The Invisible Weakest Link: IoT Supply Chain Provenance and Critical Infrastructure Risk

Leave a reply

When a water utility installs a sensor array to monitor pressure and flow across its distribution network, the procurement conversation typically centers on reliability, compatibility, and cost. Security may appear on the checklist — does the device support encrypted communications? does the vendor offer a support contract? — but the conversation almost never reaches the question that matters most: what is actually inside this device, where did those components come from, and who else has access to them?

That question is the supply chain provenance problem, and it is the most structurally underaddressed vulnerability in critical infrastructure cybersecurity today. It is invisible not because it is subtle, but because the incentive structures governing procurement, deployment, and operations have never required anyone to look. Further, because of market competition and need for speed to market pressures, providers can be demotivated to self-inspect/self-regulate to a sufficiently comprehensive depth.

The Multi-Vendor Stack Few Organizations Audit

A single IoT device — a sensor, a controller, a remote terminal unit — is not a monolithic object. It is a layered and interconnected system. The hardware substrate may come from one manufacturer. The operating system or firmware from another. The wireless protocol stack — Zigbee , LoRaWAN , cellular, etc — from a third. The business logic that governs what the device actually does with data may be licensed from a fourth vendor or written by a systems integrator who no longer supports the deployment. Cloud management functions may route through infrastructure the end operator neither owns nor controls or even has visibility into.

Each of those layers is a potential insertion point for malicious code, unauthorized access capability, or exploitable vulnerability. More importantly, each of those layers typically comes with its own update cadence, its own end-of-support timeline, and its own security disclosure practices — none of which are coordinated, and none of which the end operator is necessarily tracking.

Most operators interact with IoT devices at the interface level. They see readings, alarms, and dashboards. They do not see firmware version histories, component manifests, or the provenance of the cryptographic libraries handling their communications. This is true for many software libraries. When the device works — that green LED turns on or a parameter is successfully read — nobody looks inside. When it fails, the investigation focuses on restoring function, not on what the failure revealed about the underlying stack.

This is not negligence in the ordinary sense. It reflects a procurement model built for a pre-connected world — in a market of intense competition — applied to infrastructure that is now deeply networked and actively targeted.

Why Provenance Is So Hard to Establish

The concept of a Software Bill of Materials — a structured inventory of software components in a given product, analogous to an ingredient list — has gained regulatory traction following the Biden administration’s 2021 executive order on cybersecurity and subsequent CISA guidance. While SBOMs are a meaningful step, they are also far from universally implemented, inconsistently formatted, and largely absent from the OT and embedded device space where the risk is highest. While participation is still mandated for federal acquisitions, CISA’s general guidance remains voluntary. (The 2021 order was partially rolled back by the subsequent administration. CISA reached out for public comment on updated guidance in 2025, but that has not yet been made a regulatory requirement.)

The number of possible IoT component providers can grow quickly. Let’s say we use 10 components from the IoT Component Provenance Stack. For the sake of illustration, let’s say each component of a single IoT device is contributed to by three different providers. This could be in the form of small applications, library dependencies, frameworks, etc. At that point — only one layer down — that means that there could be 10 x 3 = 300 different potential providers of software, software components, possibly hardware, etc. Then go a layer down from there and say that each of those supporting components can also have three different supporting providers. So that means that the device could have 10 * 3 * 3 = 900 different potential providers. Then go one more layer down and say that that last provider also has three different potential providers of software components. So now we’re at 10 * 3 * 3 * 3 = 2,700 different potential providers.

Even in the first case of one layer down — 300 — that’s a lot of components to track and get attestations for. In doing this math, you can of course vary the number of inputs per layer and the number of layers. But even if you used something small like two layers down and two potential sub-providers per layer, you still get 10 * 2 * 2 = 40. That’s still a lot of software, components, libraries, and other items over which to garner provenance. And it is more likely, not less, to have multiple layers and multiple components. Software libraries alone are rich with dependencies on other libraries — often of unknown provenance — and this quickly compounds the “layers.”

The challenge is that getting attestation (or testing) for any one of those components is non-trivial. It takes labor, time, skillsets, and other resources to do this investigation and research. That is time not spent researching, developing, marketing, or selling the device. So a high level of provenance chasing can quickly become seemingly unfeasible in a competitive market with pressure for speed of deployment.

