According to the Information Security Forum (ISF), a trusted resource for
executives and board members on cyber security and risk management, the
Internet of Things (IoT) has exploded into the connected world, promising the
enablement of the digital organization and making domestic life richer and
easier. However, with those promises come inevitable risks including the rush
to adoption, which has highlighted serious deficiencies in both the security
design of IoT devices and their implementation. Coupled with increasing
governmental concerns around the societal, commercial and critical
infrastructure impacts of this technology, the emerging world of the IoT has
attracted significant attention.
In an effort to support global organizations, the ISF today announced the
release of Securing the IoT: Taming the Connected World, the organization's
latest digest, which helps security professionals better understand the
security implications of the IoT.
Based on external and ISF member research, and supplemented by a short series
of special interest group meetings held in Finland, the Netherlands and the
United Kingdom, this paper explores:
- Definitions of the IoT
- Technical characteristics
- Fundamental security issues
- Emerging security practice
- Legal and regulatory landscapes
"The IoT has become a reality and is already embedded in industrial and consumer
environments. It will further develop and become an essential component of not
just modern life, but critical services," said Steve Durbin, Managing Director,
ISF. "Still, at the moment, it is inherently vulnerable, often neglects
fundamental security principles and is a tempting attack target. This needs to
change."
The IoT is often perceived as new and cutting edge, but
similar technology has been around since the last century. What has changed is
the ubiquity of high-speed, low-cost communication networks, and a reduction in
the cost of compute and storage. Combined with a societal fascination with
technology, this has resulted in an expanding market opportunity for IoT
devices, which may be broadly split into two categories: consumer and
industrial IoT.
The IoT has also been described as a form of shadow IT,
often hidden from view and purchased through a non-IT route. Hence,
responsibility for its security is often not assigned or mis-assigned. There is
an opportunity for information security to take control of the security aspects
of the IoT, but this is not without challenges: amongst them skills and
resources. Nevertheless, there is a window of opportunity to tame this world,
by building security into it. As most information security professionals
understand, this represents a cheaper and less disruptive option than the
alternative. Security teams should take the initiative to research security
best practices to secure these emerging devices and be prepared to update their
security policies as even more interconnected devices make their way onto
enterprise networks.
"The IoT can be broken down into consumer-orientated products and industrial-orientated
products; however, ISF member organizations can face risks from both these
aspects of the IoT as it enters the workplace by design and also by stealth,"
continued Durbin. "It's important that information security functions take a
proactive approach to this potentially poorly secured world and ensure that the
IoT does not represent a weak spot in organizational defenses. Enterprises
with the appropriate expertise, leadership, policy and strategy in place will
be agile enough to respond to the inevitable security lapses. Those who do not
closely monitor the continued growth of the IoT may find themselves on the
outside looking in."
Securing the IoT: Taming the Connected World is available now to ISF Member
companies via the ISF website.