Five Disturbing Trends in IoT Security for 2018, and What You Can Do About Them

Transcription

1 Gartner Security & Risk Management Summit 2018 June 4 7 / National Harbor, MD gartner.com/us/securityrisk Five Disturbing Trends in IoT Security for 2018, and What You Can Do About Them Earl Perkins Vice President, Gartner Research Ruggero Contu Director, Gartner Research Saniye Burcu Alaybeyi Director, Gartner Research 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. For more information, info@gartner.com or visit gartner.com. EVTM_851_353762

2 Five Disturbing Trends in IoT Security for 2018, and What You Can Do About Them Published: 31 October 2017 ID: G Analyst(s): Earl Perkins, Ruggero Contu, Saniye Burcu Alaybeyi As Internet of Things deployments increase, security and risk management leaders should make note of key IoT security trends caused by these deployments, and of resulting actions needed. Key Challenges IoT product and service vendors are paying little attention to scenario- or vertical-specific requirements for IoT security. Common security patterns for vertical-focused IoT deployments do not exist. Organizations acquired the skills to adjust to extended digital security impacts caused by IoT. Regulatory and market pressures to address specific vertical needs for IoT security are growing. Technical standards and frameworks for IoT security are almost nonexistent or beta editions, as is security testing and certification. Recommendations To develop an IoT strategy and advance it with organizations engaged in IoT projects, security and risk management leaders must: Develop methods for matching providers to specific IoT security scenarios by imitating cases from OT and physical security. Use common security patterns by scenario, then modify patterns based on required business outcomes. Train for new in-house skill sets for support of critical assets and environments, and evaluate managed and cloud-based security services for less risky support activities. Adopt security testing and certification services for required or recommended certifications. Use the service when driven by your regulatory or contractual requirements.

3 Prepare to rearchitect as standards change. Consider your dependence on the notable immaturity of those proprietary standards and compensate with existing standards available. Table of Contents Introduction... 2 Analysis...3 Develop Methods for Matching Vendor and Service Providers to IoT Security Scenarios and Vertical Requirements... 3 Recognize and Use Common Security Patterns by Scenario, Vertical and Layers to Address IoT Security Needs... 4 Gartner Recommended Reading... 8 List of Figures Figure 1. IoT Planning Pattern Components... 5 Figure 2. Organizations Defining IoT Standards...7 Introduction Very few technological events in history have had the type of impact that Internet of Things (IoT) has made on the technology fabric of business today. IoT security attempts to address the protection and threat from a growing numbers of IoT devices and systems in industrial, commercial and consumer environments. The use of IoT security remains surprisingly small, yet it remains one of the highest concerns consistently among executives in the industry today (see "IoT Technology Disruptions: A Gartner Trend Insight Report"). Trends in IoT security reflect the movement of the markets and provide indicators to security and risk managers (SRMs). These trends can help SRMs make more effective decisions when addressing the use of IoT devices and systems in their organization. These trends cover key areas such as: Verticalization (where there are specific security requirements for specific verticals) Design of secure end-to-end IoT deployments Organization and skills requirements The impact of evolving IoT security standards This appraisal provides some key actions in response to some of those evolving trends. Page 2 of 10 Gartner, Inc. G

4 Analysis Develop Methods for Matching Vendor and Service Providers to IoT Security Scenarios and Vertical Requirements The market for securing IoT devices is no longer nascent, but remains in the early stages of evolution. There are areas of growth to address unique aspects of IoT devices and impact, such as: Embedded security functions within the device (e.g., application execution environments, encryption) Securing cloud-based applications in IoT through expanded uses of cloud access security brokers (CASBs) The security implications of expanded wireless network types in existing end-to-end IoT networks (e.g., Z-Wave, ZigBee) Impacts include: Increases in scale of data amounts and device counts Diversity of systems across engineering and information-centric requirements Fit-for-purpose functions of devices Type of data and data flows generated Product and service providers, both new and old, are responding with their own methods of IoT security in digital business initiatives, regardless of scenario- or vertical-specific requirements. Traditional IT security vendors tend to reshape existing offerings, while new market entrants choose particular layers of security to address specific verticals or specific requirements. SRMs engaged in product or service evaluation and selection must recognize: When there are unique IoT requirements due to the device, the network or the scenario. Where there are traditional IT security requirements that can be addressed with modification to their existing IT security. This means, for example, creating methods of vendor matching against requirements using skills provided by outside agents, or developing more targeted scenarios for proofs of concept testing. Mobile security methods for handling limited resource capability can also be extended to wearable technologies, particularly nomadic ones. This includes techniques for trusted execution environments, encryption methods that may incorporate firmware or securing wireless communications across different frequency types. OT security methods involving trust zone segmentation in networks, extended proprietary standards support and experience in multiple platform environments are also useful. Highly decentralized accountability and responsibility for security controls and operations are useful, as well. Gartner, Inc. G Page 3 of 10

