{"id":11869,"date":"2016-08-23T21:38:37","date_gmt":"2016-08-23T21:38:37","guid":{"rendered":"http:\/\/timoelliott.com\/blog\/?p=7980"},"modified":"2016-08-23T21:38:37","modified_gmt":"2016-08-23T21:38:37","slug":"four-key-steps-for-enterprise-iot-security","status":"publish","type":"post","link":"https:\/\/timoelliott.com\/blog\/2016\/08\/four-key-steps-for-enterprise-iot-security.html","title":{"rendered":"Four Key Steps For Enterprise IoT Security"},"content":{"rendered":"<p>There&#8217;s been a lot of press recently about the problems of IoT security: easily hackable <a href=\"https:\/\/www.techdirt.com\/articles\/20160809\/13113235201\/like-rest-internet-things-most-smart-locks-are-easily-hacked.shtml\" target=\"_blank\">smart locks<\/a>, as many as\u00a0<a href=\"https:\/\/www.wired.com\/2016\/08\/oh-good-new-hack-can-unlock-100-million-volkswagens\/\" target=\"_blank\">100M Volkswagens<\/a> at risk, vulnerable <a href=\"https:\/\/community.rapid7.com\/community\/infosec\/blog\/2016\/07\/26\/r7-2016-10-multiple-osram-sylvania-osram-lightify-vulnerabilities-cve-2016-5051-through-5059\" target=\"_blank\">light bulbs<\/a>, and even\u00a0sex toys <a href=\"http:\/\/motherboard.vice.com\/read\/dildo-data-hacking\" target=\"_blank\">that spy on you<\/a>.<\/p>\n<p>Here are some key concepts for the future of IoT security in the enterprise:<\/p>\n<h3>First, IoT is going to save a lot of lives<\/h3>\n<p class=\"p1\">It&#8217;s\u00a0worth pointing out up front that the most direct result of IoT is\u00a0much\u00a0better\u00a0<i>physical<\/i> security. Cheap, easy-to-install sensors mean fewer surveillance vulnerabilities in critical infrastructure.<\/p>\n<p>For example, <a href=\"https:\/\/gooee.com\/\" target=\"_blank\">Gooee<\/a> provides intelligent sensors integrated with lighting systems to monitor activity, temperature, and more. 
When people break in, or there&#8217;s a fire, or an earthquake is on its way, IoT means we\u00a0can take action faster, saving assets and lives.<\/p>\n<p>For example, as part of a <a href=\"http:\/\/go.sap.com\/solution\/industry\/public-sector\/future-cities.html\" target=\"_blank\">Smart Cities<\/a> initiative, SAP has been working with the city of Buenos Aires\u00a0on\u00a0a centralized city-wide dashboard showing real-time information from more than 700,000 different city assets. This includes flow sensors on the city&#8217;s water systems that proactively alert against\u00a0<a href=\"http:\/\/sapvideo.edgesuite.net\/vod\/2015\/ext\/city-government-of-buenos-aires-flood-prevention-ctv.mp4?campaigncode=CRM-XJ15-TEC-IT_TR05LP\" target=\"_blank\">floods\u00a0that could endanger lives<\/a>.<\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/gMHU_LCPyDY\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>Almost every potential\u00a0security threat\u00a0can be minimized with the appropriate sensors. For example, gunfire locators can help flag crimes in progress: during the 2003-2004 Ohio highway sniper attacks,\u00a0the FBI <a href=\"https:\/\/en.wikipedia.org\/wiki\/Gunfire_locator\" target=\"_blank\">successfully used a ShotSpotter gunshot location system<\/a> to find the shooter.<\/p>\n<p>So if we&#8217;re\u00a0worried about keeping people\u00a0safe, and detecting toxins slipped\u00a0into the drinking water, then IoT is a great answer.<\/p>\n<h3>But when everything is networked, everything is hackable<\/h3>\n<p>While physical security is improving rapidly, cybersecurity is a big and growing threat. 
