Last week (16th to 20th of April) was all about Internet of Things here in the Nordics. Our journey started from the Nordic IoT Week 2018 event in Finland where many of the industry leaders in the area gathered to discuss and exchange ideas. We followed up with the Nordic StrategyForum event focusing on IoT in Sweden. Somewhere in between, I had the opportunity to join the Yle TV1 morning show and discuss security and IoT from the perspective of consumers and their devices. I also had the pleasure to talk about what IoT and Terminators have in common at the Nordic IoT Week. Quite a bit, as it turns out.
Having spent most of the week talking about IoT from all angles and perspectives one could imagine, one thing is clear: IoT is here and everyone is doing it. From companies doing consumer devices to those working on industrial control systems and everything in between, the basic concept is the same: collect and utilize data, enable new capabilities for users and transform the existing business into something new. As innovative companies find new twists to apply to the formula, others soon follow.
As with any new ventures where companies are innovating and trying out new ideas, security is often neglected. With IoT, the demand is certainly there, and companies understand the need for it. Yet, to keep the focus on the huge transformation effort that is on-going, it’s often more important to get the new products out of the door than it is to ensure near-perfect security. In theory, this is a fair approach to take as long as there is an understanding that security must eventually enter the picture. However, that is easier said than done, as many of the insecure devices out there have shown.
Although, IoT is extremely diverse area and touches almost all business domains today, at the end of the day the technical designs look very similar. Out of all the diagrams that people from different companies drew to illustrate their approach to IoT architecture, they could have easily been explained by using a generic model with minor changes. There are some elements that change – what cloud service is used (if any), is there a separate edge gateway or are the devices themselves smart, and how complex is the network of devices. Yet, the fundamentals are all there in some form. This also helps with security – it’s easier to come up with good principles and apply them to the specific situation at hand.
One clear challenge for many large enterprises was to create a holistic plan for securing their IoT design. Since different components – cloud, connectivity, devices etc. – are owned by a different stakeholder in the company, it’s hard to create a plan that relies on collaboration and trust. For example, the connectivity team can’t assume much about the cloud or the device, leaving them to invent their own security model that only involves connectivity. When all the other teams do the same, the solution is both worse than something designed from top down but also duplicates a lot of effort that could happen just once. Smaller companies avoid this pitfall to a degree since those teams are often the same people.
Another challenge that many companies face is that they aren’t necessarily software development companies. IoT is the thing that enables (or forces) many of these devices on the Internet. In some cases, the devices may not even have any software in them to start with. As these companies embrace IoT and all that comes with it, they suddenly find themselves in a situation where they must learn about basic IT security – and quickly! Things, that rest of the industry that has been making software-based products for years, take for granted, may come as a total surprise when the existing business was mainly based on good old machines made of steel and plastic. Remote management and patching especially are hot topics that come with a range of security concerns to consider.
Few key takeaways from the discussions:
- Make sure your teams are talking and aligning their security approach so that the ends eventually meet and foundation of your security is shared and understood
- Talk to others in the industry – there is a tremendous amount of trial and error being done that can benefit you in form of lessons learned by someone else
- While security is important, it should not stop you from pursuing good business opportunities just because they come with new risks – you have security experts to worry about that part
- Equally important to securing the technology is considering what to do when something goes wrong – detection and reacting fast are your best friends as situations change
It looks like IoT will continue to dominate and drive development during 2018. We plan to be there to ensure that security works like a good butler – out of your way when you want to do something but ever present to ensure that things run smoothly.