United States / Global
Connectivity and Security in the Age of IoT
From users introducing connected devices and applications to their homes and cars, to cities and industries adopting new technologies to revolutionize services and operations, the Internet of Things (IoT) proves to be more than just a load of hype — it’s an inevitable shift. Without a focus on security, however, the same convenience and connectivity afforded by these smart environments can open the doors to a number of threats.
The rise of the Internet of Things (IoT) started when consumers began to interconnect home, work and mobile devices via the cloud so that valuable personal and work information could be easily accessed, no matter what the users were doing or where they might be located. Similarly, commercial and industrial organizations want to gather information across sensors, devices and control systems, often in different locations, in order to provide more intelligence and make better decisions about operations and maintenance. Hence, the emergence of the Industrial Internet of Things (IIoT), which by definition is an extension of IoT for industrial applications.
With the proliferation of IoT and IIoT devices and technologies in the commercial and industrial sectors, we are starting to see the convergence of the traditional information technology (IT) and operational technology (OT) environments. The former involves the applications used to conduct daily business through collaboration and digital information exchange, while the latter includes those used in manufacturing, retail, distribution, and utilities and energy operational processes. Their convergence has led to an integrated environment that allows for improved collaboration, productivity and profitability. At the same time, though, it has exposed organizations’ IT and OT to more security threats and challenges.
The convergence of IT and OT has led to a new environment characterized by an increase in the numbers of various elements with their respective functions within the ecosystem — more devices, sensors, processors, platforms, protocols, etc. At the same time, it has created new dynamic business challenges for the organization.
There is, of course, the cost of adopting new technologies brought about by the underlying IIoT digital transformation. This can prove expensive, entail personnel retraining and otherwise require time and resources for it to work correctly.
The need to ensure that all parts of the organization follow all legal and regulatory requirements also becomes an issue. This is because some parts of the organization might not have been subject to certain requirements prior to the deployment of IoT devices in the organization.
Furthermore, lack of visibility and control on IoT devices across the organization is magnified as cyberattacks increase. In line with this, it is critical for the organization’s reputation to be kept intact following cyberattacks or other forms of violation.
An unwelcome effect of IT/OT convergence is the expansion of the attack surfaces and threat vectors across the organization. This provides more opportunities for hackers, malware authors and criminal groups to take advantage of. Given the profusion of attacks and breaches, cyberthreats are now top of mind for discerning senior executives and board members. This awareness has resulted in increased funding becoming available for the IT environment, but not necessarily for the OT environment, where cybersecurity is still more an afterthought than an integrated part of the business plan.
As a result of IT/OT convergence, we are starting to see significant security challenges for the overall organization. These include lack of security awareness across the IT/OT environment and fragmented security solutions that don’t necessarily work in the OT environment. Another issue is lack of standards and regulations for IoT technologies, which makes planning and implementation difficult. Also, some security models may not have been built into IoT devices and platforms, particularly those used in the OT environment.The prevailing security approach in the OT environment is to use IT practices and technologies. Unfortunately, this doesn’t always work and, in some cases, has caused problems with operational equipment and devices. For one thing, the IT and OT environments have different views about security as they have different reporting lines and business needs. Consequently, misapplications of IT security in the OT environment arise, which in turn lead to self-denial-of-service and other complications.
With regard to addressing business and security challenges in the new converged environment, Trend Micro believes that organizations need a new security strategy. This strategy should be able to provide a comprehensive defense-in-depth framework that can identify, prevent, detect, respond to, recover from and predict the threats of today and tomorrow across both the IT and OT environments. It should include security solutions that are purpose-built to the new IoT/IIoT ecosystem.