IoT dangers demand a dedicated group

Credit to Author: Evan Schuman| Date: Fri, 04 Oct 2019 13:31:00 -0700

The internet of things (IoT) brings with it a wide range of IT security headaches, along with compliance nightmares — and turf wars.

Internal problem No. 1: Departments that typically have little to no interactions with IT are now directly ordering corporate IoT devices. Maybe you’ve got Facilities purchasing IoT door locks or Maintenance buying a ton of IoT light bulbs. Given that those departments have been purchasing door locks and light bulbs for as long as anyone can remember and have never needed IT or security’s signoff, this can be a problem.

Internal problem No. 2: In many ways, IoT devices (think of devices for tracking pallets on ships or for monitoring where every fleet car is and how fast it’s been driven) are very different from anything else that IT or security has dealt with. The units are capturing data that has never been tracked before — Hello, Compliance. Go away, GDPR regulator — and in different ways, such as bypassing enterprise LANs and cloud networks and using internal antennas to directly communicate.

Blogger Stacey Higginbotham, who runs the Stacey on IoT blog, wrote last week that companies need to rethink how IoT should be managed internally, with the need for a new role explicitly to just handle IoT issues. Higginbotham suggested chief of automation or IT/OT architect (“OT” being operational technology).

Although I would applaud the idea that there absolutely needs to be some consolidation of IoT thinking and authority, I think this would be better handled with a specialist or a specialty team within IT. Consider the cloud. Even though it brings a wide range of technology, security and compliance problems, companies didn’t generally create “chief cloud officer” titles. When the technology is that important and embedded in so many departments, isolating it from the normal IT channels just makes the problem worse.

The most interesting part of Higginbotham’s column is a wonderful passage about the experiences of a BASF asset manager named Amy Odom. Odom spoke on a panel about BASF’s IoT-powered equipment systems that used wireless vibration sensors to predict when systems were about to fail and the best guess as to that failure’s cause. BASF is a $63 billion global chemical producer.

“The system is comprised of 104 sensors and 58 gateways around the plant. The sensors use Emerson’s Wireless HART protocol, sending it to a gateway that in turn sends data over the plant’s Wi-Fi network. But 11 months ago, the BASF corporate IT team decided to replace the Wi-Fi gear in that plant because the access point vendor was bankrupt. They took down the network and made plans to replace it,” Higginbotham wrote. “But they didn’t replace it. Odom said the plant has now been without Wi-Fi, and thus this particular system, ever since the IT team took it down 11 months ago. Recently, the plant experienced an equipment failure that cost ‘something in the six figures,’ which would have been detected by the vibration sensors had they been operational. Odom said that her notes to the IT department had not had any effect, but she hoped that the equipment failure — a clear example of how the lack of Wi-Fi was costing BASF money — might inspire a bit of urgency. That is a particularly egregious example of a corporate IT department not communicating with an operational tech team. But while I was stunned by the idea that a section of a plant might be without Wi-Fi for 11 months, most of the other attendees didn’t seem surprised. As to how anything got done at all, there were other Wi-Fi networks in the plant — just not ones this particular system could use.”

It’s absolutely true that these kinds of corporate disconnects — where one department doesn’t take seriously another department’s requests — happen all the time and is certainly not something that IoT created. But the complex nature of IoT (it’s in so many departments, touching just about every aspect of product life cycle, supply chain and every executive area), coupled with its independent communication capabilities, means that it presents especially challenging threats to the business, along with some wonderful advantages. It needs specialists who are authorized to focus all of their time on IoT issues.

That team can certainly jointly report to the IT and security teams, but a dedicated IoT group for most enterprises is now essential.

http://www.computerworld.com/category/security/index.rss