The benefits of deploying IoT are becoming clearer for many organizations, especially once a use case has been identified in which IoT solves a business problem (see my other article for more on that). However, once an IoT technology “sticks,” additional security considerations prior to deployment may not be top of mind, but they should be.
Device security should be incorporated into any design, and IoT deployments are not exempt. The general approach is to use the CIA triad: ensure the confidentiality, integrity and availability of the technology. While there are many debatable concerns around the security of devices, such as smart locks, there also are concrete examples of internet-connected devices posing a security risk with default passwords. The viral video demonstrating how an internet-connected carwash using default passwords can be exploited helps put the urgency of securing IoT devices into perspective. Weak and default passwords on IoT devices and platforms can even put personal safety at risk. When securing IoT devices, seek integration with existing certificate frameworks.
From a reliability perspective, cascading failure is a consideration as well. Consider a smart refrigerator that could be “bricked” by an IoT device failure, misconfiguration, malicious use or bad firmware. In a hospital use case, unreliable devices could ruin a very expensive inventory of medicines that require climate control, or even put lives in danger. Device reliability may also become a consideration over time as conditions change. Temperature and other atmospheric factors, quality of network connection, changes in network equipment and changes in logical configuration (such as routing to the internet) may all introduce small and seemingly irrelevant changes to an environment, but IoT devices may respond unexpectedly to these changes.
From a cost perspective, consider a fixed device removal (and replacement) date or cycle. Just as capital expenditures like PCs and desktops have a three- to four-year life span, IoT assets should have their own asset management cycle. The details of that cycle will depend on factors such as the device, cost and use case, but also consider the process for spare part management, both from a supplier and, possibly, from a private inventory within the organization. A fixed removal date also provides a possible remediation for vulnerabilities that emerge in the future for IoT devices, because updating them may be daunting. Additionally, we should expect that capabilities will increase and costs will decrease for individual devices over time.
While this view on IoT may seem alarmist, a single catastrophic failure or breach could wipe out any IoT benefit. The challenge today is to design with these considerations in place, to avoid a problem that wasn’t addressed ahead of time.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.