The operational technology sector compounds the problem. OT procurement has historically been governed by engineering departments optimizing for uptime, interoperability, and cost — not by security teams with supply chain visibility requirements. Devices installed five or ten years ago were evaluated against a threat model that did not include nation-state adversaries systematically pre-positioning in US infrastructure. Those devices are still running. And because there are a lot of them and it’s very resource intensive to get to them — think on towers, in machine rooms, in boiler rooms, underground — it is not easy or cheap to swap them out, and that fact demotivates system owners to do so.

Further, their component provenance was never documented at the time of purchase and cannot be reconstructed now without physical disassembly and firmware analysis that most organizations lack the expertise or resources to perform.

I made this argument before the U.S.-China Economic and Security Review Commission in 2018, and the core dynamic has not changed: the gap between what critical infrastructure operators know about what is inside their systems and what a sophisticated adversary can know about those same systems is wide, persistent, and growing. What has changed is that the adversary’s capability and intent are no longer speculative. And this is of course greatly exacerbated by the explosion of AI.

Artificial Intelligence, Mythos, and the Accelerating Provenance Problem

The supply chain provenance problem described above has existed for years. What has changed, abruptly and materially, is the speed at which adversaries can exploit it. The April 2026 announcement of Anthropic’s Claude Mythos model — and the concurrent launch of Project Glasswing, a restricted-access initiative involving twelve named launch partners plus more than forty major additional organizations — made explicit what security researchers had been warning about in more theoretical terms: AI systems have crossed a capability threshold that fundamentally changes the offensive threat calculus for critical infrastructure.

Mythos does not merely discover vulnerabilities; it autonomously builds exploits for them and chains those exploits together, executing what security researchers call full system takeovers with a substantial success rate on first attempt. For critical infrastructure operators already struggling to account for what is running inside their IoT and OT systems, this development carries a specific and uncomfortable implication: the opacity that made supply chain provenance a manageable background risk now makes it an acute foreground one. An adversary equipped with Mythos-class capability does not need to know in advance which components in your sensor array are vulnerable. It can find out faster than your security team can respond.

As AI scientist Dan Hendrycks has noted, models like Mythos make it dramatically easier for non-state actors — not just sophisticated nation-states — to target critical infrastructure. That observation matters for supply chain risk in a specific way: the barriers to exploiting obscure firmware vulnerabilities in legacy OT devices, which previously required deep specialist knowledge and significant time investment, are collapsing. The risk is particularly acute for operational technology environments in energy, utilities, manufacturing, water, and transportation — sectors where many systems are decades old and cannot be effectively patched. These are precisely the systems whose component provenance is most difficult to establish and whose security posture is most dependent on the assumption that finding and chaining their vulnerabilities requires effort that most attackers will not invest. That assumption no longer holds.

The defensive dimension of Mythos is real and should not be dismissed. Anthropic claims the model identified thousands of zero-day vulnerabilities across critical software in the weeks preceding its announcement, many of them decades old — vulnerabilities that had persisted undetected through every prior generation of security tooling. Project Glasswing represents a serious attempt to apply that capability defensively before adversaries develop equivalent offensive tools. The problem, as one analyst framed it, is that Project Glasswing will initially touch only a tiny percentage of the world’s vulnerable infrastructure — and the IoT and OT devices embedded in critical infrastructure will likely not be prioritized by a coalition of major technology firms scanning their own software stacks.

The net effect for supply chain provenance is this: AI-enabled vulnerability discovery has inverted the time asymmetry that operators have historically relied upon. The implicit assumption behind deferred patching, incomplete asset inventories, and unaudited component stacks was that turning latent vulnerability into active exploitation required time and expertise that constrained the threat. Discovery is now accelerating exponentially while remediation still moves at human speed. That asymmetry is the defining cybersecurity challenge of the next decade — and it hits hardest precisely where provenance is weakest.

(Note: much of the performance data comes from Anthropic itself and independent verification and validation is ongoing.)

The PRC Dimension

Chinese-origin components are not rare in the global IoT supply chain. They are dominant. This is not a function of covert insertion — it is a function of market share. Chinese manufacturers produce a substantial proportion of the world’s chipsets, sensors, wireless modules, and embedded controllers. Devices sold under Western brand names routinely contain Chinese-origin components at the hardware and firmware level. This is legal, documented in import records, and almost never surfaced in end-operator security assessments.

