
Page 1

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."

Earl Perkins

Securing the Internet of (Every)Things

Page 2


Let's Get the Big Story Out of the Way Right Now

WE'RE ALL GOING TO DIE

... but Probably Not From Cyber Security Compromise

Page 3


It's Not the End of the World as We Know It, but It IS Serious

Welcome to a world of "continuous compromise"

Cyber security:

• Cyber threats are growing

• Incidents drive government, industry to respond

• IT adoption spreads IT security issues

• Cyber security has unique requirements

• Cyber security requires cultural change

Page 4


Key Issues

1. What is cyber security and its role in the IoT?

2. What are the cyber security threats that the IoT faces?

3. How can enterprises using the IoT secure it?

Page 5


Risk, Challenges, and Gaps

"No one can build his security upon the nobleness of another person." — Willa Cather

| Agent | Profile | Targeted Assets |
|---|---|---|
| Industrial or critical infrastructure espionage | "Mercenaries" hired to target specific industries | IP, financial, production info., plans, strategies |
| Foreign intelligence services/nation-states | State sponsored, paramilitary, intelligence | National/industrial plans, secrets, strategies, sabotage |
| Organized crime | Syndicates, gangs engaged in chip-based fraud | Personal ID info., banking info., fraud, ID theft |
| Activists, "hacktivists," terrorists | Ideological, hired "mercenaries" | Industrial sabotage, planning, strategic secrets |
| Professional "bot herders," phishers, spammers | Malware wholesalers, rent to other threat agents; attract users, compromise user devices, harvest email | Gain device control, repurpose, rent, sell processing, fraud, ID theft, industrial espionage |
| The accidental threat | The uninformed employee or partner with access to systems | Software maintenance or upgrade, operational errors |
| Regulatory uncertainty | Government regulation run rampant | Business decisions and performance |

Page 6


What Is Cyber Security and Where Does It Fit in the Internet of Things?

• Originally used in military and government, when applied to IT, for both offensive and defensive capabilities.

• Commercial markets began using the term for operational technology (OT) security in industries such as manufacturing and utilities.

• Marketing gradually adopted it as a new label for information, IT, and OT security.

• "Cyber security" is not a new concept or idea, but a convergence of offensive and defensive security.

Diagram: OT Security, Information Security, IT Security, "Offensive" Security, and Physical Security overlapping under the label "Cyber Security".

Page 7


Hype Cycle for the Internet of Things

Figure: Hype Cycle for the Internet of Things (expectations vs. time; phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity; legend: plateau will be reached in less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years, or obsolete before plateau). As of July 2013.

Technologies plotted: Smart Dust; Operational Intelligence Platforms; 802.11ah; Quantified Self; Decisions and Recommendations as a Service; Autonomous Vehicles; Data Science; IT/OT Integration; Silicon Anode Batteries; Context Delivery Architecture; Big Data; Home Energy Management/Consumer Energy Management; Low-Cost Development Boards; Smart Fabrics; Wireless Power; Bluetooth 4.0; Enterprise Information Architecture; Facilities Energy Management; Raspberry Pi; Smart Appliances; Complex-Event Processing; Home-Area Network; Broadband-Connected Televisions; Operational Technology Security; Z-Wave; Telematics; Machine-to-Machine Communication Services; Operational Technology Platform Convergence; Mesh Networks: Sensor; Advanced Metering Infrastructure; Enterprise Manufacturing Intelligence; Vehicle-to-Infrastructure Communications; IPv6; ISA-95 Integration Standards; Vehicle-to-Vehicle Communications; RFID for Logistics and Transportation; 6LoWPAN; Public Telematics and ITS; 802.15.4/ZigBee; RF MCU; Consumer Telematics; Wireless Healthcare Asset Management; Commercial Telematics; DASH7; Internet of Things; Smart City Framework, China; Smart Transportation; Mobile Health Monitoring.

Source: From "Hype Cycle for the Internet of Things, 2013," 31 July 2013, G00252763

Page 8


Operational Technology (OT) Plays a Big Part in the Internet of Things

OT is hardware and software that detects or causes a change of state, through the direct monitoring and/or control of physical devices, processes, and events in the enterprise.

Virtually every mobile asset today has data collection capability. Whether continuously fed to the EAM application or via batch upload, performance data is being used for predictive maintenance.

The typical plant has thousands of devices with some degree of embedded intelligence used for real-time performance monitoring.

From vibration sensors to bearings with Bluetooth to microprocessor-based engine controls, even mobile equipment is now IT dependent.

Page 9


OT Security is the foundation of the IoT

Industrial Control Systems (ICS): Process Control Systems (PCS), Distributed Control Systems (DCS), Supervisory Control and Data Acquisition (SCADA) Systems

Layers: OT Security; IT Security Systems; Physical Security Systems

OT security: the practice and technology used to protect information, processes, and assets associated with systems monitoring and/or controlling physical devices, processes, and events that initiate state changes in enterprise operational systems.

Page 10


You Have Been Invaded!


Page 11


Is IT, OT, and "PT" Convergence Necessary?

"Today": OT, IT, and Physical as separate domains: silo organization, proprietary systems, culture differences.

"Tomorrow": OT, IT, and Physical converged: common governance, standard systems, cultures leveraged.

