As more Internet of Things (IoT) systems come online across a range of industries, processes that are normally carried out with some level of manual oversight will increasingly be automated. While this will bring fantastic new capabilities and efficiencies, there are many potential impacts on the security of systems and networks that need to be better understood.
Each of the individual sensors and data transmission systems deployed to form an IoT-enabled system needs to be effectively secured. This is true whether they are used in a limited in-house capacity or are interfacing to multiple external business networks of partners, suppliers and customers. And these challenges will only grow as the size of networks increases.
In some areas of manufacturing these issues are being faced on a huge scale already. As explained in this interview with the researcher who actually coined the term Internet of Things; “There’s a billion more RFID tags made in the world than smartphones every year” and the systems that read and transmit their data all need monitoring. The scale and capabilities of these networks are demanding innovative approaches to this challenge that can be managed with limited manual oversight; automating IoT security.
In addition, while IoT deployment increases the number of nodes on the network it also results in the introduction of new kinds of device at those nodes. All of these nodes can feature vulnerabilities that are different in nature to those currently protected against. Managing the identities of these connected machines will involve monitoring and verifying the access of each to collected data, potentially in real-time, as well as understanding the full life cycle of the product itself.
IoT devices can often leave the factory with many vulnerabilities already present and with little or no provision made for updates or obsolescence. Products often have short life spans and are accessed by multiple users through many different security protocols simultaneously. Mitigating these potential issues will require dedicated experience.
Adoption of IoT technologies requires new approaches to typical business problems and processes, and this can often require access to skills outside of many companies’ core areas of expertise. As an example, Microsoft has been establishing itself as an important stakeholder in the IoT industry for a number of years now. In 2017 the company launched a new ‘IoT-as-a-service’ programme designed to help companies without enough relevant in-house capability to deploy new systems.
Building on this experience, the firm has also developed a range of automated security solutions. These include an automatic IoT device discovery capability that detects, identifies and registers new assets added to its managed networks. Additional developments also include automated security assessment and configuration of connected servers.
With each new connected device representing a potential attack vector, security solutions that can efficiently find, assess and monitor all assets on the network in this way are essential. And this approach should extend to machine identities and security tokens.
Industrial IoT networks are widely distributed over different organisations and geographies, so network disruptions can have far-reaching effects. Reducing the risk of such effects demands a sophisticated and comprehensive approach to managing identities and tokens which can deal with all of the risks they present.
Ensuring secure identity management at the volumes needed is no easy task, but it is a good business decision. Automated processes only work if the users trust the systems managing their security. They need to know that data exchanged is accurate and protected, and that interfacing permissions and communication is being monitored and recorded (with relevant anonymities in place).
The payments industry has demonstrated many ways of addressing these issues, as trust in this setting is arguably more important than any. But in addition to solutions that payment providers have developed, companies deploying IoT devices that work with external partners need to control a wider variety of information, and this can also include aspects of intellectual property (IP).
Access to data needs to be controlled and managed at a device-level to ensure that only the relevant details are passed on. This control protects both the client’s IP and their suppliers' networks. In this way, a commitment to security is also a commitment to trust, and this can help companies win new business in this growing area.
It’s no secret that IoT technology has huge potential. In fact, the McKinsey Global Institute predicts that it could have an economic impact of $3.9 trillion to $11.1 trillion a year by 2025. As IoT technologies continue to mature and be deployed in applications beyond industrial supply chains, more new markets will open up.
Faced with this opportunity many companies are fully aware of the need to acquire and enhance security. A recent analyst report by ABI Research details that vendors are increasingly investing in IoT device management and encryption, with the numbers set to grow significantly over the next few years.
Companies that take security seriously and are prepared to do the work to build automated machine identity management systems that can manage it will be able to demonstrate a strategic advantage in this emerging area. And this will lead both to new business and a firmer foundation for scaling and extending the capabilities that IoT brings to other parts of the company's operations.