By Gbemi Oladunjoye on December 17, 2015 21:48
There is a revolution underway that has the potential to be staggeringly transformational and, at the same time, highly disruptive; it is currently called the Internet of Things (IoT) trend. IoT (also referred to as the “Internet of Everything”) devices have embedded network, computing and other information-processing capabilities, which allow them to be interconnected. The number and types of devices being manufactured with these built-in IoT features are increasing rapidly. It is imperative to take notice of the IoT trend because it has a strong potential to redefine the security risk equation within many enterprises.
This growing internetwork of “things” comprises physical objects with the capability to communicate in new ways—with each other, with their owners or operators, with their manufacturers or with others—to make people’s lives easier and enterprises more efficient and competitive. The possible use cases for IoT are extensive and growing by the day. Already, automobiles, household appliances, biomedical devices and other purpose-built devices are processing data, communicating with each other and performing other automated tasks, such as keeping themselves updated, notifying users of potential repair issues and tracking (and potentially scheduling automatically) routine service calls. Less predictable use cases include smart utensils that help to monitor eating habits, smart socks that measure pressure to help improve running performance and a “smart diaper” that notifies parents when it needs to be changed.
The “Internet of Things” generally refers to physical objects that have embedded network and computing elements and communicate with other objects over a network. Definitions of IoT vary on the pathway of communication: some state that IoT devices communicate over the Internet, while others state that IoT devices communicate via a network, which may or may not be the Internet. The technology is evolving faster than most people can keep up with, despite all the reports that are published.
Some argue that it is also a misnomer to keep referencing it as the IoT when, in progressively more instances, the Internet is not even involved. It is becoming more like the Network of All Things (NoAT), with more capabilities emerging for smart devices to communicate directly with each other in ways that go beyond long-standing peer-to-peer (P2P) communications. As these new technologies emerge, many are not being designed under any existing legal requirement to include security and privacy controls. For example, wearable fitness devices, home energy controllers, driverless and Internet-connected cars, smart watches and many others seem to be designed with the ultimate goal of being newsworthy for how much data they can collect, analyze and share, without the auspices of virtually any regulatory authority to establish a minimum set of security and privacy controls.
The IoT trend is transformative from a business standpoint: business value and organizational competitiveness can be derived directly as enterprises capitalize on these new capabilities to gain more and better business value from the devices that they purchase. Additionally, businesses can compete more effectively in the marketplace as they provide these features in the products that they sell and incorporate them into the service offerings that they provide. Nevertheless, establishing security and privacy requirements for these growing numbers of personal smart devices is needed yesterday; unfortunately, these devices are being manufactured and introduced to the market faster than their corresponding security, privacy and governance/regulatory requirements are evolving.
With this additional value comes additional security risk or, at least, new avenues of possible security risk. Devices with “always on” network connectivity are enabling new types of attacks that have not been seen in the past; these devices represent a new set of targets for potential data exposure and crime. Moreover, without appropriate planning and forethought, these devices could have privacy impacts that are beyond the customer comfort level. The ramifications and adoption of IoT are fast changing the risk/value equation for many practitioners who hold stakes in the trust and value of information and information systems. This means that risk decisions will inevitably need to be revisited. Embedded network and computing capabilities are fast becoming commonplace, creating a need to rebalance related risk/reward decisions. Along with that comes the need to adjust how these devices fit into the overall management and governance approach and to ensure that the security of these devices is addressed and implemented.
Holistic risk management, ideally, should account for both the upside potential of the technology (i.e., new value enabled through its use) and the possible new risk introduced by using it. Thinking these areas through ahead of time—before the technology is actively proliferating throughout the enterprise—helps enterprises to be more strategic by accounting for potential areas of adoption in their enterprise risk planning. Practitioners can plan ahead by starting to invest now in areas that help them to maximize investment—and decrease risk—as IoT use increases. This requires evaluating and understanding both the potential value to the enterprise and the potential new risk that gets introduced.
Research conducted by Pew Internet in association with Elon University suggests that this technology is emerging at a fairly rapid rate and that significant change will transpire. The researchers surveyed a population of “technology experts and/or industry stakeholders”; 83 percent of those surveyed envisioned widespread, transformative and beneficial impacts on the technology ecosystem due to the emergence of IoT by the year 2025.
Although this widespread transformative change may take a few years to be fully realized, the initial changes are taking place now. For example, the healthcare vertical has used embedded connectivity and computing components for many years. Biomedical devices (including implantable devices), such as pacemakers and insulin pumps, and diagnostic equipment, such as imaging equipment, not only have the capability to communicate with each other and the outside world, but also have built-in computing elements to automate certain tasks. An implantable defibrillator can have the capability to share diagnostic information wirelessly with medical personnel and also have computing elements that help to determine when defibrillation is necessary. Household appliances are now available that can automatically schedule repairs or routine service with minimal (or no) user intervention, wearable devices can track their wearers’ physical activity (to let them know whether they are leading a healthy lifestyle) and automobiles have computerized navigation, accident prevention and fuel efficiency features. Most newly manufactured automobiles have at least three to four (3–4) IP addresses embedded in their systems.
Other industries have similar special-purpose devices that have embedded computational and/or networking capability. Examples include retail point of sale (PoS) systems, energy and manufacturing industrial control systems (ICS), and communications company switching and routing equipment. One difference between these “purpose-built” embedded systems that are already in use and the IoT concept described in this paper is the ubiquity of the technology and the scale of such endeavors. As the cost of IoT technology decreases, the number of possible use cases that integrate embedded components increases to the point where IoT technology can be economically incorporated into more large appliances and vehicles and, ultimately, into smaller, lower-cost items, such as wearable objects. In many respects, IoT is less “emerging” than “emerged” and already building traction; by many indicators, IoT has already arrived in force. Analyst firm International Data Corporation (IDC) estimates that the 2014 install base is approximately 190.1 billion unique devices, with a market size of just under $6 trillion in total revenue ($5,942.4 billion USD). IDC expects those numbers to increase to 211.9 billion installed end points and about $9 trillion ($8,852 billion USD) by 2020, which is an anticipated growth rate of 7.9 percent, year over year.
According to the 2014 ISACA Risk/Reward Barometer, a survey of global ISACA members in 110 countries, 43 percent of businesses are already addressing IoT: 28 percent already have plans in place to leverage IoT, while another 15 percent will be creating those plans in the next 12 months (see figure 1 below).
The Internet of Things can be a powerful concept. However, like any new technology deployment, its risk must be evaluated holistically to ensure that business value is maximized while risk is minimized. Such an evaluation is best carried out through collaborative efforts among all stakeholders, including business teams, compliance, operations, information security, privacy and all other pertinent areas.
IoT has the potential to be huge and is already changing the way people live, work and play. Its advantages are numerous and can be life changing and lifesaving. IoT is fast evolving and already ubiquitous, although most people are unaware of it.
References:
ISACA, Internet of Things: Risk and Value Considerations (paper)
ISACA Journal, Volume 6, 2015: The Criticality of Security in the Internet of Things