IoT security woes ‘solved by collaboration’
Cisco IoE chief urges operations teams to consult IT on new deployments
Security worries around internet of things (IoT) devices could be solved if operations teams worked more closely with IT teams, according to Chris White, senior vice president for the Internet of Everything, Cisco.
Speaking to ITP.net at Cisco Connect UAE yesterday, White said that operations teams - which he dubbed the OT side of the business - often blindly accept internet-connected devices if they promise greater efficiencies, and do not consider the security implications.
"What we've seen actually is some of the OT departments, the operational side of the world, just accept internet-enabled devices, and they're not collaborating with the IT departments that realise that security is a key area that you have to architecturally design for," he said.
"One of the biggest retail hacks in North America last year was through the HVAC system, which connected to the internet, which connected to the point of sales system and blew it up."
However, White said that he was confident the IT and OT sides of businesses are beginning to converge. He said that operations teams are beginning to consult IT on smart device purchases, and that this is making for a safer environment in which to deploy IoT devices.
"What I'm optimistic about is that, as those worlds get closer together, you don't have almost naïve purchases of equipment with Ethernet ports or Wi-Fi access that you just configure to connect to the internet and open an organisation to attack," he said.
IoT devices have come in for plenty of criticism in recent months, with security experts accusing IoT vendors of not applying basic security policies to their products. At the beginning of 2015, a Sophos researcher, James Lyne, said that cyber-criminals would advance their IoT efforts from the proof-of-concept stage and turn them into mainstream attacks. This, he said, would be possible due to the increased uptake of IoT devices, and the lack of security standards on these devices.
While White did not comment on any specific devices, he explained that organisations should also focus on the overall security of the network from an architectural perspective. He said that security on individual devices would only provide a degree of protection, and that organisations need to look at the bigger picture.
"It's not just about making sure you've got the hottest firewall, it's making sure you design the network and the application and the software and the Wi-Fi to make sure it's as secure and scalable as possible," he said.
However, White did concede that many of Cisco's biggest IoT customers are in industries that traditionally aren't as IT-centric as others. In a later panel discussion at Cisco Connect, though, he said that, for many of these organisations, the benefits of adopting IoT technologies were beginning to outweigh the risks.
"There are always going to be bad guys out there," he said. "But take an offshore oil rig as an example. At the moment, you take samples, you package them, you put them on a helicopter, you fly them back to an expert. You've got millions of dollars of capital equipment lying idle. But what if I'm drilling oil in the North Sea, and I've got Ethernet connectivity at the drill bit, and I'm taking samples of what I'm extracting right there at source? I can then make an informed decision."
Cisco is currently one of the most vocal proponents of the internet of things, which the vendor describes as a part of the wider internet of everything (IoE). The difference, according to White, is that the IoE also encompasses a change in business processes that allows data from IoT devices to be analysed and then acted upon.