Internet of So Much Stuff: Don't wanna be a security id-IoT

IoT is not the same as IT... normal infosec does not pply

Michael Dell, chairman and CEO of Dell Technologies, last month announced a $1bn investment in IoT R&D over the next three years.

What does $1bn buy you in IoT? A new IoT division, to be run by VMware’s CTO Ray O'Farrell, a bunch of new IoT-focussed projects including Project Iris - an under wraps RSA security development - and some collaborations for things like processor accelerators to “increase the velocity of analytics closer to the edge.”

Dell talked a lot about the edge during its event - citing autonomous vehicles, factory automation and drones as examples of how computing is going back to the old distributed model again. In truth, Dell’s happy hunting ground. Nothing new here of course.

There are already plenty of examples from Dell, GE Digital and others showcasing the value of sensors and connected devices in making predictive analytics possible, for improving maintenance and support and keeping industry machines whirring for longer. Everything is connected.

Dell's money comes as Gartner has forecasted that 8.4 billion connected things will be in use worldwide in 2017, up 31 per cent from last year, and will reach 20.4 billion by 2020. Total spending on endpoints and services will reach almost $2 trillion in 2017. This is a huge market for vendors and typically they want to capture market share early – but at what cost to the longer term security of the technology?

Yes, security.

Fear the reaper...

Daily, it seems, we receive reminders of the vulnerability of connecting so many disparate devices – currently around 20 billion, according to Statista. Claims by a number of security firms that the Reaper Botnet is already compromising IoT devices in readiness for an attack on internet hardware and services, are hard to ignore, although as yet unproven. It follows a number of high profile IoT-related security breaches over the past couple of years including the Mirai botnet attack last year and there is clearly concern.

So how much of the $1bn is Dell pumping into security? O'Farrell will not be drawn on specific figures or percentages, saying “security will definitely be a priority area for investment." It would be mad if it wasn’t.

O’Farrell talked up Project Iris, using IoT operational and security analytics to profile devices, while baselining normal behaviour and detecting and alerting on anomalous activities and compromised devices. The aim, according to O’Farrell, is to: “Leverage machine learning and with no requirement to changing the edge devices, Iris can secure large deployments of sensors and actuators.”

Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up

READ MORE

Er, OK, but what about something tangible and cross-industry like IoT security standards?

John Moor, managing director of the IoT Security Foundation - an organisation born out of a Bletchley Park security summit in 2015 - reckons there’s a lot of confusion when it comes to standards in IoT. What we currently have is a lot of “suggestion and solutions, some useful, some not, some bewildering,” he tells The Reg.

You gotta have standards... do you, though? Do you really?

“As we’ve seen the Gold Rush towards IoT, many have made the comparison to the Wild West,” says Moor. “This then usually translates to a call for regulation – but we need to be careful we do not over-compensate. The scale and scope of IoT, together with the basic observation that ‘security is context dependent’ and therefore ‘no universal security solutions exist’– means that ‘IoT security is a wicked challenge’.”

The call for standards is not surprising. We are faced with a barrage of IoT marketing at the moment but it’s surely built on sand. Do we have to rely on vendor-specific ecosystems to get any sort of security ‘guarantee’ or will we ever reach a point at which the marketing actually delivers viable products with recognised security standards?

O’Farrell seems to echo this need for solid standards.

“However, we believe that the true potential of IoT can only be unlocked when IoT is a complete, interdependent ecosystem, one in which connected things, infrastructure, artificial intelligence and machine learning will all come together to make things smarter,” he told The Reg.

Naturally, of course, Dell Technologies is that ecosystem as far as O’Farrell is concerned although GE Digital among others would argue otherwise.


Biting the hand that feeds IT ? 1998–2017