,” Howard explained. “You might make an argument that there’s a shortage of qualified employees, but what I see is when companies are not having a hard time finding CISOs or lieutenants. They’re having a hard time finding CISOs or lieutenants they can afford — just because there’s so much demand.” 

2. Make Sure the Candidates You Do Hire Are Well-Qualified and Compensated

It can be wise to embrace nontraditional strategies when buttressing your cyber workforce, but one pitfall is to skimp on qualifications when hiring workers for senior roles. “What I see that is concerning is that, on a consistent basis, I speak with potential clients, who have woefully underskilled cybersecurity leaders in their space,” Howard said.

Yes, the cybersecurity shortage is a contributing factor to this problem. But another element is the lack of understanding by boards and leaders such as chief executive officers and chief information officers of what skills are vital for cyber leaders. “There’s often an under-appreciation for what you have to pay for the type of expertise that is in demand,” Howard said.

3. Keeping Track of Third-Parties Isn’t Enough for Supply Chain Security 

Last year, Bloomberg published an article titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” The story sparked controversy, with Amazon, Apple and Supermicro all taking issue with the reporting. While the facts of the article remain disputed, the piece did draw attention to the threat of supply-chain attacks. In general, Deloitte recommends organizations carefully consider the potential security ramifications of third-party software, hardware and services.

For one thing, there are a growing number of stories indicating threat actors are looking at the supply chain to target their victims. For instance, the European aerospace firm Airbus has been targeted as part of a coordinated attack on its suppliers. Earlier this year, Wired reported on a supply chain attack targeting at least six organizations.  

Large organizations can sometimes have thousands of third-party suppliers, and potentially thousands more fourth- and fifth-parties, Peasley said. While smaller firms tend to have a smaller supplier base, the focus on the supply chain is equally important. “Whether it’s a supplier that puts a subcomponent into a product that you might build, or whether it’s a software product that you utilize, [organizations] need to think of all the different cyber aspects of the types of data that they use, and the types of things that might be embedded into your environment or your product.”

4. Aligning IT and OT Teams Is Vital for Cybersecurity, Too

The integration of information technology (IT) staff with operational technology (OT) workers is a perennial theme in many industrial and enterprise IoT contexts. In terms of cybersecurity, the prospect of integrating IT and OT can be daunting because cybersecurity traditionally is the focus of the former camp. Traditionally, securing an OT environment such as a factory or a refinery meant keeping unauthorized personnel out of restricted areas. Now, it includes the prospect of preventing hackers from meddling with systems that could potentially cause a catastrophe. “OT security is in demand right now,” Howard said.

Similarly, IT security professionals who have landed careers in industrial contexts would be wise to study traditional safety programs inherent in operational technology contexts. Many industrial organizations have had safety programs for decades. Peasley said traditional IT security professionals whose duties extend to operational technology need to have a similar mentality around security, while carefully considering potential safety ramifications of connected devices in, say, a refinery or factory.

5. Security Standards Can Help Codify a Secure by Design Mentality

The term “secure by design” gets tossed around frequently these days, but it isn’t always easy to quantify what it means. Peasley recommends looking to standards and regulations for best practices. “Look at the NIST standards, some of the IEEE standards, ISA/IEC 62443,” he said. Those documents include helpful information on designing security into industrial products as well as testing and certifying those products, and coming up with an effective post-market cybersecurity strategy. IoT security involves “a different mindset compared to the enterprise” and the prospect of securing “traditional network devices and infrastructure devices,” he said. For instance, a connected device in an industrial or medical environment will likely need to be up and running 24 hours a day, 365 days a year. “There are often different constraints than in an operational technology environment than you would have in an enterprise environment,” Peasley said. In such cases, standards can help formalize a comprehensive security strategy that stipulates how to train staff ranging from developers to engineers, while routinely assessing the organization’s cybersecurity posture.  

6. Temper Hype around New Technologies with Pragmatism

It’s hard to avoid sweeping statements that technologies ranging from artificial intelligence to the introduction of 5G will have an enormous impact on cybersecurity. 

Howard is dubious about the widespread use of the term artificial intelligence. “My perspective on AI is that there’s way too much hype,” he said. “I struggle with this personally — just being able to differentiate what I would consider artificial intelligence, which is machines making independent decisions based on mathematical models versus just smarter software.” 

That said, there is still value in deploying machine learning to detect anomalies that could indicate a security breach. In the broader IT landscape, the term artificial intelligence for IT operations (AIOps) has become mainstream. Deloitte recommends embracing this strategy and unifying it with a secure by design approach, which spans development and operations (known as DevSecOps). 

In terms of how the rise of 5G might affect IoT security and cybersecurity in general, Howard recommends studying prior generations of cellular technology to get an indication of the likely future. “It’s my guess that [the debut of 5G] will follow the typical kind of vulnerability curve that you saw with 3G, 4G/LTE, LTE-M, etc.,” he said. In other words, once the standard goes live in the real world, there will be an uptick in inbound attacks.

Once the high-bandwidth flavor of 5G becomes commonplace, it could lead to a rush to expand the wireless capabilities of many types of IoT devices. “You would be connected to a lot of devices that were never intended to be connected,” Howard said. 

7. Edge Computing Isn’t a Security Cure-All

One of the central marketing pitches for edge computing is its purported benefits in terms of cybersecurity. The underlying logic in that premise is that pushing computing out as close as possible to where data is generated makes it more difficult for an attacker to target. While that may be true to a certain extent, there’s a double-edged sword element to that fact. “Often, on the edge, you just don’t have the security controls that you might have back in a more centralized architecture,” Howard said. “I get worried when I hear someone say: ‘I’m going to do everything at the edge.’”

Analysts such as Gartner don’t see edge computing as representing a pendulum swing away from centralized computing models. Instead, they view it as a complement. From a security perspective, the prospect of commonplace hybrid edge-cloud models heightens the importance of using secure anonymization controls in the metadata that is sent to a cloud or core data center. “When you say ‘edge computing,’ you are basically pulling features out of big data sets, and then sending the features back to the centralized data store,” Howard said. 

In any event, Howard stresses he sees the cloud being a default model for many use cases. “Data storage in the cloud is so inexpensive that, unless you are doing heavy querying, storing in the cloud is probably a reasonable thing to do.” 

8. Automation in Cybersecurity is Also a Threat

There may be significant hype around the subject of artificial intelligence, but, in truth, there is a growing amount of automation in cybersecurity — both in terms of offense and defense. While not exclusively IoT related, one example illustrating this principle is phishing. Prominent OT cybersecurity attacks such as the cyber-induced Ukrainian power outage in 2015 had roots in a routine phishing attack. Given the availability of software tools on the dark web to help attackers streamline their campaigns and conduct research on their targets, Howard sees targeted phishing campaigns known as spearphishing getting worse over time. “We hear [about this fact] from clients,” Howard said. “Spearphishing is a lot more believable now.”
