Who’s in Charge of IoT Security? The Role of the CSO Referee

IoT is creating a push-pull environment within organizations, with operations pushing to take advantage of IoT-enabled technology and IT pulling back due to security concerns.

Wes Woolbright is a Cybersecurity Solutions Specialist at Blue Ridge Networks.

The Internet of Things (IoT) has delivered huge benefits to organizations by enabling devices, people and servers to interact with each other, to enhance efficiencies, reduce operational costs and improve data-driven decision making, while also transforming the end-user experience. But, with all of the perks and potential benefits come internal challenges about how to secure IoT networks — and who is ultimately in charge?

IoT is creating a push-pull environment within organizations, with OT (operational technology) pushing to take advantage of IoT-enabled technology and IT pulling back due to security concerns. For example, imagine an OT department manager advocating for the deployment of IoT-enabled video surveillance. The benefits are hard to deny – having the ability to monitor facilities in real-time with smart security solutions could tremendously improve existing security processes. But, IT questions the security standards (or lack thereof) around the real-time data streaming via the surveillance devices. IT insists that adding security policies and processes is necessary to make the cameras a viable option. This additional layer could possibly slow down the data transmission speeds, but without it security for the whole network could be compromised. Neither option is ideal. So, who makes the call?

The clash between IT and OT teams is nothing new, and the catalyst for the conflict boils down to the simple fact that they are working towards different missions. With different end goals in mind, these teams can’t see eye-to-eye on how to most productively take advantage of IoT. This is where the CSO can step in to act as a referee and enforce cooperation, and push for an approach that enables the integration IoT-enabled devices into a network, without impacting network security.

To do so, CSOs should take a holistic view of the situation. A survey by Gemalto showed that 96 percent of enterprises lack confidence in the security of IoT devices. Potential security gaps leave the door open for cyber attackers looking to capitalize on new attack vectors, such as a poorly managed device. When these kinds of connected endpoints are exposed, attackers can work their way to the core of operations to extract information.

While IoT devices continue to advance, it’s critical to remember that they were not built for network security; they were purpose built to feed data quickly and efficiently. The devices are not inherently embedded with security principles in mind and, therefore, organizations should not assume that devices adhere to required security standards.

While it may be tempting to simply bolster the security of these devices with authentication or encryption solutions (of which there are plenty excellent options available), these products slow down the process of what IoT devices are meant to do. Consider a financial institution with a network of 1,000 ATMs. How would encryption and authentication be managed and monitored? At what cost to network and personnel resources? And most importantly, how would it impact the end-user experience and the ultimate goal of improved efficiency?

Traditionally, OT has tried to find viable ways to separate their environment while still being functional within an IT environment. However, maintaining security in today’s threat climate means that the most common methods, such as leveraging separate VLANs or creating separate infrastructures, have either sent operational costs through the roof or added significant and unnecessary network complexity.

To balance the missions of both OT and IT teams, CSOs can leverage network segmentation as a means of mitigating vulnerabilities without compromising performance. Employing this method makes IT and OT undiscoverable from each other, by completely isolating the OT that support enterprise operations. This can be done with minimal changes to the network — and how employees work — and without requiring massive amounts of personnel or financial resources to manage and configure.

Establishing a security solution that meets the needs of both IT and OT teams needs to be dictated from the top, down in order to reconcile between both departments By establishing a methodology that effectively ensures that networks are protected from vulnerable connected devices without affecting system functionality, both sides of the aisle can consider it a victory. IoT devices can operate as intended and IT and can be confident that critical operations are isolated and contained from cyber vulnerabilities.

Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating.

 

 

 

 

 

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish