The IoT Protection Challenge
Managing cyber risk across the IoT industry requires a collaborative strategy between device vendors and the operators who run the devices in the field, because the security of a deployed device is only as good as the supply chain behind it. That supply chain begins in the fabrication facility of the semiconductor (chipset) vendor, which provides the root-of-trust anchor (the secure element). The original equipment manufacturer (OEM) or original design manufacturer (ODM), acting as a contract manufacturer for the device vendors, must then integrate that root-of-trust anchor into the equipment (for example on a mezzanine board). A system integrator may then assemble hardened subsystem components from multiple device vendors into a solution for a specialized IoT vertical. Finally, a device operator manages the operations, administration, maintenance and provisioning (OAM&P) services for the fleet.
With the advent of software-as-a-service (SaaS) utility models for reducing capital and operational expense, cybersecurity services for IoT devices will inevitably migrate to public, private, or community cloud-based IoT platforms. The passage from on-premises to on-cloud, and the adoption gap between mainstream device vendors and managed security service providers, needs to be bridged with a holistic cyber risk management platform that enables digital transformation in the IoT industry.
IoT Risk Matrix
The challenges, the blockers to change, and the decisions required to embark on change vary across industry sectors. Policies and processes that have become ingrained over decades of information technology (IT) dominance and stewardship may themselves inhibit change unless there is a deliberate strategy for change. The intrinsic nature of the risks has changed, and therefore the solutions must change too.
Embracing digital transformation will require hardening the workflow and the operations themselves, not clinging to out-of-date and cumbersome platform hardening guidelines. Security is not a point solution; it is a holistic chain, and it is only as strong as the weakest link in that chain. Effective security (from the soft core to the hard edge) requires controls that are baked in, not bolted on. The economics of security lie in multi-vendor collaboration as a forethought, not multi-vendor competition as an afterthought. The introduction of modern controls must be strategic, measured and rational. Imminent risks have no term limits.
IoT Ecosystem Stakeholders
The IoT Ecosystem
Curing cybersecurity risk in IoT will require a prolonged and tenacious commitment to change. The rebirth of the Internet needs to be protection centric; it must not relegate security to an IoT cottage industry in the wild, left to defend against sophisticated cyber criminals and nation-state actors with reactive tactics. The transformative and economic potential of IoT requires both a microscopic and a telescopic vision of cybersecurity. This has serious implications for cyber insurance companies as well.
An insurer's willingness to pay off cybercriminals (for example, paying a ransom to recover services and compromised devices) as a mitigation process will only encourage cyber-attackers, not discourage the cybercrime syndicate. If government regulators fail to rise to the occasion and protect cyber commerce and data, the insurance companies will have to step up with guidelines for cyber resilience or suffer the consequences of attacks on cyber infrastructure. Staying in the infinite game of cybersecurity, against a determined cyber adversary, requires the will and resources of all players in the supply chain.
The IoT Process