Implementing an IOT Security Ecosystem

Over the last few blogs we have covered various dimensions of cybersecurity in the Internet of Things. In the final two blogs of this series, let us look at some of the key factors one should consider while creating a cyber security ecosystem. In our last blog we also realized that one should look at an ‘Ecosystem Manager’.

The large ‘IOT ecosystems’ that will be created right from the sensors to the data stored in the  

Following are some of the steps to be considered.

Establishment of the IOT Security Ecosystem (IOTSE): Define the components of the IOT security ecosystem. This will enable one to understand the flow of data, the rules and decisions, the exceptions and feedback mechanisms, and to identify vulnerable points.

Engage the stakeholders: Each component of the IOT Security Ecosystem (IOTSE) needs to be associated with a stakeholder. This person becomes the subject-matter point of contact between the component’s performance and the security aspects of the IOTSE.

IOT security is to be included at the design stage and at the component level.

Identify the Ecosystem Manager: It is important to identify one ecosystem manager, very similar to a CISO in an IT ecosystem. The IOT Security Ecosystem Manager (IOTSEM) is the person who works with all the ‘component stakeholders’ to deploy, track, train for and maintain the security aspects of the IOTSE.

Include Security at the design stage: Security is not an afterthought. As one builds an IOT-based solution for a consumer, social or enterprise ecosystem, security is an upfront consideration. The idea is to adopt a security-by-design approach, as suggested by a Federal Trade Commission paper.

Analyze Risks at various levels: The IOTSEM should analyse vulnerabilities at the component, functional, interface and process levels, and identify the threats affecting each. This provides a comprehensive risk analysis input that is key to planning risk mitigation.

Adopt a defense-in-depth approach: An ecosystem is only as strong as its weakest component, and which component is weakest can vary with the situation. Hence a component-level defense mechanism needs to be implemented and tracked, with the component stakeholder made accountable for monitoring and response. The component could be the sensor, the network, the data store or the user interface.

Implement a periodic review: A formal review of events, non-events, global trends and their relevance, and updates / upgrades should be carried out by the IOTSEM together with the component stakeholder.

The above suggestions are by no means a full-fledged security guideline document. However, these are factors one will inevitably encounter as one traverses the IOT Security Ecosystem.