Page 12


The Internet of Things: It Is Already Here

• Cameras and microphones widely deployed

• Everything has a URL

• Remote sensing of objects and environment

• New routes to market via intelligent objects

• Content and services via connected products

• Augmented reality

• Situational decision support

• Building and infrastructure management

Over 50% of Internet connections are things:

2011: 15+ billion permanent, 50+ billion intermittent

2020: 30+ billion permanent, >200 billion intermittent

Device capabilities shown: audio, GPRS, Wi-Fi, NFC, higher resolution display, LTE, flash.

Page 13


Many Types of "Things" and Many IoT Architectures

• Smart autonomous "things"

• Controllable sensing "things"

• Communicating/sensing "things"

• Identifiable "things"

Many "things" will exploit cloud architectures to communicate with people and endpoints

Humans are both IoT nodes and endpoints

Page 14


IoT Business Examples: Controllable Things & Ensembles

What if we could monitor and control equipment remotely?

• Diagnose/correct problems and improve customer service/reduce service costs.

• Utility smart metering plus demand management to control consumption. Improves consumer service, regulatory compliance and the environment.

• Sifteo, intelligent "cubes" for games and education. Building cube app ecosystem.

• Automotive tracking and diagnostics.

• Remote home management, monitoring & security, e.g., using Z-Wave.

How can we use collections of sensing/controllable objects to provide a new service?

• Parking bay sensors plus mobile apps enable dynamic pricing, reduce congestion, e.g., SFPark.

• Intelligent transportation, combining traffic sensors and intelligent signage. Reduces congestion and pollution.

• Precision agriculture plus selective irrigation reduces cost/improves yields.

Page 15


Who's Exploiting The Internet of Things and Who Should Investigate It?

Industry examples:

• Utilities, e.g., smart grid, infrastructure monitoring

• Transportation & logistics, e.g., for track & trace, route optimization

• Healthcare, on-body monitoring

• Security/insurance: asset monitoring, communications

• Advertising: knowledge of product/technology usage drives adverts on a different channel

Business situations:

• Stored assets where monitoring and replenishment increases revenue

• Expensive information shadows, e.g., supply chain for fresh produce

• Complex equipment, where monitoring can reduce maintenance or support

• Critical infrastructure or equipment needing prompt diagnosis and repair

• Convert "pay to own" to "pay to use"

• Sensing replaces manual labor

• Sensing enables new features

• Convert products into relationships

Page 16


IoT Will Pose Technical, Commercial, and Social Challenges

• Security: e.g., OTA updates, hacking smart meters, authenticating data

• Software architectures: IoT middleware, distributed databases and processing, programming to minimize RF usage

• Interoperability and fragmentation: e.g., O/S, programs, protocol stacks, tools ...

• Tools: e.g., debugging distributed algorithms in sensor networks

• Future proofing: decade-long life span, retirement of technologies such as 2G

• Deployment: commissioning a large number of sensor nodes

• Hype and immaturity: of technologies and vendors

• Privacy: risks of sensing "things"

Page 17


Is “Entity” Management Necessary in the IoT?

Identity & Access Mgmt, Asset Mgmt, Mobile Device Mgmt, ?, ?

Is the concept of “identity” expandable?

Page 18


Adopt a Strategy of IT/OT Convergence, Alignment, and Integration

Diagram: Information Technology and Operational Technology converging.

Page 19


Can These Security Pillars and Foundations Be (Re)used for OT and the IoT?

Figure: security pillars and foundations. Pillars: Application Security, Identity & Access, Endpoint Protection, Data Security, Network Security. Functions: Detect, Protect, Prevent, Remediate. Capabilities: Interaction, Integration, Correlation, Context Awareness. Foundations: Infrastructure Protection; Governance, Risk and Compliance Management; Intelligent Security and Risk Decisions and Actions.

Page 20


CIOs Must Embrace OT as representative of the Internet of Things

Factors driving this prediction:

• By 2015, unified oversight of all Internet-connected technologies will become a widespread business imperative.

• By 2015, context-aware information management will characterize leading enterprises.

• Leading CIOs are developing leadership roles enterprisewide across all technologies.

• Accelerating convergence of Internet-connected technologies.

• Credible, high-performing CIOs are the natural choice for the role.

Factors against this prediction:

• Fewer than 30% of CIOs are responsible for all enterprise technologies in 2011.

• CIOs who focus mainly on technology issues and service delivery lack the necessary vision.

• Many IT organizations lack strategic business skills and credibility in non-IT technology.

• Enterprise power structures, politics, and personalities may inhibit unified oversight.

• Credible non-CIO individuals may have greater authority.

By 2015, in more than 70% of enterprises, a single executive, a new-style CIO, will oversee all Internet-connected entities.

Page 21


Recommendations

• Educate your enterprise, engineering and business, on the taxonomy of cyber security and the Internet of Things

• Evaluate security solutions and services based on their ability to handle cyber security vs. particular subsets

• For enterprises with significant OT assets, begin the process of IT/OT convergence planning where needed

• Assess current security programs and solutions to ensure possible mobile and IoT implications are identified

• Monitor industry progress in converging technologies that expand security's remit to include relationships and objects

Page 22


Recommended Gartner Research

• The Internet of Things Is Moving to the Mainstream, Hung LeHong and others (G00247190)

• The Impact of Critical Infrastructure Protection Standards on Security, Earl Perkins (G00230036)

• Agenda Overview for Operational Technology Alignment With IT, 2013, Kristian Steenstrup (G00245721)

• Predicts 2013: IT and OT Alignment Has Risks and Opportunities, Kristian Steenstrup and others (G00245299)

• Cool Vendors in IT/OT Alignment and Integration, 2013, Kristian Steenstrup and others (G00246893)

For more information, stop by Gartner Research Zone.