KuppingerCole Analysts' View on Things Security



Approaching the Internet of Things Security

Alexei Balaganski

As already discussed in one of our earlier newsletters, Internet of Things as a concept is by no means new – various smart devices capable of communicating with each other and their operators have been used in manufacturing, automotive industry, healthcare and even at home. These “Things” range from popular consumer products for home automation to enterprise devices like RFID tags all the way through to industrial sensors controlling critical processes like manufacturing or power generation. There is actually very little in common between them other than the reliance on standard network protocols for communicating over the existing Internet. Oh, and the complete lack of security.

Unfortunately, for decades, security for most embedded hardware vendors has always been an afterthought. Companies designing consumer products were more interested in bringing their products to the market as fast as possible and industrial control system vendors seemingly still live in an alternate universe where industrial networks are isolated from the Internet. In our reality, however, things have already changed dramatically. Simply because of the sheer scale and interoperability (at least on the network protocol level) that define modern IoT, it introduces a substantial number of new risks and attack surfaces.

First, the vast number of IoT devices out there makes it increasingly difficult not just to control and manage them, but also to update them if a vulnerability is discovered (if the device in question supports updates at all). Also, proliferation of connected devices greatly increases the chances for hackers to compromise a less reliable device and use it to navigate around the network to attack other devices.

Another obvious challenge is that the safety issue becomes much more critical. If a medical device like a pacemaker or an insulin pump is hacked, a patient’s life is at stake, not just his health record. A compromised connected car can cause traffic accidents. An attack on a piece of industrial equipment can cause critical disruptions or lead to industrial disasters (and even if no lives are lost, financial and legal consequences will be huge anyway).

Identity and privacy implications of the IoT proliferation can be massive as well. The information that can be leaked or stolen from unprotected smart sensors is much more sensitive than, say, your email account. Health records, location and habits history, home surveillance – all this data has to be protected accordingly. Solving the identity management challenge on the global scale is a separate and very daunting task, which vendors are only beginning to tackle.

However, although security experts have long realized that IoT has no room for weak security, this mindset is yet to catch on among the IoT manufacturers. Many of them either have no expertise in security or cannot afford spending much on it (this is especially true for consumer products built upon existing commodity hardware from third party manufacturers). Lack of established standards and protocols is another inhibiting factor.

So, where do we even begin to address these problems? On one hand, it seems that IoT device manufactures are primarily responsible for making their products more secure. Security by Design and Privacy by Design must become mandatory parts of their design processes. Vendors have to incorporate security features into their solutions on all levels from device firmware to service provider infrastructures to training their employees accordingly. They also must minimize data collection and store only the information that’s required for their devices to function and ensure that all applicable privacy regulations are addressed. Finally, they must provide continuous security updates and patches for the whole lifecycle of their products. Obviously, they must be both incentivized by government agencies for complying with these requirements and punished for violating them. They should also look to join various industry groups and technology alliances to get access to the latest standards and best practices.

However, it’s also obvious that we cannot rely on the vendors alone to address this massive and multifaceted problem. Designing a proper security infrastructure for modern “hyperconnected” businesses requires a holistic approach, where various security, privacy-enhancing and identity management solutions are operating in accord, orchestrated and monitored from a central management console. Emergence of new standards and open APIs in the IoT field to support such scenarios is therefore critical. Providing flexible identity management and fine-grained access control is especially important here, and many existing IAM tools are yet to be adapted to support the sheer scale and inherently heterogeneous nature of the Internet of Things.

It is also worth stressing that solving the IoT security challenge isn’t limited by addressing technology issues. To fulfill the often conflicting requirements and expectations of all parties involved, a lot of legal and liability issues have to be solved as well. And there are many more parties involved than many expect. For connected vehicles, for example, we have to think not just about relationships between car manufacturers and drivers, but also about insurance companies, auto mechanics, environmental protection agencies and, of course, the police.

Last but not least, we always have to think about consumer’s choice and consent. Giving users control over collection and sharing of their sensitive personal data by IoT devices can be not just a great business enabler for device manufacturers, but also a strong security and privacy-enhancing factor.

In the end, the Internet of Things is here to stay. It provides a great number of new opportunities, but introduces quite a number of new risks. These risks can only be addressed by the combined effort of IoT device manufacturers, “traditional” IT security and IAM vendors, technology alliances and standards bodies, governments and end users. Only together we can ensure that “Industry 4.0” won’t one day turn into “Skynet 1.0”.


Security is part of the business. Rethink your organization for IoT and Smart Manufacturing.

Martin Kuppinger

IoT (Internet of Things) and Smart Manufacturing are part of the ongoing digital transformation of businesses. IoT is about connected things, from sensors to consumer goods such as wearables. Smart Manufacturing, also sometimes titled Industry 4.0, is about bridging the gap between the business processes and the production processes, i.e. manufacturing goods.

In both areas, security is a key concern. When connecting things, both things and the central systems receiving data back from things must be sufficiently secure. When connecting business IT and operational IT (OT for Operational Technology), frequently systems that formerly have been behind an “air gap” now become directly connected. The simple rule behind all this is: “Once a system is connected, it can be attacked” – via that connection. Connecting things and moving forward to Smart Manufacturing thus inevitably is about increasing the attack surface.

