Securing the Internet of (Every)Things
TRANSCRIPT
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
Earl Perkins
Securing the Internet of (Every)Things
Let's Get the Big Story Out of the Way Right Now
WE'RE ALL GOING TO DIE
... but Probably Not From Cyber Security Compromise
It's Not the End of the World as We Know It, but It IS Serious
Welcome to a world of "continuous compromise"
Cyber Security
• Cyber threats are growing
• Incidents drive government, industry to respond
• IT adoption spreads IT security issues
• Cyber security has unique requirements
• Cyber security requires cultural change
Key Issues
1. What is cyber security and its role in the IoT?
2. What are the cyber security threats that the IoT faces?
3. How can enterprises using the IoT secure it?
Risk, Challenges, and Gaps
"No one can build his security upon the nobleness of another person." — Willa Cather
| Agent | Profile | Targeted Assets |
| --- | --- | --- |
| Industrial or critical infrastructure espionage | "Mercenaries" hired to target specific industries | IP, financial, production info., plans, strategies |
| Foreign intelligence services/nation-states | State sponsored, paramilitary, intelligence | National/Industrial plans, secrets, strategies, sabotage |
| Organized crime | Syndicates, gangs engaged in chip-based fraud | Personal ID info., banking info., fraud, ID theft |
| Activists, "hacktivists," terrorists | Ideological, hired "mercenaries" | Industrial sabotage, planning, strategic secrets |
| Professional "bot herders," phishers, spammers | Malware wholesalers, rent to other threat agents; attract users, compromise user devices, harvest email | Gain device control, repurpose, rent, sell processing, fraud, ID theft, industrial espionage |
| The accidental threat | The uninformed employee or partner with access to systems | Software maintenance or upgrade, operational errors |
| Regulatory uncertainty | Government regulation run rampant | Business decisions and performance |
What Is Cyber Security and Where Does It Fit in the Internet of Things?
• The term was originally used in military and government, in the context of IT, for both offensive and defensive capabilities.
• Commercial markets began using the term for operational technology (OT) security in industries such as manufacturing and utilities.
• Marketing gradually adopted it as a new label for information, IT, and OT security.
• "Cyber security" is not a new concept or idea, but a convergence of offensive and defensive security.
[Diagram labels: OT Security, Information Security, IT Security, "Cyber Security", "Offensive" Security, Physical Security]
Hype Cycle for the Internet of Things
[Figure: Hype Cycle chart, as of July 2013. Axes: expectations (vertical) against time (horizontal). Phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Legend: plateau will be reached in less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years, or obsolete before plateau. The individual technology labels plotted along the curve are not reproduced here.]
Source: From "Hype Cycle for the Internet of Things, 2013," 31 July 2013, G00252763
Operational Technology (OT) Plays a Big Part in the Internet of Things
OT is hardware and software that detects or causes a change of state, through the direct monitoring and/or control of physical devices, processes, and events in the enterprise.
Virtually every mobile asset today has data collection capability. Whether continuously fed to the EAM application or via batch upload, performance data is being used for predictive maintenance.
The typical plant has thousands of devices with some degree of embedded intelligence used for real-time performance monitoring.
From vibration sensors to bearings with Bluetooth to microprocessor-based engine controls, even mobile equipment is now IT dependent.
OT Security is the foundation of the IoT
[Diagram labels: Industrial Control Systems (ICS); Process Control Systems (PCS); Distributed Control Systems (DCS); Supervisory Control and Data Acquisition (SCADA) Systems; OT Security; IT Security Systems; Physical Security Systems]
The practice and technology used to protect information, processes, and assets associated with systems monitoring and/or controlling physical devices, processes, and events that initiate state changes in enterprise operational systems.
You Have Been Invaded!
Is IT, OT, and "PT" Convergence Necessary?
"Today": OT, IT, Physical
- Silo organization
- Proprietary systems
- Culture differences
"Tomorrow": OT, IT, Physical
- Common governance
- Standard systems
- Cultures leveraged
The Internet of Things: It Is Already Here
• Cameras and microphones widely deployed
• Everything has a URL
• Remote sensing of objects and environment
• New routes to market via intelligent objects
• Content and services via connected products
• Augmented reality
• Situational decision support
• Building and infrastructure management
Over 50% of Internet connections are things:
2011: 15+ billion permanent, 50+ billion intermittent
2020: 30+ billion permanent, >200 billion intermittent
[Figure labels: Audio, GPRS, Wi-Fi, NFC, Higher resolution display, LTE, Flash]
Many Types of "Things" and Many IoT Architectures
• Smart autonomous "things"
• Controllable sensing "things"
• Communicating/Sensing "things"
• Identifiable "things"
Many "things" will exploit cloud architectures to communicate with people and endpoints
Humans are both IoT nodes and endpoints
IoT Business Examples: Controllable Things & Ensembles
What if we could monitor and control equipment remotely?
