The Internet of Things – Understanding IoT from a Security Perspective

Watch the 3-minute video here or on YouTube, or read the transcript below.

Transcript

I think sometimes we like trends and we like buzzwords. We like to really look at things as some type of new hype or something that’s new. The Internet of Things is nothing new. It’s something that’s been around ever since computers got connected together. 

Computers are the Internet of Things. Networked devices, phones, servers – anything you connect to the network is the Internet of Things. So we like new buzzwords and new terms, but the Internet of Things really is just another connected device. It’s no different from a network as it was many years ago.

What has changed are the types of functions of the devices that get connected; what tasks they carry out. Where, in the past, it was computers which had the ability to be programmed or changed to carry different functions – whether it be a web application or whether it be some type of financial application – today devices and hardware are now carrying out more specific functions, more targeted, more simple tasks. And that’s really what we’re seeing: more microsystems and microprocessors being put in place. So we get into this hype of, you know, “it’s something new,” but it’s not new. It just means that the function it carries out is.

Now, from a security perspective, we also tend to look at it in the wrong way. We look at these new devices as something that’s very vulnerable and very high risk. But in fact most IoT devices out there have very low risk. What we need to understand is: I don’t look at an IoT device as an IoT device. I look at what its function is. Is it a data processor? Is it a data collector? Is it a data correlator? I look at what its actual role in the network is.

And that’s how I look at it basically from a risk perspective. Is it something that could potentially attack the network? Is it something that could have data poisoning, that the data that it is actually generating can be manipulated? Is it providing an access point for an attacker to gain access to the network?

So we really need to change how we actually define those devices and look at it from much more of a risk perspective – into what is the type of device and data it’s gathering or participating in or processing? And what can that data be used against? So this is where I look at it: it’s not from an IoT perspective, but from a function and a risk perspective. And that’s what we need to do today. We need to do better risk assessments in IoT or network-connected devices, versus just looking at them as connected devices. 

Joseph Carson, Chief Security Scientist & Advisory CISO at Thycotic, has more than 25 years of experience in enterprise security. He is a CISSP and an active member of the cybercommunity, speaking at conferences globally. He’s a cybersecurity advisor to several governments, as well as critical infrastructure, financial, and maritime industries.