The concern is not that every Chinese-origin component contains a backdoor. The concern is structural: under China’s Military-Civil Fusion policy, Chinese technology firms operate under legal obligations to the state that have no equivalent in Western jurisdictions. Firms can be compelled to cooperate with intelligence and security services, to preserve access capabilities, or to provide technical assistance on demand. The legal framework that governs these obligations is real, enforced, and incompatible with the assumption of vendor neutrality that Western procurement has historically made.

The risk this creates is not a specific backdoor in a specific device. It is a pervasive opacity — a condition in which the components most likely to be present in critical infrastructure are also the components whose security properties are most difficult to independently verify, and whose vendors operate under the most permissive legal framework for state-compelled cooperation. That opacity is a strategic asset for an adversary conducting long-horizon infrastructure pre-positioning. It does not require active exploitation to be valuable. It simply needs to persist.

That opacity also facilitates PRC operations such as Volt Typhoon where US, and other countries’, critical infrastructure is quietly compromised for future use, most likely in conjunction with other cyberattack or even aspects of kinetic attack.

What Mitigation Actually Requires

The honest answer is that fully resolving the supply chain provenance problem is not currently possible at scale. The global IoT component supply chain is too fragmented, too opaque, and too deeply embedded in deployed infrastructure to be audited retrospectively in any comprehensive way. What is possible is a structured reduction in exposure — which requires accepting that reduction has real costs and organizational friction.

SBOM adoption as a procurement condition is the necessary starting point. Any new IoT or OT device entering critical infrastructure should come with a machine-readable component manifest. This will not happen voluntarily at scale; it requires regulatory mandate and procurement policy with teeth. The current voluntary framework is insufficient given the threat environment. CISA’s SBOM resources provide a starting point for organizations ready to move ahead of the regulatory curve.

Network segmentation that does not assume device integrity is the operational complement. If you cannot fully verify what is inside a device, you can constrain what that device can reach. Flat network architectures — in which IoT sensors have unfettered connectivity to enterprise systems, or in which OT networks are accessible from IT environments without effective control — are an invitation to lateral movement regardless of what is or is not in the device firmware. Segmentation is not particularly sexy. It is also not optional.

Continuous monitoring fills the gap that perimeter security and procurement controls cannot close. Behavioral anomaly detection in OT network traffic — baselining what normal communication patterns look like and alerting on deviations — is the primary mechanism for detecting exploitation of supply chain vulnerabilities after the fact. This requires OT-specific tooling and, more critically, the human expertise to interpret what the monitoring surfaces. That expertise is in short supply, which is its own compounding problem.

Zero-trust architecture], applied at the device and communication level rather than just the network perimeter, represents the direction of travel for mature deployments. Devices should authenticate before they communicate. Communications should be encrypted even on internal networks. Access should be scoped to what the device operationally requires, not what is convenient to configure and maintain. None of this is technically exotic. All of it is organizationally difficult in environments where operational continuity has historically taken precedence and where security has been perceived as friction.

The Policy Gap

Technology controls alone will not close the provenance gap because the provenance gap is not primarily a technology problem. It is a governance problem. Procurement standards that do not require component transparency create markets that do not supply it. Regulatory frameworks that treat IoT security as an afterthought — or that apply only to specific sectors while leaving others unaddressed — leave predictable gaps that adversaries can map and exploit.

The federal government has moved in the right direction with executive orders, CISA advisories, and the emerging SBOM regulatory landscape. The National Cybersecurity Strategy and NSM-22 both signal a policy direction that takes supply chain risk seriously. The pace of that movement does not match the pace at which sophisticated actors are mapping and pre-positioning in US infrastructure. Volt Typhoon’s confirmed multi-year presence in American critical infrastructure was not achieved through exotic zero-day exploitation. It was achieved through patience, legitimate credentials, and the structural opacity of systems whose operators could not fully account for what was running inside them.

Conclusion

The weakest link in critical infrastructure cybersecurity is not the device that fails the penetration test. It is the component inside the device that nobody thought to examine, sourced from a vendor nobody thought to audit, running firmware that has not been updated since the Obama administration or before. It is invisible not because it is hidden, but because the systems we have built — procurement, operations, regulation — were not designed to see it.

Making it visible requires accepting that security and operational convenience are in genuine tension, that the supply chain problem cannot be solved by individual operators acting alone, and that the threat environment has already adapted to the opacity we have normalized. The question is whether policy will adapt at comparable speed.