IoT compounds\u00a0all the security problems of traditional networks.\u00a0There are many more potential points of entry, the tradeoff between security and ease-of-use\/cost is more severe, and the devices themselves aren&#8217;t easy to patch when security flaws are discovered.<\/p>\n<p>There&#8217;s no easy solution\u00a0to\u00a0these problems&#8211;the right approach\u00a0is to double down on traditional security measures. Securing connected IoT devices is\u00a0like trying to seal your house against insects. You have to take the usual measures such as\u00a0blocking the biggest cracks and cleaning regularly&#8211;but some bugs are always going to get through.<\/p>\n<p>Companies must continue to\u00a0implement &#8220;basic digital hygiene&#8221;&#8211;the equivalent of locking the door twice and not leaving the keys around. But then they should expect to get\u00a0hacked anyway.<\/p>\n<p>To combat the inevitable hacks, there has to be a multi-layered approach\u00a0to\u00a0security. IoT security is like\u00a0an onion&#8211;the more layers you\u00a0have, the more you&#8217;ll make the hackers cry&#8230;<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-7990\" src=\"https:\/\/i0.wp.com\/timoelliott.com\/blog\/wp-content\/uploads\/2016\/08\/iot-security-is-like-an-onion.jpg?resize=608%2C258&#038;ssl=1\" alt=\"iot security is like an onion\" width=\"608\" height=\"258\" \/><\/p>\n<p>Don&#8217;t stint on security investments: get secure\u00a0sensors from reputable companies,\u00a0use isolated systems wherever possible, minimize data traffic and storage, use effective trusted certificates, employ tokenization, and adopt end-to-end encryption.<\/p>\n<p>And perhaps most importantly of all: employ people who know\u00a0how to put all this in place, and\u00a0work with organizations that understand enterprise security and <a href=\"http:\/\/go.sap.com\/corporate\/en\/company\/security.html\" target=\"_blank\">have 
been doing it a long time<\/a>.<\/p>\n<h3>The future is about algorithmic security<\/h3>\n<p>New technology brings new opportunities&#8211;it&#8217;s time to take advantage of Big Data technology to improve IoT security.<\/p>\n<p>Simple security is when an alarm is triggered and a guard intervenes.\u00a0More complex security is more context-aware. For example,\u00a0an alarm is\u00a0triggered when the\u00a0same personnel badge has been used simultaneously in two different electrical power stations. Or a badge has been used by somebody who is supposed to be on holiday.<\/p>\n<p>This kind of security requires real-time access to enterprise systems to augment the sensor data. For example, <a href=\"http:\/\/www.alertenterprise.com\/products-EnterpriseSentry.php\" target=\"_blank\">AlertEnterprise<\/a>, part of the <a href=\"http:\/\/startupfocus.saphana.com\/\" target=\"_blank\">SAP Startup program<\/a>, uses the power of the <a href=\"http:\/\/saphana.com\">SAP HANA<\/a> in-memory platform to provide real-time security analysis, awareness, and prediction:<\/p>\n<blockquote><p>&#8220;Attacks\u00a0are getting more frequent and more damaging. 
Key pieces of information lie in different systems and by the time the security teams piece together the puzzle, it&#8217;s too late.\u00a0Enterprise Sentry consolidates critical information from underlying security tools and combines it with operational information to deliver a real view of what\u2019s happening right now.&#8221;<\/p><\/blockquote>\n<p>Algorithmic security is the next level, and involves using Big Data analysis techniques on the millions of data points that can be collected from, say, an airport&#8217;s IT systems: door sensors, employee badges, flight rosters, cleaning schedules, luggage systems and more.<\/p>\n<p>Using predictive algorithms, the system can learn what a &#8220;normal&#8221; day at the airport looks\u00a0like, and then sound the alert whenever conditions differ\u00a0from\u00a0the expected\u00a0pattern. These are the kinds of techniques that are already used to detect suspicious financial transactions using\u00a0<a href=\"http:\/\/go.sap.com\/product\/analytics\/enterprise-compliance\/fraud-management.html\" target=\"_blank\">SAP Fraud Management<\/a>.<\/p>\n<p>Algorithmic security\u00a0applies to IoT, too.\u00a0There are many different ways systems can be hacked, and real-time anomaly detection is the ideal way of dealing with unknown new threats.<\/p>\n<p>For example, there have been trials\u00a0showing that the traffic lights in major cities\u00a0<a href=\"https:\/\/www.wired.com\/2014\/04\/traffic-lights-hacking\/\" target=\"_blank\">could be manipulated<\/a>, leading to traffic jams and worse. With algorithmic security, these sensor patterns would immediately show up as highly unusual and suspicious anomalies.<\/p>\n<h3>Cybersecurity is about people<\/h3>\n<p>It&#8217;s a clich\u00e9, but that doesn&#8217;t make it any less true: robust cybersecurity is much more about people and processes than technology.<\/p>\n<p>Organizations need to concentrate on the most vulnerable part of any\u00a0network: the people using it. 
