The Internet of Things
The Internet of Things (IoT) is an umbrella term used to describe the rapidly growing population of smart and/or embedded digital devices that can leverage, monitor and control systems and components in the physical world. The span covered by this technology is vast, ranging from industrial control systems connected to the internet, to new wearable devices, to new capabilities in automobiles and homes. The opportunities are significant, as IoT systems can transform the customer experience, improve product maintenance, and create new business propositions such as subscription models and greater insight from data analytics.
But the IoT presents important new security challenges. Even with the explosive growth of mobile apps and the cloud, the focus and expertise of corporate IT security has remained largely inside the company firewall. This new environment of ‘things’ resides almost entirely outside the corporate network, relying primarily on the external internet and on local connectivity technologies such as Bluetooth or mesh networks. Much of the technology is also different from traditional IT systems and can involve simple operating systems and very low-powered processors.
It is perhaps not surprising that security researchers and the media have been having a field day identifying IoT security weaknesses, not just in the lab, but in devices that are in widespread use.
What is the purpose of our work?
In our research and work with companies who have IoT projects we found that it was too easy to make the wrong assumptions about security and privacy. A common mistake can be to focus just on the technical device, rather than the broader eco-system of applications, data and cloud services. It is also easy to miss the strategic significance of decisions like the choice of industry standards and the corporate stance on how personal data will be handled.
This web site aims to bring together a range of resources on the new IoT and its implications for privacy and security. We intend to explore the security stories and the risks, as well as looking at how the security and privacy challenges are being tackled by researchers, end-user companies and solutions vendors. We welcome learning about new resources, new stories and ideas. Market researchers predict that there will be over 50 billion IoT devices deployed by 2020. Poor security deployed at scale could be irreversible, so the time to get the security right is now.
What Services do we offer?
The Internet of Things brings together both IT and engineering in ways not often experienced by the IT team. Technologies that will be embedded in consumer devices, mobiles or industrial systems will usually leverage Original Equipment Manufacturer (OEM) circuit boards and sensors, and/or may be addressed through new software development toolkits.
Selecting the right capabilities and engineering partners who can support the necessary IoT functions, including security, becomes a key element of strategy. The decisions taken now can easily lock in the future development of an IoT service.
We are completely independent from products and solutions and work with companies to help them make the right choices and specify the requirements in their technology procurement.
Briefings, white papers and directions
We run workshops and provide executive briefings on the security and privacy implications of the Internet of Things and how these can impact company strategy and the ecosystems in which companies operate. The implications of stakeholder engagement, and how IoT security is addressed, are also covered in our IoT readiness and strategy assessment methodology, the IoT Quadrant Framework (IoT-QF).
We also research and write whitepapers on IoT security topics for individual companies or for research organisations such as the Leading Edge Forum, where an example of our work has recently been described.
What is IoT-QF?
In our work with companies who have projects where they are starting to work with the tools and concepts of the Internet of Things, we found that it was too easy for an IT team to make big mistakes in how they thought about security and privacy. Common mistakes are to focus just on the device, rather than the broader eco-system of applications, data and cloud services.
The Internet of Things Security Quadrant Framework (IoT-QF) is a simple tool that guides the thinking of business leaders, project teams and the information security group on what should be considered in the adoption of IoT technologies, and on the fundamental strategic implications that underpin apparently tactical decisions on security and privacy.
IoT Quadrant Framework Assessment
Security in the IoT environment is not only new, with new concepts and approaches that need to be adopted; it is also multi-dimensional. New suppliers and vendors need to understand the risks in your business and the security scenarios that would impact customer privacy or business integrity. Regulators and other stakeholders will learn more about this new way of working and develop new rules and regulations, and you will need to position yourself in the marketplace accordingly.
The IoT Quadrant Framework assessment tool helps identify the key strategic questions that allow the executive to set the ‘tone’ of IoT adoption and the resulting expectations for the secure development and operation of the IoT systems. Early IoT experiences are already showing that the rate of change in IoT use and adoption, as well as the nature of partnerships, can rapidly change the risk profile. The assessment framework therefore also anticipates change and shows companies how to prepare for this future.
The framework also takes the implementation team through seven steps:
1. Take an end-to-end view of risk – Assess risk and model/build security across the entire data flow, including devices, applications, storage, brokers and apps.
2. Secure development – Build the components of IoT using robust development methods to reduce vulnerabilities, and then independently test the security of each component.
3. Maintain integrity – The systems provider should accept responsibility for on-going security management; this task should not be delegated to the end customer.
4. Preserve ‘agency’ and control – Systems should be deployed so that they only accept instructions both with the explicit consent of the customer and through channels authorized by the system vendor.
5. Build in resilience – Design system components to operate in an environment of hostile devices and allow restoration to a trusted state if components are compromised.
6. Maintain future trust – Design security that is appropriate for the most sensitive anticipated usage.
7. Seek outside assurance – There should be a level of independent verification so that the customer can trust the integrity of the system. Cyber insurance is another increasingly important option.
For more information about the details of IoT-QF and how it has been used by others to assess their status, please contact firstname.lastname@example.org.