Further Reading

CISA Advisory AA24-038A — PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (Volt Typhoon). Cybersecurity and Infrastructure Security Agency, February 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

Benson, Chuck. Managing IoT Systems for Institutions and Cities. Taylor & Francis/CRC Press, 2019. The foundational practitioner framework for understanding IoT data pipeline risk, including supply chain exposure across the full sensor-to-output stack. Available through most research libraries.

CISA. Software Bill of Materials (SBOM) Resources. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/sbom — The authoritative federal resource on SBOM standards, formats, and implementation guidance for critical infrastructure operators and vendors.

New book on managing IoT Systems out this week

Leave a reply

My new book is coming out this week. Printed version out Thursday & electronic versions are out now on several sites including Amazon. “Managing IoT Systems for Institutions and Cities” is for institutional and city planners, managers, and operators as well as academics and IoT Systems vendors.

Topics include:

  • Differences between traditional enterprise IT and IoT System deployments
  • Establishing success criteria for IoT Systems deployments in your institution or city
  • Considerations for cities and institutions across the life cycle of IoT Systems:
    • IoT System selection
    • Procurement of IoT Systems
    • IoT System implementation and deployment
    • Managing and operating IoT Systems
    • Retiring IoT Systems
  • IoT Systems vendor relationships and vendor management
  • Importance of manageability of IoT Systems
  • Assessing the manageability of different IoT Systems
  • Managing multiple interdependent IoT Systems with the institution or city
  • Institutional strategies for managing these systems

Printed version available Thursday 7/17/2019. Electronic versions available now. Available from:

CRC Press

Amazon

Taylor and Francis direct

The Telegraph Bookshop

Routledge

and others …

IoT Systems risk mitigation talk at University of Wisconsin-Madison Lockdown Conference

Leave a reply

Jan Cheetham and I speak on IoT Systems risk mitigation at the University of Wisconsin-Madison Lockdown Cybersecurity Conference in July.

IoT Systems risk mitigation in institutions and cities

Hearing transcript: China, the United States, and Next Generation Connectivity

Leave a reply

hearing transcript – IoT, 5G, US & China

The transcript of the hearing on “China, the United States, and Next Generation Connectivity” before the US-China Economic and Security Review Commission, addressing IoT and 5G technologies, came out this week and is available here. My testimony is early in the document. See earlier post for overview.

Testimony before US-China Economic & Security Review Commission re IoT & 5G

Leave a reply

Earlier this month, at the invitation of the US-China Economic and Security Review Commission, I submitted written testimony and subsequently testified at the China, the United States, and Next Generation Connectivity hearing regarding IoT Systems risk mitigation for institutions and cities as well as considerations regarding 5G deployments on the same.

A copy of the written testimony is here. A transcript of the oral testimony will be available in the next weeks.

The testimony discussed potential benefits of IoT Systems for US government, cities, universities, other institutions, and companies. It also discussed risks to those same entities from IoT Systems implementations. The risks discussed include:

  • Supply chain risks
  • Poor selection, procurement, implementation, and management of IoT Systems
  • Lack of institutional governance and lack of awareness of social-technical issues in IoT Systems deployments

Prior to the testimony, I was asked how the US government could help. I suggested these four areas in the testimony:

  • Standardized provenance vetting and reporting for IoT device components
  • Support for increased US labor force training in Operational Technology (OT) skill sets
  • Support for development of institutional and city IoT governance frameworks
  • Support for data ethnography and socio-technical research and application in context of IoT Systems

The testimony also included comments on supply chain risks:

Provenance of multiple components across thousands, millions (or more) devices is challenging

As well as aspects previously discussed in this blog such as the ability of an institution or city to manage their IoT systems:

where the wild things are [reference to Sendak]

Full written testimony is here:

Click to access Chuck%20Benson_Written%20Testimony.pdf

Bathtubs, manageability, & IoT

Leave a reply

The limited funding and staffing resources inherent in almost all institutions and cities creates a delicate balance between IT systems operations, managing institutional risk, and cybersecurity operations. A critical component to this balance is systems manageability. Implementing unmanaged/under-managed systems can quickly perturb this balance and cause reactionary spending, such as on cybersecurity incident response, institutional reputation damage control, unplanned systems repair dollars, as well as others.

