The IoT is a turning point. It forces all players in the economy to completely rethink ecosystems in view of cybersecurity concepts. Industry is the number-one sector concerned. It must now provide for the incorporation of new constraints, which are subtle and mostly unknown, into its engineering and changes in its production to ensure the reliability and availability of tools. In the past, hacking was limited to an attack from the Internet or a USB key. Now, light bulbs, cameras and staplers must be covered by security governance. On the other side of the coin, the IoT is an exceptional opportunity for industries to renew themselves, rethink themselves and innovate so that they in their turn become the driving force behind the 4.0 era. The merging of Scala into IP will generate new products, engender new services and naturally lead to new business opportunities. Does this speed innovation up or slow it down? As the Cybersecurity Women’s Circle (CEFCYS) discussed at its 2016 annual conference, the IoT is of course a chance for industry competitiveness, provided that cybersecurity is part of it.
Governance, design, procedures, training and of course technology are the new tools that must now be made agile and compatible with this innovation. The challenge to be met to keep from slowing the organisation down is asking THE right question. This question consists of finding out what must be protected and maintained within the company versus what ultimately does not pose challenges for lack of value.
Data are becoming an asset in their own right, with a shifting status depending on their age, rarity and challenges. Identifying and distinguishing between what is sensitive and what is not is essential in measuring difficulty, cost and chances of success. This question must be asked in such a way that it is heard and understood by all stakeholders, that is to say, all employees, including labourers as soon as they have connected equipment, starting with smart badges.
With the question formulated, it should be decided, strategically, how to take on these challenges. There are two major approaches. The first is to consider that all company assets, connected or not, must fit into a security procedure. The reason for this is that things that are not connected today will be connected tomorrow. This involves taking IoT security into account in the design, installation and commissioning stages. This reality is necessary but not yet accessible. At present, IoT objects have an extremely high level of security failure. This may be accounted for by the haste of industry players to innovate at record speeds and place madcap yet brilliant offers on this emerging market with the goal of being the first. They do so at the expense of non-existent or nearly non-existent security design. This design is called smart fuzzing. It is a “black box” technique that identifies zero-day vulnerabilities in the communication protocols of the object. Today, major market players offer stricter equipment design. Beyond Security, for example, offers EDSA 2.0 certification to ensure US approval with its Securiteam.com database. These solutions known among the major players in the connected industry are still unknown among small, medium and large enterprises due to not only their cost but also a lack of regulations and an already outmoded European legislature.
The second approach, which is more agile, pragmatic and effective, consists of drawing up an internal security policy that singles out some assets. This type of policy has the advantage of creating less internal change and more simplicity in implementation and identifying what really needs to be protected. It is easier to protect one pocket than an entire suit! But which pocket?
Executives must engage in this internal reflection to ensure that best practices are incorporated into the organisation’s DNA. They should not hesitate to reconsider the organisation chart and create the new role of IoT CSO to assume the responsibilities that the CISO will not be able to cover. It is necessary to face facts. In industry, the IoT does not represent mere merging or technical changes. It is a new world that is opening up — a new world of genius and of risk. The human factor is the major challenge, by far, on the same levels as in aviation risk. This means that management must sacrifice more of its time to supporting people than to the budget for equipment which is often sufficient and already in place.
Cybersecurity is above all a human story. It is its weakest link. The weakest link in IoT cybersecurity is its open design and lack of certified architecture.
Now, before installing a connected light bulb in a meeting room, ask yourself how your IT governance will assimilate this component. You will see that it will not be able to do it. It is not ready — and for good reason, as it does not yet know what to cover and protect.
This year it is a paradox to be connected without losing sight of the fact that the IoT has not yet matured beyond its own Stone Age.