5 Recognize and Use Common Security Patterns by Scenario, Vertical and Layers to Address IoT Security Needs Traditional IT security has created a set of common security "patterns" for general-purpose platforms based on the server or variants such as mobile phones and tablets (see "Don't Let Your IoT Projects Fail: Use the Right IoT Security Pattern to Protect Them"). Those platforms are capable of running different applications no matter the requirement, whether customer relationship management or enterprise resource planning, for example. The information-centric design using processing, memory, data storage and user interfaces has served organizations in this manner for decades. IT security has evolved to develop a layered approach addressing data, application, platform, network and endpoint requirements, regardless of the business purpose. IoT devices are not exclusively general-purpose platforms. Some device classes, particularly simple sensor and actuator-based platforms, are fit-for-purpose. Some possess little or no data storage, but have memory and processing. Some have very little memory or processing, but are networked to transmit and receive data to initiate physical actions in machinery, for example. These fit-forpurpose platforms can and do alter the security patterns of established IT security. This requires an extension or new approach to providing end-to-end IoT security where such devices or systems are involved. SRMs should build a security pattern that addresses the IT portion of an end-to-end IoT initiative and use this pattern as a starting point, noting the following: The business outcome desired The device type used and its limitations The data flow it generates and receives for early indicators of modifications required For example, if a device cannot reliably store keys as part of an authentication strategy, it may require a vendor-specific appliance, human-machine interface (HMI)/mobile device application, aggregator or gateway. This will serve as an intermediate key storage and management point for those devices. It may also require the introduction of proprietary solutions temporarily as the markets evolve to standardization. Other qualifications for building a security pattern (see Figure 1): Are physically exposed to the public and the internet (may power up everything that might cause trouble). Has to stay secure for a decade or more Has accessible power, connections and even places to stick things in Contractor back doors (so you don't forget how to access systems you build) Page 4 of 10 Gartner, Inc. G

6 Figure 1. IoT Planning Pattern Components Source: Gartner (October 2017) Train for Skill Sets in Long-Term Digital Security Management and Support In-House While IT security has served all types of industries for decades, there have been at least two distinctive cultures that have made use of computing technologies: An information-centric culture that uses IT security An engineering culture that uses some IT security, as well as specialized systems that may require OT security for asset-intensive industries such as utilities, transportation and manufacturing (see "Market Guide for Operational Technology Security"). IoT itself is a successor to some of the same characteristics as OT. This is particularly true in areas of endpoint security where OT utilizes sensors and actuators routinely to manage physical state changes in machines and environments. IT and OT security organizations are converging in most asset-intensive enterprises. IoT initiatives are accelerating the convergence due to similar requirements to OT. Even in nonengineering organizations, IoT has introduced the physical state change concerns. SRMs should acquire IoT security skill sets and modify organizations to adjust to a new reality, leveraging experiences of industrial automation and control organizations in highly decentralized implementations. These support high-availability and real-time systems. Large-scale multimedia and telecommunications organizational structures also serve as starting points for managed and hosted security service providers if the scenario matches that scale of deployment. Gartner uses the term "digital" security to highlight the use of IoT devices and systems in both information- and engineering-focused organizations. SRMs must leverage the knowledge learned Gartner, Inc. G Page 5 of 10