The easiest and most effective way to improve cybersecurity is having the right\u00a0processes and training in place.<\/p>\n<p>Companies need effective\u00a0<a href=\"http:\/\/go.sap.com\/solution\/platform-technology\/analytics\/grc.html\" target=\"_blank\">governance, risk, and compliance<\/a> policies that constantly evaluate and update\u00a0your security. And ongoing training programs:\u00a0systems like <a href=\"https:\/\/www.successfactors.com\/en_us\/solutions\/talent\/learning\/lms.html\" target=\"_blank\">SAP SuccessFactors Learning Management<\/a>\u00a0can ensure that every employee has been certified on the kinds of social engineering that lead to network breaches.<\/p>\n<h3>Further reading<\/h3>\n<ul>\n<li><a href=\"http:\/\/www.digitalistmag.com\/executive-research\/internet-of-things-and-digital-transformation-tale-of-4-industries\">The Internet of Things and Digital Transformation: A Tale of Four Industries<\/a><\/li>\n<li><a href=\"http:\/\/www.ogfj.com\/articles\/print\/volume-13\/issue-8\/features\/time-to-take-cyberattacks-seriously.html\">Time To Take Cyberattacks Seriously<\/a><\/li>\n<li><a href=\"http:\/\/motherboard.vice.com\/blog\/how-iot-can-help-monitor-and-rebuild-aging-infrastructure\">How IoT Can Help Monitor and Rebuild Aging Infrastructure<\/a><\/li>\n<li><a href=\"http:\/\/www.macworld.com\/article\/3067392\/internet-of-things\/security-of-public-infrastructure-in-the-age-of-iot-and-ransomware.html\">Security of Public Infrastructure in the Age of IoT and Ransomware<\/a><\/li>\n<li><a href=\"https:\/\/www.element14.com\/community\/groups\/internet-of-things\/blog\/2015\/04\/27\/hacking-infrastructure-how-a-lack-of-iot-security-could-endanger-public-safety\">Hacking Infrastructure: How a Lack of IoT Security Could Endanger Public Safety<\/a><\/li>\n<li><a href=\"http:\/\/www.digitalistmag.com\/digital-economy\/digital-futures\/2015\/09\/10\/cyber-insecurity-digital-economys-fatal-flaw-03425208\">Cyber Insecurity: Trying to Waterproof 
a Sieve<\/a><\/li>\n<\/ul>\n<ul>\n<li><a href=\"\u2022%09https:\/dam.sap.com\/mac\/preview\/a\/67\/JgAmlyyHSyJgOPXmEuAPnyUrXySyO7xHgEgXOOHlxxOmPESC\/sap_digitalfutures_no07_011116.htm\">Executive Brief: Cyber Security \u2013 Protecting a Hackable World<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There&#8217;s been a lot of press recently about the problems of IoT security &#8212; what should organizations do about it? <\/p>\n","protected":false},"author":2,"featured_media":12791,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[14],"tags":[90,100,160,173,204,391,544,628,633,956],"class_list":["post-11869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-thoughts","tag-algorithmic-security","tag-analytics","tag-bi","tag-big-data","tag-business-intelligence","tag-digitalist","tag-grc","tag-internet-of-things","tag-iot","tag-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/timoelliott.com\/blog\/wp-content\/uploads\/2016\/08\/iot-security-is-like-an-onion-608x258-5.jpg?fit=608%2C258&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p3X9RF-35r","_links":{"self":[{"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/posts\/11869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/pos
ts"}],"about":[{"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/comments?post=11869"}],"version-history":[{"count":0,"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/posts\/11869\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/media\/12791"}],"wp:attachment":[{"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/media?parent=11869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/categories?post=11869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/timoelliott.com\/blog\/wp-json\/wp\/v2\/tags?post=11869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}