Securely Unleashing the endless possibilities of IOT Internet Of Things


CONTENTS

Executive Summary

Why Telefónica

Security Becomes ever more Paramount

The Telco Approach: A model for securing the IoT Ecosystem

Telefónica’s IoT Security Value Proposition

Conclusion

Gartner Research


Executive summary

The term Internet of Things (IoT) has become a buzzword in recent years, sharing the limelight with other technologies that are enabling the digital transformation across every aspect of our lives. Despite its novelty, IoT has grown faster than any previous communication technology, and associated challenges and learnings have emerged at that same speed. This has led to a rapid general awareness of security as a priority for main IoT players.

An outline of the current status of IoT opens this report. We will then present our specific approach model and value proposition for IoT security. This is underpinned by three key pillars, and is delivered with a portfolio of core security capabilities and cybersecurity services. Given that connectivity is present through the entire IoT journey, we address security issues as a whole, following a comprehensive approach to deliver end-to-end IoT security propositions to our customers.


“ …endless possibilities that it can bring to improve our lives.”

Why Telefónica?

THREE KEY PILLARS UNDERPIN OUR IOT SECURITY VALUE PROPOSITION:

A comprehensive portfolio to deliver E2E security propositions

IoT services share all the security challenges that traditional IT services have and add new ones derived from the specific limitations of IoT devices. Therefore, offering an E2E security proposition for IoT requires a comprehensive portfolio that includes:

• Security products, that can be deployed within the infrastructure and whose operation is based on repetitive and procedural tasks that can be performed by traditional Security Operation Center (SOC) teams.

• Cybersecurity services, where the key element is the team, which is composed of highly skilled cybersecurity specialists.

• Consulting services, that can provide support during the pre-sales stage to understand the specific needs of the customer and build the right proposal, combining the P&S of the previous two bullets.

Leveraging the network and platforms

Mobile Network Operators (MNO) have native advantages for providing security to the IoT ecosystem. At Telefónica, we have developed the Kite Platform, which runs over the network infrastructure and leverages its core capabilities. It is a managed connectivity platform that improves customers’ productivity and connectivity cost management, and increases security for their IoT deployments.

Nobody can do it alone; a robust partnership network is essential

The IoT is a fast moving, rapidly evolving ecosystem that opens up a wide range of new opportunities. In just a few years, it has evolved from a machine-to-machine (M2M) paradigm focused on B2B and vertical use cases, to a smart environment with millions of cellular connections, an emerging B2C application and an increasing range of standard definitions. The future seems to be even more complex, with billions of connections and thousands of applications on B2B, B2C and B2B2C.

This environment of constant change, together with the extremely long IoT ecosystem value chain makes matching security requirements an impossible task for a single company. Therefore, it is crucial to create an active and dynamic partnership ecosystem that can attract talent, technology and investment to face this challenging environment.


From measuring to rethinking reality, IoT is a journey full of possibilities

The IoT represents a very broad concept that includes any network of devices, such as vehicles, home appliances, electric or water meters, and other items that communicate across the internet without human intervention. These devices share information collected from sensors, or send commands to actuators that are close to or embedded on them.

Gartner estimates there will be approximately 20 billion connected IoT devices by 2020; others project much higher numbers. In the near future, this vast number of devices will surround us, collecting data about our different activities and interacting seamlessly with us.

This scenario reveals endless possibilities for improving internal business efficiencies, delivering better customer experiences, building new services, and transforming business models.

Unleashing the full potential of any of these business opportunities requires a smart combination of a multidisciplinary set of technologies. In fact, according to social media analyst company ZK Research, we are living in the middle of a “perfect storm”, similar to the one that kicked off the internet era, and that is now driving the growth of the IoT. It consists of several factors: digital transformation; low-cost sensors; standardization to Internet Protocol; the growth of Big Data; the rise of social media; and Cloud Computing.


*Source: Gartner, Address Cybersecurity Challenges Proactively to Ensure Success With Outsourced IoT Initiatives, DD Mishra, Earl Perkins, Stephanie Stoudt-Hansen, 5 June 2018

“ …complex due to lack of standardisation across the devices...”

From improving the efficiency of a business to opening up new business opportunities, the advantages of embracing the IoT are so huge that every company or sector will benefit from its adoption sooner or later. As more and more companies base their businesses on the IoT infrastructure, security becomes ever more paramount. At the same time, the growing presence of IoT will also increase the awareness of security needs, and will boost the development of tools and solutions from every aspect of the world of IoT.

The rapid growth of IoT will also be reflected in the evolution of security. This has happened many times before, such as when the expansion of the automotive industry instigated the transformation of roads into safer motorways.

The IoT journey spans across many different areas, and whilst each of these has its own particular features to be specifically analysed, they all share a key commonality: the need to provide network connectivity to the devices, with IoT platforms that process sent information and enforce applied actions. This constant presence enables Telefónica to look at the big picture and wider approaches to the IoT security issue as a whole, filling the gaps between the specialists at every step of the journey.


Security becomes ever more paramount

Key aspects in securing IoT services

With every new technology there are new challenges, largely due to the great number of players involved at each stage of progression. As the new technology is adopted by more and more users, the offering becomes clearer and the remaining products and services are those that give the best, most reliable experience at every level. Within the IoT environment the maturity of products and services is increasing every day. IoT designers, developers and users now fully understand which objectives are critical for mass adoption, and the whole IoT industry is advancing in the same direction.

Reduce diversity

There are many diverse IoT devices available and most of them have different hardware, firmware, operating systems and other needs to be addressed. Much effort is currently being directed towards improving compatibility and standardization across the devices.

New long-life batteries specific for IoT devices

Devices with limited CPU or battery life may face difficulties running certain processes. Being able to process huge amounts of data in real time is also an issue to consider, as well as how to manage, monitor and maintain such a high number of heterogeneous devices.

Ensuring device authentication

Connecting devices that have not been connected before reveals that they were not designed with security in mind. It is vital that device manufacturers provide security mechanisms that are able to respond quickly to incidents and, at the same time, have resilient capabilities to overcome them. Finally, many of these devices have long life cycles, ranging from 15 to 20 years, and require designs and procedures that ensure maximum security during the whole lifetime.

Therefore, a redefinition of basics will lead to a more secure IoT landscape. Most of what is required – such as edge protection, proper identity, access management mechanisms and data protection – is similar to traditional IT security, but needs rethinking and adapting.


LEARNING FROM THE BEGINNING

The rise of a new technology opens the doors to a world of possibilities that expands with every use. This first “big bang” moves so fast that some may find security breaches, but within the digital environment there is a common global awareness about security issues from the experience acquired with previous IT developments. Therefore, learnings have been rapidly adopted by main IoT providers since the very first incidents. Cybersecurity is now undoubtedly considered a key aspect of any IoT device or solution from the very beginning.

Software providers must be thoroughly chosen

Connected cars are governed by software code just like computers or smartphones connected to the internet. Hence, they require similar security mechanisms and should be updated and protected to avoid exposing vulnerabilities that might have catastrophic consequences. In many cases this software is supplied by the car’s manufacturer, which means that software providers must be considered in their supply chain risk management as thoroughly as any other provider.

Keeping this in mind is key to neutralising attacks such as the one in 2015, when security analysts were able to remotely control a car by exploiting a zero-day vulnerability. They were able to hack the entertainment system that runs on a Linux operating system, as had already been shown in other car models. In this case, they were also able to send commands that performed different actions, such as beeping the horn, pulling the seat belt or even disabling the brakes. They accessed many of these on-board components via the CAN bus, the internal network of the car that controls many of the components electrically, thus giving them control of the multimedia system.


Internet connected devices require the same security controls as any PC or smartphone

Some devices, such as IP cameras, are based on operating systems that are no different from that of a traditional computer or smartphone, and therefore have similar security requirements.

In the connected PC era, automatic software and antivirus updates have become essential security tools and mechanisms; their introduction marked relevant changes in the dominant operating systems and the birth of free antivirus software. Since the IoT device market is still fragmented, these solutions are tougher to apply, but are even more necessary.

Efficient security controls were not in place in 2016 when the self-propagating Mirai botnet infected devices using a procedure as simple and common as default credentials testing. The attack was directed at Dyn, one of the most important DNS hosts at the time. It affected sites such as Twitter, Spotify and GitHub, rendering them unavailable for several hours. The Mirai botnet had been specially designed to target IoT devices using two main components. On the one hand, it had a scanner that continually searched for new IoT devices to be compromised. On the other hand, its command and control center sent instructions to launch attacks against victims.


When connected to the internet, no device can be ignored

A system or infrastructure is only as secure as its weakest link. We cannot ignore devices that seem irrelevant to the business if they are connected to the internet. A seemingly innocuous device can be the gateway for cyber-attackers.

Take a thermometer, for instance. After hacking the internet-connected thermometer of a fish tank, cybercriminals were able to access the manufacturer’s entire corporate network from the device and infiltrate its customer database.

The main learning from these three cases is that security needs for IoT are no different to traditional security needs. Although the IoT has particular features that will require ad hoc solutions, IoT service ecosystems share Cloud infrastructures, and a complete E2E package will require adding some traditional solutions in order to provide comprehensive security proposals.

We have not reduced our daily use of the internet or the smartphone for security reasons; rather, we have strengthened our defences and remain vigilant. The immense possibilities of IoT are an even greater incentive to keep progressing in this way.

The TELCO approach: A model for securing the IoT ecosystem

Although it is generally accepted that an in-depth security analysis requires consideration of each specific vertical, it is possible to define a horizontal model to set the common framework for the IoT paradigm. Figure 1 represents an IoT model based on the one proposed by the GSMA. The architecture of IoT services can be generally represented with three key groups of components: endpoints, networks, and platforms.

Figure 1. IoT security model. The figure shows three groups of components: endpoint security (devices), network based security (networks and managed connectivity), and service platforms security (platforms and applications). Endpoints carry the IoT specific security challenges (limited resources, remote operation, long life cycles), which must address the IoT scale and limitations. Platforms fall under traditional IT security, a known field that must be done properly, with a diversity of platforms and the ElevenPaths product portfolio and capabilities. The networks can be leveraged to reduce complexity on the endpoint and secure its integration with the service platform.

The endpoint ecosystem

The endpoints – which are the IoT devices – are usually geographically dispersed and fundamentally send information from the sensors to the platform that enforces the requested actions. From a security perspective, the endpoints have some key limiting features that must be considered:

• They have limited processing and battery resources, which makes adding security capabilities (such as data encryption) more challenging.

• In most cases they must be remotely operated due to geographical dispersion, which requires secure mechanisms for remote monitoring and management.

• Most endpoints are physically accessible to an attacker. This means they require secure designs that protect the devices from physical manipulation.

• These devices also have long life cycles that can reach up to 10 years, and require specific security mechanisms and procedures to ensure resiliency of the IoT infrastructure.

However, there is also another feature that represents an advantage from a security perspective. Unlike multipurpose devices, such as smartphones and computers that can host a wide range of applications with different communication patterns, IoT devices tend to focus on very specific applications. This simplifies the profiling of the device and, hence, the detection of anomalous activity.


The IoT service ecosystem

On the other side of the model we have platforms, which can be both in the Cloud or on-premise, and have many additional features and capabilities to facilitate the interaction with IoT devices and the development of services. Currently, there is a great diversity of Cloud platforms, whose main representatives are Amazon Web Services (AWS), Google Cloud Platforms, IBM Bluemix, and Microsoft Azure. Apart from the diversity among them, which forces developers and engineers to define different security mechanisms, there are few security mechanisms that leverage network capabilities for IoT infrastructures. Reinforcing these could simplify and enhance their implementation and configuration.


Networks and managed connectivity

This is where MNO can provide a key differential value. Communication network components are inherent to IoT, and they are built over standards (e.g. Long-Term Evolution (LTE)), where ‘security by design’ has been a key principle. Both facts set a strong foundation for enabling MNO as providers of compelling E2E security propositions that extend their core security capabilities. Some of the key security features required for IoT are:

Identification and authentication of the devices involved in the IoT service

Within a cellular connected IoT service, endpoints are identified using the IMSI and/or IMEI that is currently used for managing device connectivity. Building on this, device identity management from platform access can also be provided (e.g. using digital certificates), simplifying device management not just at a network connectivity level but also at an IoT service level.

Access control for the different devices that need to be connected to create the IoT service

Current managed connectivity platforms enable IoT service providers to set controls over endpoints, such as device whitelisting (for blocking SIM cards that are inserted into a device whose IMEI is not included on the list) or SMS origin number whitelisting. By adding device identity management for the IoT service ecosystem, the controls can be extended to the service layer.

Data protection to guarantee the security (confidentiality, integrity, availability, authenticity) and privacy of the information carried by the network for the IoT service

Network operators traditionally provide public telecommunications infrastructure or a mixture of public and private network infrastructure. Many network operators can ensure that the customer/user data that transits their public network infrastructure is encrypted between the point that the data enters the public network infrastructure and the point that it leaves the network. If required, network operators can also assist IoT service providers to deploy or derive their own encryption credentials to also guarantee data protection.


Processes and mechanisms to guarantee availability of network resources and protect them against attack

For some applications, such as e-health and critical infrastructures, communications availability can be a critical issue, as we saw in the Learning from the beginning section of this report. This is an increasing concern as the number of “things” connected via the internet continues to grow, and it is crucial to test that these devices do not have any vulnerabilities or insecure configurations that may be subject to undesired attacks. Network operators already have services that can prevent and mitigate these attacks and their consequences by applying filtering mechanisms to filter out attack traffic and deliver only clean traffic.

Communications monitoring and analytics for detecting anomalous activity

The devices in an IoT ecosystem tend to be purpose-specific, which facilitates their profiling. In addition, unlike devices and back-end services in Cloud platforms, network traffic evidence is not easy to tamper with. As a result, techniques applying machine learning for profiling devices and detecting anomalous behavior for signs of security incidents are key security features that network operators can add to their proposals.


Telefónica’s IoT security value proposition

Three key pillars underpin our IoT security value proposition:

• Leveraging the network and platforms built over network capabilities

• Managing a comprehensive security portfolio to deliver E2E propositions

• Building a strong partnership ecosystem to deliver compelling propositions


Leveraging the network and platforms

MNO have native advantages for providing security to the IoT ecosystem. Typical security requirements such as network availability, data encryption or device authentication have been embedded into Telco’s networks for decades, which makes cellular networks highly reliable. Among these security requirements, there are two that are particularly relevant for IoT security:

• Mutual authentication between the devices and the network. This is based on a trusted hardware (SIM card), which enables a secure and reliable communication channel between devices and the core network.

• Strong over-the-air (OTA) encryption (128 bits key AES-like in LTE) and integrity assurance. This is a key component for delivering device credentials through a secure channel and also providing mutual authentication between devices and Cloud platforms.

Complementing these core capabilities, the following network-based features and services set a differential proposal for MNO:

• Virtual private networks (VPN) – MPLS or IPSEC, depending on the project specifics – in order to secure and isolate the communication from devices to the customer data platform.

• A private Access Point Name (APN) per customer to isolate devices from the internet. This prevents them from being accessible through a public IP, being port-scanned or appearing in databases of devices that can be reached through the internet, such as the Shodan database.

• Capabilities for detecting suspicious network activity. As IoT devices can be easily tampered with, either physically or remotely, network-based detection can provide an additional protection by detecting suspicious activity.


Kite Platform

We have developed the Kite Platform, which runs over the network infrastructure and leverages its core capabilities. Kite is the foundational component of our IoT value proposition. It is a managed connectivity platform that improves customers’ productivity and connectivity cost management, and increases security for their IoT deployments.

The Kite Platform allows a quick and easy integration of IoT services into customer processes and systems through application programming interfaces (API), which contributes to increasing customers’ productivity. In order to further enhance the customer experience, the platform’s functionalities are available through a web portal that can be accessed via most common web browsers. It also offers different schemes of SIM lifecycle status models to accommodate the customer product lifecycle.

When it comes to connectivity cost management, the Kite Platform offers a wide set of tools to automatically control costs associated with SIM traffic, operation, maintenance and inventories.

With regards to security, it offers a set of controls, including:

• Device whitelisting. Customers can upload a list of device IMEIs or IMEI patterns to control the devices that can use the SIM cards.

• SMS MO origin number whitelisting to avoid customer devices receiving SMS commands from non-authorized numbers. It also validates the original SMSC to avoid SMS origin number spoofing.

• Receiving cellular network signalling information, so that the platform can notify customers and take action. It also deactivates SIM cards from unexpected locations or that have excessive data usage.
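The controls listed above (IMEI allowlisting by exact value or pattern, and blocking on unexpected location or excessive data usage) can be expressed as a small policy check. This is an added example, not Kite Platform code or its API: the function and class names, the trailing `*` pattern syntax, the country-code location model, the byte threshold and all sample values are assumptions constructed for illustration.

```python
"""SIM policy check modelled on the controls listed above.
Added illustration: not Kite Platform code and not its API."""
import re
from dataclasses import dataclass

# Assumed pattern syntax: a full 15-digit IMEI, or 8-14 leading digits plus "*".
# Requiring at least the 8-digit TAC stops a bare "*" from allowing every device.
_PATTERN_RE = re.compile(r"^(?:[0-9]{15}|[0-9]{8,14}\*)$")


def luhn_valid(imei: str) -> bool:
    """Return True if the string is 15 ASCII digits with a correct Luhn check digit."""
    if len(imei) != 15 or not (imei.isascii() and imei.isdigit()):
        return False
    total = 0
    for index, char in enumerate(imei):
        digit = int(char)
        if index % 2 == 1:  # every second digit, counted from the check digit
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def compile_allowlist(patterns):
    """Validate uploaded patterns and split them into exact IMEIs and prefixes."""
    exact, prefixes = set(), []
    for pattern in patterns:
        if not _PATTERN_RE.match(pattern):
            raise ValueError(f"rejected allowlist pattern: {pattern!r}")
        if pattern.endswith("*"):
            prefixes.append(pattern[:-1])
        else:
            exact.add(pattern)
    return frozenset(exact), tuple(prefixes)


@dataclass(frozen=True)
class SimPolicy:
    exact_imeis: frozenset
    imei_prefixes: tuple
    allowed_countries: frozenset   # assumption: location reduced to a country code
    max_bytes_per_day: int         # assumption: usage limit expressed per day


@dataclass(frozen=True)
class SignallingEvent:
    sim_id: str        # placeholder label, not a real ICCID
    imei: str          # IMEI of the device the SIM is currently attached from
    country: str
    bytes_today: int


def evaluate(policy: SimPolicy, event: SignallingEvent) -> list:
    """Return the list of policy violations for one signalling event."""
    reasons = []
    if not luhn_valid(event.imei):
        reasons.append("imei_malformed")
    elif event.imei not in policy.exact_imeis and not event.imei.startswith(
        policy.imei_prefixes
    ):
        reasons.append("imei_not_allowlisted")
    if event.country not in policy.allowed_countries:
        reasons.append("unexpected_location")
    if event.bytes_today > policy.max_bytes_per_day:
        reasons.append("excessive_data_usage")
    return reasons


def decide(policy: SimPolicy, event: SignallingEvent):
    """Map violations to an action; every violation blocks the SIM in this sketch."""
    reasons = evaluate(policy, event)
    return ("block" if reasons else "allow", reasons)


# Constructed sample data (not taken from any real deployment).
_exact, _prefixes = compile_allowlist(["49015420*"])
POLICY = SimPolicy(_exact, _prefixes, frozenset({"ES", "PT"}), 5_000_000)
SAMPLE_EVENTS = [
    SignallingEvent("sim-a", "490154203237518", "ES", 1_000),       # expected device
    SignallingEvent("sim-b", "356938035643809", "ES", 1_000),       # SIM moved to another device
    SignallingEvent("sim-c", "490154203237519", "ES", 1_000),       # bad check digit
    SignallingEvent("sim-d", "490154203237518", "BR", 50_000_000),  # roaming and heavy usage
]


def run_sample():
    """Evaluate the constructed events and return {sim_id: (action, reasons)}."""
    return {event.sim_id: decide(POLICY, event) for event in SAMPLE_EVENTS}


if __name__ == "__main__":
    for sim_id, (action, reasons) in run_sample().items():
        print(sim_id, action, ",".join(reasons) or "-")
```

Rejecting over-broad patterns at upload time matters as much as the match itself: a single wildcard entry would silently turn the allowlist into an allow-all rule.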


A COMPREHENSIVE SECURITY PORTFOLIO TO DELIVER E2E SECURITY PROPOSITIONS

[Portfolio diagram. Advanced solutions: Industries, IoT, ICS, Fraud. Cybersecurity services: Managed Security Operations, Managed Detection & Response, Digital Exposure, Integrated Risk Management. Security products: Device Security, Network & Application Security, Cloud & Data Security, Identity & Access Management. Consulting services.]

This portfolio is arranged into four key groups:

Security products

A set of security products (lower green layer) that can be deployed within the infrastructure. Operation of the products is based on repetitive and procedural tasks that can be performed by traditional SOC teams.

Cybersecurity services

A set of cybersecurity services (middle light blue layer) where the key element is the team, which is composed of highly skilled cybersecurity specialists. Key to service success, the team bases its work on tools and services that are also part of the service blocks of this layer or the previous one.

Consulting services

Consulting services (right side dark blue box) that can provide support during the pre-sales stage to understand the specific needs of the customer and build the right proposal, combining the P&S of the previous two bullets. These services can also be extended during the initial stages of the project, as they can be required in any project where any of the previous P&S are involved. Consulting services are key to understanding the specific needs of the customer and tailoring the solution to best fit their needs, especially for the most innovative and disrupting customers in their sectors.

Advanced solutions

The top layer groups solutions that are tailored to specific sectors or industries and share two key properties. Firstly, they need to be flexible and modular in order to adapt to the specific needs of each customer. This is especially relevant in the case of IoT, as customers may have different security and privacy requirements depending on their specific sector. Secondly, they are based on the P&S of the rest of the layers and may also include other specific modules or components.

It is worth noting some of the services that are more relevant in IoT security. Managed Security Operations relieve customers from the challenges involved in deploying and operating their own SOC. Instead, they can rely on our 11 SOCs located around the world. Device management is one of the most common services used by customers. Although most devices are computers and smartphones – which are the traditional devices in IT security – “things” management will benefit from this background.


In the Digital Exposure group, two services deserve to be highlighted:

Vulnerabilities management with Vamps:

The Vamps service provides a global view of organizations’ weaknesses, anticipating potential attack methods against their systems and allowing quick management of their correction. As part of this solution, the Faast service allows persistent penetration testing of critical infrastructure assets. This periodically updates new vulnerabilities or warns of any previously detected ones that remain unsolved.

Incident anticipation with CyberThreats:

The CyberThreats service helps by continuously preventing, detecting and responding to potential cyber threats that can have a major impact on an organization’s business model. CyberThreats covers all phases of the cyber threat lifecycle, thanks to a holistic risk management model, focused on cyber intelligence.


Finally, in the Integrated Risk Management group we have SandaS GRC, a platform for supporting consulting services for governance, compliance and risk assessment. SandaS GRC helps organizations support their business strategy, improve their operational performance, reduce operational risks, and ensure regulatory compliance. The latest version of SandaS GRC includes the GSMA IoT Security Assessment checklist, a useful tool for cybersecurity consultants wishing to assess the security of an IoT infrastructure, based on the model and requirements published by the GSMA. We have been actively involved in this document set and have also successfully applied it to a project (see the Securing the Port of the Future case study).


Nobody can do it alone; a robust partnership network is essential

The IoT is a fast moving, rapidly evolving ecosystem that opens up a wide range of new opportunities. In just a few years, it has evolved from a machine-to-machine (M2M) paradigm focused on B2B and vertical use cases, to a smart environment with millions of cellular connections, an emerging B2C application and an increasing range of standard definitions. The future seems to be even more complex, with billions of connections and thousands of applications on B2B, B2C and B2B2C. This environment of constant change, together with the extremely long IoT ecosystem value chain (device manufacturers, communication service providers, Cloud platform providers, and application developers, to name a few) makes matching security requirements an impossible task for a single company. Therefore, it is crucial to create an active and dynamic partnership ecosystem that can attract talent, technology and investment to face this challenging environment.


An initiative of this nature must consider the following key elements:

• Attracting talent and identifying relevant projects and initiatives at a very early stage. This means establishing good connections with universities and specialist research centres, and promoting events that help to identify these initiatives.

• Setting and funding the resources that project leaders may need in order to facilitate the development of their ideas and initial market testing.

• Investing in start-ups that have implemented a solid value proposition and may require funds to be delivered to the market.


Conclusion

In this report, we have described the key capabilities and assets that MNO need to consider for IoT security. They set a foundation from which to start building compelling E2E value propositions, and adding advanced security services and products. Some of these could be developed in-house, but a significant number will require partnering with leading companies in each specific area of security. In both cases, the systemic vision of Telefónica for IoT adds another point of view at a larger scale to the ones of specialists in specific types of devices and solutions.

The significant business growth of – and relevant investment in – cybersecurity over the past few years has allowed us to devise a comprehensive portfolio and build an extensive partnership network; creating the perfect platform from which to help its clients take maximum advantage of the IoT revolution.

iot.telefonica.com


Summary

FOUNDATIONAL Refreshed: 5 June 2018 | Published: 17 February 2017 ID: G00319712

Analyst(s): DD Mishra, Earl Perkins, Stephanie Stoudt-Hansen

Cybersecurity concerns are major barriers to the success of the Internet of Things. Sourcing and vendor management leaders must ensure that cybersecurity policies address the risks of IoT and, by working closely with procurement teams, create an approved list of IoT providers.

FOUNDATIONAL DOCUMENT

This research is reviewed periodically for accuracy. Last reviewed on 5 June 2018.

Address Cybersecurity Challenges Proactively to Ensure Success With Outsourced IoT Initiatives

IMPACTS

• Existing cybersecurity policies and procedures will undergo changes to support the adoption of the Internet of Things (IoT), introducing new cybersecurity challenges for sourcing and vendor management leaders.

• Increased competition will drive enterprises toward rapid adoption of the IoT with shorter procurement and sourcing cycles, leaving less time for sourcing and vendor management leaders to address cybersecurity.

• Fragmented demand and a proliferation of suppliers, coupled with faster supply chain expectations and a myriad of IoT products, will increase sourcing complexity related to cybersecurity for sourcing and vendor management leaders in stitching the demand and supply together.


Recommendations

To address the cybersecurity risks of IoT, sourcing and vendor management leaders should:

• Collaborate with business and IT stakeholders to identify and formalize all cybersecurity concerns and risks.

• Ensure internal policies, processes and quality assurance mechanisms are aligned with their service provider’s obligations at the time of negotiations.

• Create an approved list of IoT products and service providers, including their capabilities and track records on cybersecurity as the key parameters for shortlisting.

• Incorporate a data protection and open-source agreement into the contracts, which ensures any data generated is either secured or purged after use or at the termination of the contract.


Strategic Planning Assumption

By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.

Analysis

As the personal world of connected consumer devices — such as wearables and health monitoring — collides with the IoT, consumer and organizational IT will become indistinguishable, and digital capabilities throughout the enterprise will simply merge. This has generated significant interest from an IoT strategy perspective among businesses. The inquiry volume has stabilized to 10% of the yearly volume of IoT inquiries every month consistently between May 2016 and December 2016. During the second half of the year, the inquiry volume was more than double with respect to the first half, showing increased maturity and interest.[1] Supporting this evidence is the increased interest in cybersecurity (see Note 1) and privacy concerns, which remain the biggest barriers to IoT success (as shown in Figure 1). In a Gartner survey on the IoT conducted during the fourth quarter of 2016, security concerns, potential risks and liabilities, privacy issues, and regulatory issues were among the top 10 barriers, with security concerns as the main barrier to the success of IoT.[2] This research will focus on addressing the required sourcing and vendor management leader actions to address the main barrier depicted in Figure 1: cybersecurity.


The evidence available (from public domain sources) warns that one of the biggest distributed denial-of-service attacks ever seen took place in Europe, where a botnet comprising thousands of hacked IoT devices took aim at a European web host and flooded it with a data deluge that exceeded one terabit per second.[3] Similarly, it has been revealed that smart TVs are also vulnerable to hacking using simple devices.[4] The IoT brings unprecedented security risks and challenges to enterprises as it makes further inroads into businesses.

Figure 1. Barriers to IoT Success

[Figure: horizontal stacked bar chart, axis 0 to 40, with segments for Ranked First, Ranked Second and Ranked Third. Barriers shown: Security concerns; Cost/funding concerns; Implementation/integration complexity; Privacy concerns (e.g. of customer or enterprise data); Potential risks or liabilities; Difficulty in predicting business benefits; Regulatory issues/concerns; Technology is immature; Resistance to change within the organization; Insufficient time or resources to develop ideas to benefit from IoT; Lack of necessary staff skills; Fragmented executive leadership; No real leadership for IoT within the organization; Other barriers.]

Notes: Question we asked: What are the three greatest barriers to the success of your organization’s IoT activities? Number of respondents = 2,539. Multiple responses were allowed.

Source: Gartner (February 2017)

Currently, as revealed in Gartner’s “Hype Cycle for Enterprise Architecture, 2016,” IoT architecture has entered the Peak of Inflated Expectations. It will reach the Plateau of Productivity within five to 10 years, while in the meantime, continuing to grow at a steady pace. Gartner estimates there will be approximately 20 billion connected IoT devices by 2020; others project much higher numbers.[5]

Businesses will see rapid adoption, and suppliers will produce devices at a rapid pace. During this fast adoption phase, clients should practice restraint when acquiring IoT products and IoT-based solutions and services, or when selecting service providers for IoT products, solutions or services. Businesses need to ensure that IoT solutions are secure before committing to acquire them.

In addition, since revenue maximization is one of the top objectives of businesses, risk management needs to be addressed in a sensible manner so that it does not become an inhibitor. Businesses must learn how to mitigate risks faster on their journey for rapid adoption, enabling the business to quickly implement IoT processes with an ecosystem of partners. This is the main objective for sourcing and vendor management leaders strategizing for IoT implementation.

Gartner sees the following key impacts for sourcing and vendor management leaders when correlating the IoT and cybersecurity, as depicted in Figure 2.


Figure 2. Impacts and Top Recommendations for Sourcing and Vendor Management Leaders

Impacts

• Existing cybersecurity policies and procedures will undergo changes to support the adoption of the IoT, introducing new cybersecurity challenges for sourcing executives.

• Increased competition will drive enterprises toward rapid adoption of IoT with shorter procurement and sourcing cycles, leaving less time for sourcing and vendor management leaders to address cybersecurity.

• Fragmented demand and a proliferation of suppliers, coupled with faster supply chain expectations and myriad of IoT products, will increase sourcing complexity related to cybersecurity for sourcing and vendor management leaders in stitching the demand and supply together.

Top Recommendations

• Review architecture and design cybersecurity. Evaluate internal policies, processes and quality assurance mechanisms. Consider available frameworks and guidelines (such as FTC rules) before investigating the IoT provider market.

• Create an approved list of IoT products and providers, including their capabilities and track records on risk, cybersecurity, privacy and compliance, as a key parameter for shortlisting.

• Incorporate a data protection agreement to ensure any data generated is either secured or purged after use or termination of contract.

FTC = Federal Trade Commission

Source: Gartner (February 2017)

Impacts and Recommendations

Existing cybersecurity policies and procedures will undergo changes to support the adoption of the IoT, introducing new cybersecurity challenges for sourcing and vendor management leaders

The proliferation of IoT solutions and services, in combination with the rapid adoption of IoT by consumers and businesses, puts pressure on the sourcing and procurement teams to accept solutions and services with limited built-in or architected cybersecurity and safety features. In the same sense, service providers are using the competitive pressure to directly sell to business buyers, circumventing sourcing and procurement altogether, introducing numerous potential vulnerabilities.

This will place businesses in jeopardy when such IoT products or services are deployed in a mission-critical role. Hence, sourcing and vendor management leaders must invest in creating and maintaining a flexible, yet unambiguous, IoT risk mitigation strategy that can be applied rapidly during the initial selection and contracting period, with a main focus on cybersecurity.

Recommendations

Sourcing executives should:

• Collaborate with business and IT stakeholders to establish an IoT center of excellence (COE) and formalize IoT adoption principles covering — at minimum — cybersecurity, privacy and compliance. An effective COE can then establish a framework for adoption, enabling processes and structures, to provide help in creating a productive digital business and IoT strategy. The COE should also provide for terms and conditions that can be incorporated in agreements during the implementation of IoT products and services.

• Engage with cybersecurity and compliance teams to ensure that new policies and procedures manage risks associated with IoT. Review current guidance, such as the FTC rules, to ensure risks are measured, and mitigation activities are defined and formalized.[7]

• Always consider external IoT specialists to develop an enterprise risk management framework for the evolving IoT ecosystem. Even if there is an internal COE, it’s better to be safe than sorry.


Increased competition will drive enterprises toward rapid adoption of the IoT with shorter procurement and sourcing cycles, leaving less time for sourcing and vendor management leaders to address cybersecurity

The fine balance between agility and cybersecurity, risk and compliance needs to be defined. Sourcing and vendor management leaders working closely with cybersecurity, procurement, finance, IT and business teams can devise ways that can enable such rapid implementation — especially since blocking the pace of adoption with constraints may be detrimental for the business. The principle of imposing control through command, constraint and compliance must transform to become engaging, thus enabling and empowering the business with suitable processes, frameworks and tools.

Unfortunately, it cannot be ruled out that, in some cases, other departments within the business will circumvent the IT department completely by directly procuring the necessary IoT components. This is a significant concern, corroborated by the current and similar situation occurring with cloud adoption, which we have observed over some time. This can bring additional cybersecurity challenges.

Recommendations

Sourcing and vendor management leaders should:

• Collaborate with procurement and business teams to explore IoT devices, services, products and providers to create a preapproved list generated from lessons learned with existing deployments involving cybersecurity and compliance. This will make cycle times shorter and enable rapid adoption.

• Conduct workshops with business leaders to understand the IoT roadmap, and trigger business awareness about safety and cybersecurity requirements as necessary. Create documentation or a playbook to raise awareness on guidelines for purchasing and contractual protections.


• Collaborate with legal, compliance, cybersecurity, consultants and business stakeholders to produce a threat model for IoT. Where necessary, conduct a “readiness review” using an external consultant to ensure that the organization is prepared from both a business and technology perspective.

• Enable rapid prototyping and proof of concept (POC) mechanisms for adoption and incorporation of new IoT products and services by developing IoT-specific sandbox environments and processes. Secure risk management and stakeholder involvement, creating environments that include cybersecurity aspects and support rapid prototyping as well. Produce checklists of risk, compliance and cybersecurity to ensure that they are suitably addressed during rapid IoT POCs. This will shorten the adoption cycle time of the IoT.

• Demonstrate the benefits of a strong demand management framework to the business, while not restricting business development. Focus the framework on matching business demand with analyzed IoT products and technology services, and service providers. Ensure the matching allows for rapid POCs. That way, sourcing will be involved when decisions are made at the business level to acquire new IoT-related capabilities so they can help to vet providers and leverage pooled spend.

Fragmented demand and a proliferation of suppliers, coupled with faster supply chain expectations and a myriad of IoT products, will increase sourcing complexity related to cybersecurity for sourcing and vendor management leaders in stitching demand and supply together

A report published during June 2014 by HP demonstrates that six out of 10 devices with user interfaces are vulnerable to a range of cybersecurity issues. Furthermore, 70% use unencrypted data.[8] Something as basic as corrupted data in a power distribution system can result in substantial risk. A 2012 Computerworld report explained how a heart pacemaker could be hacked to provide a deadly 830-volt jolt.[9]

The IoT will drive convergence of operational technology with IT, which will make things riskier. A large number of devices do not follow the standards and norms traditional IT equipment is built with — partially because of the market pressure to create new products fast, and partially because of the lack of international standards for an increasing number of devices and solutions built on proprietary platforms. This introduces new challenges and vulnerabilities from a cybersecurity and compliance perspective (see Figure 3).

Figure 3. Governance Challenges for IoT Implementation

• Data Security: 31%
• Data Standards: 21%
• Privacy of Sensitive Data: 20%
• Data Quality: 18%
• Retention & Disposal: 10%
• Other: 0%

Source: Gartner (February 2017)

The IoT ecosystem is complex and massive. Currently, standardization does not exist, and maturity is evolving. At present, there is insufficient regulation protecting consumer interests. There is hope that technology alliances and go-to-market partnerships will develop sector experience and acumen. The ecosystem of IoT is grouped into different types of providers, such as:

• IT providers and system integrators (such as IBM, HPE, CSC, Accenture, Capgemini, Atos, Oracle, Microsoft and SAP)

• Communication providers (like NTT Data, AT&T, T-Mobile and Verizon Communications)

• Infrastructure gateway providers (like IBM, Hitachi, Juniper Networks, Cisco Systems, HPE and Fujitsu)

• Original equipment manufacturers (such as Johnson & Johnson, GE, General Motors, Ford Motor, Siemens, Bosch, ABB and Philips)

• Semiconductor manufacturers (like ARM Holdings, Intel, Qualcomm and STMicroelectronics)

Recommendations

Sourcing and vendor management leaders should:

• Engage intensely with providers to understand the portfolio of IoT offerings, market share, verticals supported, growth of IoT business and regions served. Thereafter, revisit the sourcing strategy and seek a deeper alignment through adaptive sourcing. Organizations that develop maturity in sourcing will be more capable of managing risks and compliance from the IoT.

• Collaborate with the legal, IT and compliance teams to establish an integrated contractual framework for your business initiatives, to ensure that the provider will comply with your organization’s ecosystem. Ensure IoT and cloud-related risks are addressed by the business framework.

• Focus on organizational training and awareness before engaging with providers. Include training and awareness as a part of provider obligations.

• Engage consultants and experts to deal with cybersecurity and the integrity of data. IoT initiatives often bring vast data management challenges, since such a huge amount of data is generated. Therefore, the organization will have to analyze what data is useful and how it should be organized to ensure optimal utilization of resources, such as storage, computing and network, as well as discarding unnecessary information and using encryption where needed.


Evidence

[1] Inquiry trend for IoT-related inquiries reveals that between the first half of 2016 and the second half of 2016, the number of inquiries increased almost by 140%. The inquiry volume sharply started rising during the first half of 2016 and became consistent in the second half.

[2] In “Survey Analysis: 2016 Internet of Things Backbone Survey,” Figure 6, “Barriers to IoT Success,” security concerns were ranked at the top (No. 1), privacy concerns was at No. 4, potential risks and liabilities were at No. 5, and regulatory issues/concerns were at No. 7 (n = 2,539) in terms of barriers to IoT. The question asked was: “What are the three greatest barriers to the success of your organization’s IoT activities?”

[3] M. Miliard, “Massive DDoS Attack Harnesses 145,000 Hacked IoT Devices,” Healthcare IT News, 29 September 2016.

[4] J. O’Callaghan, “Could Your Smart TV be Hacked? ‘Red Button’ Feature Could be Used to Hijack Web Accounts,” Daily Mail, 9 June 2014.

[5] T. Danova, “Morgan Stanley: 75 Billion Devices Will Be Connected to the Internet of Things by 2020,” Business Insider India, 3 October 2013.

[6] In “Survey Analysis: The Internet of Things Is a Revolution Waiting to Happen,” Figure 4. IoT Leadership (n = 456) shows that 77% of organizations do not have IoT leadership.

[7] “FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks,” FTC, 27 January 2015.

[8] HP’s security research, related to IoT, revealed some interesting insights into the IoT security. For further information, see “Internet of Things Research Study,” HP, September 2014.

[9] J. Kirk, “Pacemaker Hack Can Deliver Deadly 830-Volt Jolt,” Computerworld, 17 October 2012.

Note 1 Cybersecurity

Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.


Securely Unleashing the endless possibilities of IOT is published by Telefonica. Editorial content supplied by Telefonica is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2018 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Telefonica’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.