IoT Systems — with their multi-organizational boundary spanning, unclear systems ownership and accountability, lack of precedence for implementation, and high number of networked computing devices (‘Things’) — are particular candidates for unmanaged/under-managed systems in a city or institution. 

Systems manageability

IT systems that tend to be more manageable allow for more predictability in an institution’s resource and cashflow planning.  Criteria for high systems manageability include:

  • having well-defined performance expectations
  • thoughtful and thorough implementation
  • accessible training and documentation
  • strong vendor support
  • others

Unmanaged or under-managed systems increase the likelihood of a cyber event such as device compromise or whole system compromise as well as facilitate potentially substantial operations disruption and unplanned financial burden. 

Bathtub modeling

We can use some concepts from stocks and flows diagrams where the stock is represented by a bathtub to create a basic model of resource availability in this delicate dance of balancing of resources for IT systems operations, cybersecurity operations, and managing institutional risk.

My understanding that the use of a bathtub to represent stocks and flows goes back to 2000 when John Sterman and Linda Booth Sweeney published results of an experiment on how people understand and interpret complex systems. On a related note, I found the book, Thinking in Systems, by the late Donella Meadows to be a very consumable and helpful introduction to stocks and flows diagrams.

bathtub metaphor for stocks and flows

The idea is that the ‘stock’ is the level of water in the tub. Water can flow into the tub, raising the tub level, and that amount can be varied by some mechanism(s) or external constraints. Similarly, water can flow out of the bathtub, draining the tub, and there is a mechanism for controlling the rate of that outflow. And, of course, both could happen at the same time.

Bathtub of bucks

inflows of $$ increase the tub level, outflows of $$ decrease the tub level

Now, imagine that instead of water, the tub holds metaphorical dollars. The tub can be thought of as an account, a set of funds, ‘budget number’, set of budget numbers, or similar. The inflows then are one or more sources for adding dollars to that tub with a mechanism or set of constraints that determines the rate of flow into the tub. Similarly, there is a mechanism for setting how much flows out of the tub (spending or investing).

City and institutional spending

Cities and institutions have multiple sources of inflows, most of which they probably don’t control. Those inflows have independent characteristics from each other as well as some interdependencies with each other. The main takeaway is that the city or institution probably does not control a whole lot regarding what’s coming in.

The spending from the top tub can go to multiple places, themselves other tubs. From the top bathtub, most organizations make decisions between operational dollars (running things) and capital dollars (buying or building big things).

splitting between operational $$ (running things) & capital $$ (buying or building things)

IT & cybersec resources & spending

From the operational dollars tub, some funding goes to IT operations, some goes to cybersecurity operations (eg CISO’s office), and other funding goes to many other traditional and important areas such as HR, finance, policy/law enforcement, and others.

Operational dollars, in turn, gets disbursed across multiple other operational tubs

In the interest of keeping the diagram simpler for our discussion, we won’t include capital spending or non-IT/cybersec spending in subsequent diagrams.

IT systems services and cybersecurity services

Funds from the IT operational bathtub are used to resource the management of various IT systems and sub-systems in the institution or city. This includes both on-premise systems as well as cloud-based systems. Examples include enterprise resource management (ERP) systems, institutional learning/training systems, calendaring and email systems, and others.

Systems that have known performance expectations and implementation precedents (either themselves or peer implementations) can provide the basis for a fairly reasonable calculation to be made on required staffing and funding support requirements.

Similarly, the city/institutional department/organization providing information security services  (usually the CISO’s office) also has a set of well-managed services that are planned for and delivered. Examples of these information security services might include: education and outreach, incident management capability, privacy policy guidance, intelligence analysis, and others. The CISO’s office will work to develop services and capabilities based on the IT systems that the city or institution is operating, known and evolving threats and vulnerabilities, existing risk levels, and others.

resourcing planned and reasonably well-managed systems and services

 

The trouble with unplanned, under-managed, and unmanaged systems

Managing and identifying management support resources can be challenging enough with known systems. Challenges and institutional risk quickly becomes exacerbated though when unplanned or weakly planned systems are added. For example, after the budget/planning cycle, an influential person or group may decide that the city or institution “must have” System X. And then later someone else with influence might insist on (unplanned) System Y.