Traditionally, if there is a separate security (and not only a “safety”) organization in OT, this is segregated from the (business) IT department and the Information Security and IT Security organization. For the things, there commonly is no defined security department. The logical solution when connecting everything apparently is a central security department that oversees all security – in business IT, in OT, in things. However, this is only partially correct.

Things must be constructed following the principles of security by design and privacy by design from the very beginning. Security must not be an afterthought. Notably, this also increases agility. Thus, the people responsible for implementing security must reside in the departments creating the “things”. Security must become an integral part of the organization.

For OT, there is a common gap between the safety view in OT and the security perspective of IT. However, safety and security are no dichotomy – we need to find ways of supporting both, in particular by modernizing the architecture of OT, well beyond security. Again, security has to be considered here at any stage. Thus, execution also should be an integral part of e.g. planning plants and production lines.

Notably, the same applies for IT. Security must not be an afterthought. It must move into the DNA of the entire organization. Software development, procurement, system management etc. all have to think about security as part of their daily work.

Simply said: Major parts of security must move into the line of business departments. There are some cross-functional areas e.g. around the underlying infrastructure that still need to be executed centrally (plus potentially service centers e.g. for software development etc.) – but particularly when it is about things, security must become an integral part of R&D.

On the other hand, the new organization also needs a strong central element. While the “executive” element will become increasingly decentralized, the “legislative” and “judicative” elements most be central – across all functions, i.e. business IT, OT, and IoT. With other words: Governance, setting the guidelines and governing their correct execution, is a central task that must span and cover all areas of the connected enterprise.



IoT in industrial computer systems (ICS)

Graham Williamson

IoT, the Internet of Things, covers a wide range of technologies. My Fitbit e.g. is an IoT device, it connects to my smartphone which formats the data collected on my movements. Also, vehicles that communicate with diagnostic instruments and my home thermostat that I can control via the Internet are IoT gadgets.

This article, however, is concerned with a very particular type of IoT device: a sensor or actuator that is used in an industrial computer system (ICS). There are many changes occurring in the Industrial computer sector; the term Industry 4.0 has been coined as a term to describe this 4th generation disruption.

A typical ICS configuration looks like the following:

  • The SCADA display unit shows the process under management in a graphic display. Operators can typically use the SCADA system to enter controls to modify the operation in real-time.
  • The Control Unit is the main processing unit that attaches the remote terminal units to the SCADA system. The Control unit responds to the SCADA system commands.

The Remote Terminal Unit (RTU) is a device, such as a Programmable Logic Controller (PLC), that is used to connect one or more devices (monitors or actuators) to the control unit. It is typically positioned close to the process being managed or monitored but the RTUs may be hundreds of kilometres away from the SCADA system.

Communication links can be Ethernet for a production system, a WAN link over the Internet, a private radio link for a distributed operation or a telemetry link for equipment in a remote area without communications facilities.

So what are the main concerns regarding IoT in the ICS space? As can be seen from the above diagram there are two interfaces that need to be secured. The device to RTU and the fieldbus link between the RTO and the Control Unit.

The requirement on the device interface is for data integrity. In the past ICS vendors have relied upon proprietary unpublished interfaces i.e. security by obscurity. This is not sustainable because device suppliers are commoditising the sector and devices are increasingly becoming generic in nature. Fortunately, these devices are close to the RTU and in controlled areas in many ICS environments.

The interface to the Control Unit is typically more vulnerable. If this link is compromised the results can be catastrophic. The main requirement here is for confidentiality; the link should be encrypted if possible and this should be taken into account when selecting a communications protocol. Manufacturing applications will often use MQTT which supports encryption, electrical distribution systems will often use DNP3 which can support digital signatures, in other cases poor quality telemetry links must be used in which case a proprietary protocol may be the best option to avoid potential spoofing attacks.

One big benefit of the current developments in the ICS sector is the increasing support for security practices for operational technology. Whereas in the past there was a reliance in isolation of the ICS network, there is now an appreciation that security technology can protect sensitive systems while enjoying the benefits of accessibility. In fact, both worlds can be seen as siblings, focused on different parts of the enterprise. There already exist promising possibilities to enable this duality, e.g. this one. But understanding the technology is also important: One home automation equipment supplier released a line of sensor equipment with an embedded digital certificate with a one-year validity.

Conclusion: Despite all – yet partly unseen – benefits of connected things, there are still many pitfalls in vulnerable industrial networks and there is a massive danger of doing IoT basically wrong. The right path has still to be found and the search for the best solutions is a constant discovery process. As always, one of the best ways to success is sharing one’s experiences and knowledge with others, who are on the same journey.

What are your thoughts on #iotsecurity?

Join the discussion and share your comments
on KuppingerCole Blogs or on Twitter @KuppingerCole

Related KuppingerCole Events

Related KuppingerCole Research

Related KuppingerCole Podcasts