Concern about our reliance on the Internet of Things and Industrial Internet of Things (IoT and IIoT) continues to grow, as does concern about the lack of attention being paid to securing mission-critical devices and networks.
A couple of surveys released during the past few days point to deeply related topics that, ultimately, shine a light on how serious the issues are and raise doubts about whether they are being addressed.
A survey by Coromatic done in conjunction with research company Mistat contained responses from more than 330 mission-critical facilities managers in 24 countries. The results are a bit sobering: 49 percent had not performed a business impact analysis to “verify the criticality of their site operations and vulnerability of these in relation to operational disruptions.” Forty-five percent ran their businesses without service level agreements, according to Continuity Central.
There was no lack of acknowledgement that the systems in questions are vital to the proper functioning of their organizations, or their functioning at all:
However, the respondents’ awareness of the business risks with disruptions to site operations is high. More than 70 percent of the responding site managers stated that interruptions to a mission critical facility would have severe or extremely severe effects on their company's overall business. 25 percent indicated that the entire company would be jeopardized in case of a disruption to a mission critical facility.
The kicker is that one of the keys to what some would call a dereliction of duty may be laziness: 37 percent said that they didn’t make investments because the “business case requirements were seen as too complex.”
The report did not mention the IoT. Clearly, however, the IoT will be deep within organizations’ infrastructure and will be key to their security (or insecurity). In other words, the survey, to some extent, was about the IoT.
IndustryWeek and Genpact Research (in collaboration with GE Digital and the Industrial Internet Consortium) released a survey this week that found that while 81 percent of companies believe the IIoT is critical, only one-quarter have a clear strategy for how to implement it. The survey found many concerns. Two of the most common are data security (37 percent of respondents) and privacy (33 percent).
Taken together, the two surveys paint a scary picture: People are worried about security and the privacy of the IoT and IIoT. They have not, however, done the basic block and tackling of ensuring that their infrastructures, which contain IoT/IIoT and other elements, are secure. In some cases, this lack of attention appears to simply be due to lackadaisical attitudes.
We can get a basic understanding of how IoT and IIoT security can be structured from this piece by Red Hat’s Russell Doty at Military Embedded Systems. He explains that IoT endpoints, sensors and actuators send their data to controllers (with which they can be collocated). The key to security is the controller. It must be able to communicate with the endpoint, authenticate the identity of that device, and make sure it has not been compromised.
None of this is easy. It seems doable, however, if security and IT staffs are willing to engage and do the hard work necessary.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.