When these unplanned or under-planned systems are added, several deleterious things can happen:

  • the unplanned system drains from the IT operational funding tub in the forms of implementation staffing, management staffing, and support tools  
  • planned systems now no longer have their expected resources and they themselves can become under-managed in addition to the add-on system that is very likely also to be under-managed
  • institutional/city risk increases because unmanaged/under-managed systems increase likelihood of system comprise due to misconfiguration, mismanagement, lack of oversight, failure of (or lack of application of) controls
  • things get worse as the problem also transmits to a different bathtub, ie the information security services provider for the city or institution, eg the CISO’s office
  • when compromise occurs — particularly on systems that the CISO’s office could not plan for — the CISO’s office is now forced to work in a reactionary mode. This is expensive and pulls resources from planned cybersecurity services

unplanned, under-managed systems also transmit their problems to the CISO’s office in the form of increased likelihood of systems compromise

IoT Systems often fall into the unplanned, under-managed category

Several aspects of IoT Systems deployments can contribute to them having high risk of being weakly planned and under-managed systems —

  • lack of precedent for implementation & management
    • cities/institutions don’t have deep experience with these systems
      • true for all phases – systems selection, procurement, implementation, & management
    • few, if any, peer cities/institutions from which to learn for systems expected to last years or decades (sufficient time hasn’t gone by)
  • accountability and ownership unclear
    • IoT systems span many organizations within a city or institution
    • most organizations are not familiar or practiced at coordinating with each other in this role
  • acquisition path – IoT Systems can come into the institution through many non-traditional paths
    • these IoT Systems are rarely acquired by central IT
    • even if acquired through central IT, traditional systems vetting approaches not sufficient
  • no established vetting of IoT systems prior to purchase
    • performance expectations unknown or unclear (see ownership above)
  • the city or institutional department acquiring the system might not be the one supporting the system
  • Newness and rapid evolution IoT Systems makes them hard to discuss, categorize, and plan for

the newness, novelty, and rapid evolution of IoT Systems will continue to make very susceptible to being under-managed systems

Rapid evolution of IoT Systems vs glacial pace of institutional change

While there are no silver bullets or magic technologies (and we shouldn’t spend much time looking for them) to address these added risks that IoT Systems bring, there are things that we can do now, or at least begin now, that can positively impact our risk exposure as institutions and cities. While we’re interested in mitigating risks that we have now from IoT Systems, the impact of IoT systems in our cities and institutions in the future will be much higher.

Some things that can be done now include —

  • establish a set of criteria for your city’s or institution’s for IoT Systems
    • circulate and share this across the organization
    • one starting point is here
    • a related document from the Internet2 IoT task force on IoT risk  is here
  • identify IoT Systems ownership and accountability
    • require before acquisition
  • identify institutional language used to communicate traditional risk & incorporate that into IoT risk conversations, guidelines, and planning
  • consider an IoT Systems oversight group for your city or institution

Making broad changes, perception changes, and policy changes in cities and institutions is arduous work that takes time, leadership, political capital, and patience.  It is important that we begin now because this level of institutional change will likely take some time and the impact of not making the changes is increasing rapidly.

 

Supporting (& paying for) the network segments that support IoT Systems

Leave a reply

Network segmentation is often promoted as the answer to IoT device and systems management and risk mitigation for an institution, city, or corporation. While segmenting networks is important, a subtle problematic aspect is that:

  1. segmenting networks takes work, energy, and resources in the form of initial investment and ongoing management and oversight
  2. numbers of network segments growth may well track with IoT device count growth – which, at least for the next few years, appears exponential
  3. cities and institutions may not be planning for increased network management resources to support IoT Systems deployments

Success criteria for an IoT System implementation

I use a two overarching component criteria to define a successful IoT System implementation for a city or institution —

1. ROI – does the system perform as expected for the actual (vs projected) costs of deployment and subsequent management

2. Cyber risk – did the implementation of the IoT System make the city or institution worse off in the course of deploying and operating the system?

A key aspect to both of these criteria is system manageability. An unmanageable or difficult to manage system costs more in terms of staffing, rework, repair/updating, and operational disruption. At the same time, a difficult to manage system can create cybersecurity vulnerabilities — both seen and unseen — and divert limited institutional resources from existing operational, cybersecurity and risk mitigation activities.

Similarly, as IoT Systems need to be manageable to positively (at least not negatively) affect ROI and institutional risk profile, the network segments supporting IoT Systems also need to be manageable.

