OREANDA-NEWS. November 20, 2015. Sean Middleton says that security is at the forefront of IoT considerations. “This isn’t because security is an afterthought, it’s just that security is hard,” he says. “As with all aspects of security, there will be a perpetual race between those seeking to circumvent controls and those looking to improve them.”

According to Middleton, a ‘defence in depth’ model is an effective security strategy. “In other words, [this is] implementing control points at multiple layers in a system—at the device itself, on the gateway it connects through, on the database it accesses, and so on,” he says.

Touching upon shadow IoT, where employees use unauthorized or unapproved IoT devices in the workplace, Middleton notes, “These devices can unknowingly make their way into the corporate environment and, if connected to the network, open an unsecured, uncontrolled and unnoticed hole in the company’s perimeter. The modest risks of smart objects such as Fitbits, smart TVs in a conference room, thermostats…are likely to snowball into serious concerns if left unattended.”

Middleton adds that the onus lies on the companies, and not their customers, to secure the data IoT devices collect or transmit. “To balance the need for security with the desire to connect devices to the Internet, organizations have to emphasize data protection and governance of IoT-generated data to address privacy expectations, notice/choice, consent, context, re-purposing of data and data minimization,” he avers. 

Companies need to adopt a multi-layered approach to IoT security during design and implementation, he says. “IoT systems by design will likely be deployed over long periods of time with continuously evolving capabilities and data,” he points out. “As a result, remote management of these systems is a must, and the ability to ‘reflash’ an IoT device’s firmware over-the-air (FOTA) will be required.”
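The remote management and firmware-over-the-air (FOTA) capability Middleton calls for is only a security gain if the device refuses images it cannot authenticate and refuses to be downgraded; otherwise the update channel becomes the easiest way to put attacker code on the device. The following is an added example, not code from Middleton, OREANDA-NEWS or the report, showing the checks a device should perform before reflashing. The image layout (a 32-byte tag, a 12-byte header with magic, version and payload length, then the payload) is an assumption made for this example, as is the shared key; it authenticates with HMAC-SHA256 so that it runs on the Python standard library alone. A production device would instead verify an asymmetric signature (for example Ed25519) so that it holds only a public key and a compromised device cannot forge updates for its peers, but the structure of the checks is the same.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption for this example, not a real FOTA format):
#   tag(32) || header(12) || payload
# header = magic "FOTA", version (uint32 big-endian), payload length (uint32 big-endian)
MAGIC = b"FOTA"
HEADER_FMT = ">4sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size


class UpdateRejected(Exception):
    """Raised when an image must not be flashed; the message gives the reason."""


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Update-server side: wrap the firmware in a header and authenticate both."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload))
    body = header + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def verify_image(key: bytes, image: bytes, installed_version: int):
    """Device side: return (version, payload) or raise UpdateRejected.

    The tag covers everything after it, so it is checked before any field is
    parsed: a forged or corrupted header never reaches the parser.
    """
    if len(image) < TAG_LEN + HEADER_LEN:
        raise UpdateRejected("image truncated")
    tag, body = image[:TAG_LEN], image[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise UpdateRejected("authentication failed")
    magic, version, length = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    payload = body[HEADER_LEN:]
    if len(payload) != length:
        raise UpdateRejected("length mismatch")
    # Anti-rollback: an authentic but older image could reintroduce a fixed bug.
    if version <= installed_version:
        raise UpdateRejected("rollback to version %d refused" % version)
    return version, payload


def demo():
    """Exercise the three outcomes and return what the device decided."""
    key = b"\x11" * 32  # constructed shared key for the example
    good = build_image(key, 2, b"blink-v2-firmware")
    results = {"accepted": verify_image(key, good, installed_version=1)}

    # Flip one payload byte in transit: the tag no longer matches.
    tampered = bytearray(good)
    tampered[-1] ^= 0x01
    try:
        verify_image(key, bytes(tampered), installed_version=1)
    except UpdateRejected as e:
        results["tampered"] = str(e)

    # A genuine but older image: refused so an attacker cannot downgrade the device.
    old = build_image(key, 1, b"blink-v1-firmware")
    try:
        verify_image(key, old, installed_version=2)
    except UpdateRejected as e:
        results["rollback"] = str(e)
    return results


if __name__ == "__main__":
    for outcome, detail in demo().items():
        print(outcome, detail)
```

Two design points carry over to any real FOTA implementation: authenticate the whole image before parsing a single header field, and keep the installed version in tamper-resistant storage so the rollback check cannot be reset by the same attacker who supplies the old image.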

Middleton opines that the IoT has to be seen as the sum of its parts, and not just loosely assembled forms of instrumentation. “The architecture of an IoT ‘system of systems’ requires an understanding of the autonomy and trusted dynamic interactions across and between each system layer—sensor, device, gateway, network, and cloud,” he says. “This is because the promise of the IoT is not realized by any one component, but by the sum of the parts.”

He adds, “In order to enable secure self-configuring, self-diagnosing, and self-correcting systems, each component must inherently behave in a secure and trusted manner—and be able to rely on that behavior from all other components in the system.”

To read the full report, click part 1 and part 2.