Four Key Steps For Enterprise IoT Security

There’s been a lot of press recently about the problems of IoT security: easily hackable smart locks, as many as 100M Volkswagens at risk, vulnerable light bulbs, and even sex toys that spy on you.

Here are some key concepts for the future of IoT security in the enterprise:

First, IoT is going to save a lot of lives

It’s worth pointing out up front that the most direct result of IoT is much better physical security. Cheap, easy-to-install sensors means fewer surveillance vulnerabilities in critical infrastructure.

For example, Gooee provides intelligent sensors integrated with lighting systems to monitor activity, temperature, and more. When people break in, or there’s a fire or an earthquake is on its way, IoT means we can take action faster, saving assets and lives.

For example, as part of a Smart Cities initiative, SAP has been working with the city of Buenos Aires on a centralized city-wide dashboard showing real-time information from more than 700,000 different city assets. This includes flow sensors on the city’s water systems that proactively alert against floods that could endanger lives.

Almost every potential security threat can be minimized with the appropriate sensors. For example, gunfire locators can help alert crimes in progress: during the 2003-2004 Ohio highway sniper attacks, the FBI successfully used a ShotSpotter gunshot location system to find the shooter.

So if we’re worried about keeping people safe, and detecting toxins slipped into the drinking water, then IoT is a great answer.

But when everything is networked, everything is hackable

While physical security is improving rapidly, cyber security is a big and growing threat. IoT compounds all the security problems of traditional networks. There are many more potential points of entry, the tradeoff between security and ease-of-use/cost is more severe, and the devices themselves aren’t easy to patch when security flaws are discovered.

There’s no easy solution to these problems–the right approach is to double down on traditional security measures. Securing connected IoT devices is like trying to seal your house against insects. You have to take the usual measures such as blocking the biggest cracks and cleaning regularly–but some bugs are always going to get through.

Companies must continue to implement “basic digital hygiene”–the equivalent of locking the door twice and not leaving the keys around. But then they should expect to get hacked anyway.

To combat the inevitable hacks, there has to be a multi-layered approach to security. IoT security is like an onion–the more layers you have, the more you’ll make the hackers cry…

Don’t stint on security investments: get secure sensors from reputable companies, use isolated systems wherever possible, minimize data traffic and storage, use effective trusted certificates, employ tokenization, and adopt end-to-end encryption.

And perhaps most importantly of all: employ people who know how to put all this in place, and work with organizations that understand enterprise security and have been doing it a long time.

The future is about algorithmic security

New technology brings new opportunities–it’s time to take advantage of Big Data technology to improve IoT security.

Simple security is when an alarm is triggered and a guard intervenes. More complex security is more context-aware. For example, an alarm is triggered when the same personnel badge has been used simultaneously in two different electrical power stations. Or a badge has been used by somebody who is supposed to be on holiday.

This kind of security requires real-time access to enterprise systems to augment the sensor data. For example, AlertEnterprise, part of the SAP Startup program, uses the power of the SAP HANA in-memory platform to provide real-time security analysis, awareness, and prediction:

“Attacks are getting more frequent and more damaging. Key pieces of information lie in different systems and by the time the security teams piece together the puzzle, it’s too late. Enterprise Sentry consolidates critical information from underlying security tools and combines it with operational information to deliver a real view of what’s happening right now.”

Algorithmic security is the next level, and involves using Big Data analysis techniques on the millions of data points that can be collected from, say, an airport’s IT systems: door sensors, employee badges, flight rosters, cleaning schedules, luggage systems and more.

Using predictive algorithms, the system can learn what a “normal” day at the airport looks like, and then sound the alert whenever conditions differ from the expected pattern.  These are the kinds of techniques that are already used to detect suspicious financial transactions using SAP Fraud Management

Algorithmic security applies to IoT, too. There are many different ways systems can be hacked, and real-time anomaly detection is the ideal way of dealing with unknown new threats.

For example, there have been trials showing that the traffic lights in major cities could be manipulated, leading to traffic jams and worse. With algorithmic security, these sensor patterns would immediately show up as highly unusual and suspicious anomalies.

Cybersecurity is about people

It’s a cliché, but that doesn’t make it any less true: robust cybersecurity is much more about people and processes than technology.

Organizations need to concentrate on the most vulnerable part of any network: the people using it. The easiest and most effective way to improve cybersecurity is having the right processes and training in place.

Companies need effective governance, risk, and compliance policies that constantly evaluate and update your security. And ongoing training programs: systems like SAP SuccessFactors Learning Management can ensure that every employee has been certified on the kinds of social engineering that lead to network breaches.