7 from IT/OT convergence in developing strategic support for the digital security reality IoT brings. However, the potential complexity of IoT security environments is likely to strain current security departments. It will require ruthless prioritization of strategic security support requirements versus more common and less critical requirements, causing SRMs to aggressively seek operations support and management from third parties to augment staffing. Cultural changes that must occur due to multiple parties within the organization that have not communicated or worked together in the past. Organizations that have different missions must also undergo shifts in accountability, responsibility and awareness. Adopt Security Testing and Certification Services for Required or Recommended Certifications Regulatory concerns regarding the impact of IoT on industrial, commercial and consumer environments is growing. Media reports and technical reports of compromises of those devices are increasing. Early indicators in utilities and healthcare in several nations are fueling the debate around some security certifications of devices, particularly consumer and healthcare devices. 1, 2 These services are growing under regulatory and market pressures to: Address specific vertical needs for IoT security. Provide some level of standardization for different industries, though this still remains voluntary as of this date. As more industry vertical frameworks are published, the services will become more structured and standardized, a necessity in the evolving IoT security industry. 3 Gartner urges SRMs to use these security testing and certification services as starting points for tool and service evaluation in early IoT initiatives. Even if the services are not acquired, the structure and approach used can be useful in shaping internal testing or certification process. Monitor the evolution of regulations and guidance within your company's vertical to assess possible timeframes. Continue to monitor incidents and threats both within and outside of your vertical. This monitoring is needed to assess possible impacts on regulatory movements within your vertical as a result. Prepare to Rearchitect as Standards Change, Considering Your Dependence on the Immaturity of Those Standards and Compensating With Existing Standards While there are evolving IoT technical standards and protocols, specific security standards for IoT are lagging (see "Hype Cycle for IoT Standards and Protocols"). There are IoT industry verticals and broader vendor ecosystems that drive proprietary security for those environments. For example, these environments include consortia such as the Industrial Internet Consortium (IIC) for industrial and ecosystems from Google or Samsung. Efforts in established standards bodies such as the GlobalPlatform efforts, IEEE, ISO/IEC, OASIS or W3C are primarily in the working group stage. These institutions are working with standards bodies as well (see Figure 2 and "Make the Best of Your IoT Consortia Engagement"). Page 6 of 10 Gartner, Inc. G

8 Figure 2. Organizations Defining IoT Standards Source: Gartner (October 2017) Organizations should be pragmatic in their use of technical standards and frameworks for IoT security at this stage. There are some available, but consider the current vendors' dependence on specific proprietary ecosystems and the notable immaturity of those standards. SRMs should start with the industry vertical to identify and review consortia efforts at the framework level. Choose the technical standards group with working groups specific to your IoT scenario to determine progress and efforts. Participate in those groups where you have specific requirements you wish to ensure are part of final standards. Some notable industry consortia and standards bodies (not comprehensive) for frameworks and standards today specific to IoT security include Industrial Internet Consortium (IIC) Institute for Electrical and Electronics Engineers (IEEE) International Standards Organization/International Electrotechnical Commission (ISO/IEC) Internet Engineering Task Force (IETF) IoT Cybersecurity Alliance IoT Security Foundation Open Web Application Security Project (OWASP) Other consortia have different areas of IoT under consideration with smaller initiatives around security. Future Gartner research will address IoT security standards in further detail. Recommendations for SRMs: Pursue a dual strategy of IT security standardization for those layers or patterns used within your initiatives and layers required for endpoints or networks supporting IoT devices. Gartner, Inc. G Page 7 of 10

9 Evaluate the approaches during proofs of concept. Design any final deployment, taking into account the possible temporary nature of standards as they develop. Mind this particularly in embedded security and wireless security for IoT devices, and in identity management implications for those devices. Acronym Key and Glossary Terms IEEE Institute of Electrical and Electronics Engineers IETF IEC/ISO OASIS W3C Internet Engineering Task Force International Electrotechnical Commission/International Standards Organization Organization for the Advancement of Structured Information Research World Wide Web Consortium Gartner Recommended Reading Some documents may not be available as part of your current Gartner subscription. "Market Trends: Move Cybersecurity Into the Core of Vertical Industry Strategies" "Don't Let Your IoT Projects Fail: Use the Right IoT Security Pattern to Protect Them" "Market Trends: Grow Your IoT Security Business by Investing in Real-Time Discovery, Visibility and Control" "Address Cybersecurity Challenges Proactively to Ensure Success With Outsourced IoT Initiatives" "Forecast: IoT Security, Worldwide, 2016" "IoT Technology Disruptions: A Gartner Trend Insight Report" "Market Guide for Operational Technology Security" "Hype Cycle for IoT Standards and Protocols" "Make the Best of Your IoT Consortia Engagement" Evidence 1 K.J. Higgens. "New Internet of Things Security-Certification Program Launched." Dark Reading. 25 May "Cybersecurity, Securing and Protecting Products, Software and Infrastructure Against Cybersecurity Risks." Underwriter Laboratories. Page 8 of 10 Gartner, Inc. G

10 3 "Industrial Internet Security Framework Technical Report." Industrial Internet Consortium. Gartner, Inc. G Page 9 of 10

11 GARTNER HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT USA Regional Headquarters AUSTRALIA BRAZIL JAPAN UNITED KINGDOM For a complete list of worldwide locations, visit Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. If you are authorized to access this publication, your use of it is subject to the Gartner Usage Policy posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity. Page 10 of 10 Gartner, Inc. G