• Diagnose/correct problems and improve customer service/reduce service costs.
• Utility smart metering plus demand management to control consumption. Improves consumer service, regulatory compliance and the environment.
• Sifteo, intelligent "cubes" for games and education. Building cube app ecosystem.
• Automotive tracking and diagnostics.
• Remote home management, monitoring & security, e.g., using Z-Wave.
How can we use collections of sensing/controllable objects to provide a new service?
• Parking bay sensors plus mobile apps enable dynamic pricing, reduce congestion, e.g., SFPark.
• Intelligent transportation, combine traffic sensors, intelligent signage. Reduce congestion and pollution.
• Precision agriculture plus selective irrigation, reduces cost/improve yields.
Who's Exploiting The Internet of Things and Who Should Investigate It?
Industry examples:
• Utilities, e.g., smart grid, infrastructure monitoring
• Transportation & logistics, e.g., for track & trace, route optimization
• Healthcare, on-body monitoring
• Security/insurance — asset monitoring, communications
• Advertising, knowledge of product/technology usage drives adverts on a different channel
Business Situations:
• Stored assets where monitoring and replenishment increases revenue
• Expensive information shadows, e.g., supply chain for fresh produce
• Complex equipment, monitoring can reduce maintenance or support
• Critical infrastructure or equipment needing prompt diagnosis and repair
• Convert "pay to own" to "pay to use"
• Sensing replaces manual labor
• Sensing enables new features
• Convert products into relationships
IoT Will Pose Technical, Commercial, and Social Challenges
• Security: e.g., OTA updates, hacking smart meters, authenticating data
• Software Architectures: IoT middleware, distributed databases and processing, programming to minimize RF usage
• Interoperability and Fragmentation: e.g., O/S, programs, protocol stacks, tools ...
• Tools: e.g., debugging distributed algorithms in sensor networks
• Future Proofing: decade-long life span, retirement of technologies such as 2G
• Deployment: commissioning a large number of sensor nodes
• Hype and Immaturity: of technologies and vendors
• Privacy: risks of sensing "things"
Is “Entity” Management Necessary in the IoT?
[Diagram labels: Identity & Access Mgmt, Asset Mgmt, Mobile Device Mgmt, ?, ?]
Is the concept of “identity” expandable?
Adopt a Strategy of IT/OT Convergence, Alignment, and Integration
Information Technology
Operational Technology
Can These Security Pillars and Foundations Be (Re)used for OT and the IoT?
Interaction Integration Correlation Context
Awareness
Detect Protect Prevent Remediate
Application Security
Identity & Access
Endpoint Protection
Data Security
Network Security
Infrastructure Protection
Governance, Risk and Compliance Management
Intelligent Security and Risk Decisions and Actions
CIOs Must Embrace OT as representative of the Internet of Things
Factors driving this prediction:
• By 2015, unified oversight of all Internet-connected technologies will become a widespread business imperative.
• By 2015, context-aware information management will characterize leading enterprises.
• Leading CIOs are developing leadership roles enterprisewide across all technologies.
• Accelerating convergence of Internet-connected technologies.
• Credible, high-performing CIOs are the natural choice for the role.
Factors against this prediction:
• Fewer than 30% of CIOs are responsible for all enterprise technologies in 2011.
• CIOs who focus mainly on technology issues and service delivery lack the necessary vision.
• Many IT organizations lack strategic business skills and credibility in non-IT technology.
• Enterprise power structures, politics, and personalities may inhibit unified oversight.
• Credible non-CIO individuals may have greater authority.
By 2015, in more than 70% of enterprises, a single executive — a new-style CIO — will oversee all Internet-connected entities.
Recommendations
Educate your enterprise on the taxonomy of cyber security and the Internet of Things to engineering and business
Evaluate security solutions and services based on their ability to handle cyber security vs. particular subsets
For enterprises with significant OT assets, begin the process of IT/OT convergence planning where needed
Assess current security programs and solutions to ensure possible mobile and IoT implications are identified
Monitor industry progress in converging technologies that expand security’s remit to include relationships and objects