Having just completed a meeting with a developer at a Building Systems Automation company a few weeks ago, it was with great interest that I started trawling the net to look for case studies of enterprises jumping on the latest hype wagon - IoT, or the Internet of Things.
To say that I was surprised at the many solutions being developed is an understatement. Industries as diverse as Transportation, Health Care, Retail, Agriculture, Construction, Energy and Hospitality are all represented by a growing list of solution developers. Even more impressive are the efficiencies, cost savings and increased customer service levels and satisfaction that are being quoted as outcomes.
There is no doubt that as the early adopters of these solutions start to gain both market recognition and share, we will see these solutions marketed as products, rather than projects, and their costs will fall. The result will be greater penetration into the enterprise space. In fact, we are already seeing some commercialisation in a few enterprise markets, such as physical security and building management/energy reduction. These solutions commonly include network-connected sensors and devices, such as door latches, CCTV cameras etc., coupled with application software that is either supplied 'as a service' or integrated into an enterprise's application stack.
However, not everything is rosy in this fast-growing market. To date, there has been a long list of frightening vulnerabilities discovered in the IoT and network-connected devices. In July 2015, Wired published an account describing how two security researchers, Charlie Miller and Chris Valasek, were able to wirelessly hack into a Jeep Cherokee, taking control of the entertainment & dash systems, steering, brakes and even transmission! Search the web further and you’ll find similar examples for pacemakers, CCTV cameras, door locks and much, much more.
It is clear that the introduction of hundreds of new and unknown connected devices into an enterprise network must be planned and implemented with appropriate due diligence, risk management and caution. With that in mind, what should you be checking before placing your purchase orders?
- Security planning needs to be in place between the information, network, data, and physical security teams from the launch of the project.
- Look into the security credentials of the equipment manufacturer. Are they a known brand in the enterprise market?
- Understand your current threat environment.
- Investigate the technical limitations of the devices under consideration and understand their security implications (OWASP has published a Top IoT Vulnerabilities list).
- Map the security implications of those technical limitations against your threat environment.
- Identify what data is to be collected and where it is to be stored.
- Check datasets against government and the business's privacy and usage policies.
- When implementing, treat ALL devices as UNTRUSTED and keep them isolated from Corporate and Production networks.
- Utilise stringent firewall policies for all data requests to the corporate or production networks.
- Devise a clear plan for managing IoT within your organisation. How will devices be upgraded and repaired?
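The two network points in the list (treat every device as untrusted, isolate it from corporate and production, and allow only specific data requests through the firewall) amount to a default-deny segmentation policy. The following is an added example, not code from the original post or from any vendor: it models that policy as a small evaluator over sample flows and renders the equivalent nftables forward-chain rules. The network layout is constructed for illustration (IoT VLAN 10.50.0.0/24, corporate 10.10.0.0/16, production 10.20.0.0/16, a single collector host 10.10.5.20 reachable on TCP/443); all addresses, ports and the table name are placeholders.

```python
"""Default-deny segmentation for an untrusted IoT VLAN.

Added example; this is not code from the original post. The network layout
is constructed for illustration: IoT devices on 10.50.0.0/24, the corporate
network on 10.10.0.0/16, the production network on 10.20.0.0/16, and one
data-collector host 10.10.5.20 that devices may reach over TCP/443. All
addresses and ports are placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

IOT_NET = ip_network("10.50.0.0/24")
CORP_NET = ip_network("10.10.0.0/16")
PROD_NET = ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as seen by the segmentation firewall."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class AllowRule:
    """One explicit permission: source net -> destination net, proto/port."""
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: int

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst
                and flow.proto == self.proto
                and flow.dport == self.dport)


# The explicit allow-list. The only connection the IoT VLAN may initiate
# toward corporate or production is TLS to the collector; nothing else.
ALLOW_RULES = [
    AllowRule(IOT_NET, ip_network("10.10.5.20/32"), "tcp", 443),
]


def evaluate(flow: Flow, rules=ALLOW_RULES) -> str:
    """Decide a flow originating from the IoT VLAN.

    Returns "accept" if an explicit rule matches, "drop" for any other
    IoT-originated flow (default deny, which also covers traffic toward
    the internet or other segments), and "out-of-scope" for flows that do
    not originate in the IoT VLAN, which this policy does not govern.
    """
    if ip_address(flow.src) not in IOT_NET:
        return "out-of-scope"
    if any(rule.matches(flow) for rule in rules):
        return "accept"
    return "drop"


def render_nftables(rules=ALLOW_RULES) -> str:
    """Emit an nftables forward-chain ruleset equivalent to evaluate().

    Established/related packets are accepted so replies to permitted
    connections flow back; every other packet sourced from the IoT VLAN is
    logged and dropped. The chain keeps policy accept so that rules for
    other segments (corporate <-> production) are unaffected.
    """
    lines = [
        "table inet iot_segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        ct state established,related accept",
    ]
    for rule in rules:
        lines.append(
            f"        ip saddr {rule.src} ip daddr {rule.dst} "
            f"{rule.proto} dport {rule.dport} ct state new accept"
        )
    lines.append(f'        ip saddr {IOT_NET} log prefix "iot-drop " drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows, one per decision branch.
    samples = [
        Flow("10.50.0.17", "10.10.5.20", "tcp", 443),  # to collector: accept
        Flow("10.50.0.17", "10.10.5.20", "tcp", 22),   # SSH to collector: drop
        Flow("10.50.0.17", "10.20.1.9", "tcp", 443),   # into production: drop
        Flow("10.10.7.3", "10.50.0.17", "tcp", 80),    # corp -> IoT: out-of-scope
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {evaluate(f)}")
    print(render_nftables())
```

Running the script prints the decision for each sample flow and then the ruleset, which can be syntax-checked on a host with nftables using `nft -c -f <file>` before it is loaded. Note the design choice: the final drop rule is keyed on the IoT source range rather than on the chain policy, so the allow-list is the only way out of the IoT VLAN while the rest of the firewall is left alone. Management access from the corporate side for the upgrade and repair plan in the last list item is deliberately not covered here; it should get its own narrow, explicitly logged rules rather than a blanket accept.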
The solutions offered by the Internet of Things promise great returns for those willing to manage the very real security risks involved. If you are considering a shift to IoT, project planning and security advice are essential.