
RIoT Control

By Tyson Macaulay | May 05, 2016

This is the first in a series of blogs written as a companion to my forthcoming book, RIoT Control – Understanding and Managing Risk and the Internet of Things.

Overview – The Internet of Things

Analysts estimate that over 50 billion new, non-user, IP-enabled devices will be added to the Internet over the next few years. These devices will range from sensors in power grids to infusion pumps in hospitals to smart appliances in your kitchen. Collectively, these devices are known as the Internet of Things, or IoT.

IoT is about devices at the edge of the Internet communicating with large centralized networks. They are often designed to share information, make decisions, and take action without involving people. These decisions may be as simple as inventory control or ordering a new water filter for your refrigerator, or as complex as managing doses of medicines for critically ill patients or managing traffic flow for an entire city. IoT represents billions of devices speaking to each other, and often managing outcomes in the physical environment. It has been developed because it represents an improvement in some outcome or service: either greater efficiency, or added value to that outcome or service.

The IoT presents business opportunities in virtually all industrial sectors. It is a key factor in driving the world’s new digital economy, and is integral to the future of how we design, manufacture, deliver, and manage goods and services.

Risk and IoT, or RIoT

IoT represents a significant change in how we interact with the devices and services that surround us and that we have come to rely upon. It also represents new risk, adding layers of vulnerability that need to be addressed, not just to protect personal information, but to protect critical infrastructure systems such as nuclear facilities and power grids, transportation systems, health care systems and hospitals, and manufacturing systems – all of which are in the process of adopting and deploying IoT devices into their products and environments.

RIoT is all about how we manage the new risks associated with IoT. Over the course of this series of blogs we will examine IoT within the framework of a formal risk assessment process. We will cover:

  • Asset Inventory: What are you assessing or protecting? This includes not only the IoT-enabled devices themselves, but the data, infrastructure, and resources that monitor and/or communicate with them.
  • Requirements and Sensitivity Analysis: How much damage are the assets susceptible to, from the perspective of Confidentiality, Integrity, and Availability? And are there other challenges associated with sensitivity that emerge with IoT? (The answer is yes.)
  • Threat Analysis: Who or what might want to impact sensitivity? Who are the threat actors and potential victims? What is the potential for harm? What do these new threat vectors mean?
  • Vulnerability Analysis: Where are the weaknesses that a threat agent might exploit? What is the potential for impact upstream and downstream from that vulnerability?
  • Risk and Mitigation: Taking into account the frequency or likelihood that a threat agent will try to exploit a vulnerability, what is the actual, calculated risk? Risk is almost always expressed in a qualitative manner (high/medium/low, for example), and we will not attempt to go beyond this convention. And finally, what can you do about this risk?
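To make the five steps above concrete, here is an added worked example of my own (not code from the book or from the post): a small Python risk register that walks an asset inventory through sensitivity, threat, vulnerability, and qualitative risk rating, then re-rates a threat after a mitigation lowers its likelihood. Every asset, dependency, threat actor, vulnerability label and rating below is constructed for illustration, the likelihood-by-impact matrix is one common qualitative convention rather than anything the post prescribes, and treating an asset's downstream dependents as part of the impact is a simplifying assumption.

```python
"""Qualitative IoT risk register: a constructed illustration of the
asset -> sensitivity -> threat -> vulnerability -> risk/mitigation steps.
All data and the rating matrix are assumptions made for this example."""

from dataclasses import dataclass, field, replace

LEVELS = ("low", "medium", "high")

# Assumed qualitative matrix: RISK_MATRIX[likelihood][impact] -> risk.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class Asset:
    """Inventory entry with a sensitivity level per CIA property."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    depends_on: list = field(default_factory=list)  # upstream asset names


@dataclass(frozen=True)
class Threat:
    """A threat actor exploiting one vulnerability against one asset."""
    actor: str
    targets: str        # asset name from the inventory
    affects: str        # CIA property the exploit would damage
    likelihood: str     # how often the actor is expected to try and succeed
    vulnerability: str  # the weakness (constructed label)
    mitigation: str = ""


def downstream(assets, name):
    """Names of assets that depend, directly or transitively, on `name`."""
    hit, frontier = set(), [name]
    while frontier:
        current = frontier.pop()
        for other in assets.values():
            if current in other.depends_on and other.name not in hit:
                hit.add(other.name)
                frontier.append(other.name)
    return hit


def impact_of(threat, assets):
    """Worst sensitivity for the affected property across the target
    and everything downstream of it (the cascade assumption)."""
    names = {threat.targets} | downstream(assets, threat.targets)
    levels = [getattr(assets[n], threat.affects) for n in names]
    return max(levels, key=LEVELS.index)


def rate(threat, assets):
    """Return (impact, qualitative risk) for one threat."""
    impact = impact_of(threat, assets)
    return impact, RISK_MATRIX[threat.likelihood][impact]


def mitigate(threat, control, steps=1):
    """Model a control that lowers the threat's likelihood by `steps` levels."""
    idx = max(0, LEVELS.index(threat.likelihood) - steps)
    return replace(threat, likelihood=LEVELS[idx], mitigation=control)


def build_register(assets, threats):
    """Rate every threat and order the register from highest risk down."""
    rows = []
    for t in threats:
        impact, risk = rate(t, assets)
        rows.append({"asset": t.targets, "actor": t.actor,
                     "vulnerability": t.vulnerability, "property": t.affects,
                     "likelihood": t.likelihood, "impact": impact, "risk": risk})
    return sorted(rows, key=lambda r: -LEVELS.index(r["risk"]))


# Constructed inventory: two small dependency chains.
ASSETS = {a.name: a for a in [
    Asset("hospital gateway", "medium", "high", "high"),
    Asset("infusion pump", "medium", "high", "high", ["hospital gateway"]),
    Asset("home gateway", "low", "low", "low"),
    Asset("smart fridge", "low", "low", "low", ["home gateway"]),
]}

# Constructed threats; vulnerability labels are generic, not real findings.
THREATS = [
    Threat("opportunistic botnet", "home gateway", "availability", "high", "weak default password"),
    Threat("ransomware crew", "hospital gateway", "availability", "medium", "outdated firmware"),
    Threat("insider", "infusion pump", "integrity", "low", "unauthenticated maintenance interface"),
]

if __name__ == "__main__":
    for row in build_register(ASSETS, THREATS):
        print(row)
    patched = mitigate(THREATS[1], "firmware patch cadence")
    print("after mitigation:", rate(patched, ASSETS))
```

The register puts the hospital gateway at high risk even though its likelihood is only medium, because the availability of the infusion pump downstream inherits the outage; the same botnet-class threat against the home gateway lands at medium because nothing sensitive sits behind it. Re-rating after the patching control drops the hospital gateway to medium, which is the "what can you do about it" step expressed in the same high/medium/low convention the post describes.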

It may help at this point to define what RIoT is NOT.

It is NOT only about machines. It is about data created by machines that mixes and mingles with data generated by people also using computing devices. It is about the emerging machine-made information database that will exist alongside the current, manmade information database.

It is NOT limited to new forms of information sharing. It’s about a new way to collect, gather, and correlate information from the world at large, especially the physical world.

It is NOT just about wireless or cellular networking. While wireless communications help facilitate the distribution of information, that is just the beginning. The IoT will be about many types of networks running side by side that have access to a network or Internet gateway, and that will bind IoT endpoints to the analytics and applications used in data centers.

And risk and security are (mostly) NOT about privacy. Of course, there is the potential for IoT compromises to expose personal information. And that needs to be rigorously defended against. But most of the data in a given business has value for reasons independent of privacy issues. Instead, it is proprietary, internal information about production, coordination, finances, marketing and sales, research, and general administration. Much of this data is unstructured, and of course, some personally identifiable data will frequently be scattered throughout this unstructured and structured (databases, directories) mass of information that needs to be protected.

RIoT IS largely about the bigger issues associated with regulatory risks, financial risks, competitive risks, and internally focused risks affecting critical infrastructure and other verticals alike, all of which have use-cases driving investment in IoT. When IoT is poorly managed from a risk and security perspective, it will expose people and economies in ways that can disrupt lives, ruin businesses, and threaten our safety and prosperity.

In the next blog we will be exploring the complexity of these interconnected devices, and how that complexity introduces new risks to users, administrators, and networked environments.

Tyson Macaulay is the Chief Security Strategist and VP of Security Services at Fortinet, Inc. His new book, “RIoT Control – Understanding and Managing Risk and the Internet of Things,” will be published this summer by Morgan Kaufmann Publishers.