Managing the network segments that support IoT Systems

Networks are no longer, “make this thing talk to that thing,” or “make these things talk to those things.” Network management requires a robust set of supporting system services that support consistent connectivity, resilience, real-time health reporting capabilities, and rapid network diagnostic capabilities.

In addition to these core network support services, for IoT Systems deployments, there is another overarching criteria needed to successfully support and manage networks that support IoT Systems —

The IoT System owner should be able to measure, monitor, and determine performance of the IoT System(s) at any particular point in time. This supports both the effort of determining ROI as well as providing visibility for cyber risk mitigation.

In the case of a city, the IoT System owner might be the city’s transportation department while the network provision is provided by or contracted through the city’s central IT organization. In the case of an institution, such as a research university, the IoT System owner might be an academic department purchasing and deploying an IoT System to support a research grant while the underlying supporting network segment is supported by the university’s central IT organization.

The IoT System owner should not be relying on the network provider to provide IoT application/system management and diagnostic services. IoT Systems are evolving so rapidly, it is very unrealistic to expect the network services provider to have the resources or wherewithal to keep up with the nuances of each new IoT System deployment, much less manage the performance expectations for a rapidly growing number of different IoT Systems.

Examples of IoT System/application-specific network services include:

  • enumeration – how many things/devices are on this network?
    • Is this count different from yesterday? By how much?
  • identification – how many of these devices belong to my IoT System? Have I seen them before? Yesterday? a month ago? How rapidly is this changing?
    • Is what I am seeing different from what I was expecting?
      • (Did I know what I was expecting?)
  • Application-specific network device awareness and health
    • Device heartbeat – are you there?
    • Device performance specifics –
      • Is device characteristic 1 returning a result within acceptable constraints? e.g. voltage level
      • Is device characteristic 2 returning a result within acceptable constraints? e.g. device temperature,outside air temperature (OAT)
      • Is device characteristic 3 returning a result within acceptable constraints? e.g. response time
      • Is device characteristic n returning a result within acceptable constraints?

Accomplishing these requirements is not free. Some technology investment is needed, but more importantly, an organizational framework that supports this activity is necessary.

Growth of devices & growth of network segments

While we don’t know what the rate of growth of network segments is or will be, we can be pretty sure that it will continue to grow for the foreseeable future. This growth in network segments stems from at least two reasons, 1) network segments whether VRF’s, VLAN’s or other are easier to implement than they used to be, and 2) network segmentation is currently a popular strategy for addressing IoT Systems risk mitigation. (Regarding the latter, I believe that this is in part because we don’t know what else to do — when all you have is a hammer, everything looks like a nail).

There are multiple projections that IoT device count is growing at an exponential rate, such as this Ericsson Mobility Report that suggests a 23% annual rate of growth between 2015 and 2021 and this McKinsey report that suggests 15% – 20% annual growth by 2020. Related projections on IoT market growth can be even higher with annual growth over of 50%.

This ongoing steady (or more) growth year after year appears to be exponential growth. While IoT devices don’t compound each other like dollars do, the growth count curve still appears exponential. To borrow from the idea of compounding (exponential) growth in finance — we add 1 to the rate of growth and raise that sum to the number of years out that we want to project and then multiple that whole thing by the starting count —

(Wikipedia)

So, let’s say that we start with 10,000 IoT devices in a hypothetical city or institution and that the growth rate in IoT device count over the next few years is 20% . That growth curve looks something like this —

exponential device count growth @ 20%

(As a quick side note, we can see the Rule of 72 providing a rough estimate of the time it takes to double, about 3 1/2 years, at work here).

Now let’s say that there are currently 1000 network segments (VLANs, VRFs, etc) in that city or institution and consider two hypothetical growth trajectories — one exponential at the same rate as the device count growth rate and one linear growing at 1000 network segments per year.

Hypothetical exponential growth at 20% and hypothetical linear growth at 1000 segments per year

While don’t know exactly what the network segment growth rate or trajectory will be for cities and institutions in particular or in aggregate, we can expect that count to continue to grow for the next several years. With that growth comes an increased demand on institutional and city resources. The question is, are we planning to resource that increase in demand?

Network segmentation management — impacts on ROI & institutional cyber risk

As mentioned earlier, to manage network segments for successful IoT systems implementations, at least two components are required — manageability of the network segment itself and manageability of the specific IoT System(s) on that network. Without both of these, the likelihood of an IoT System’s success for the city or institution is low. Without both of these, the city or institution can expect to feel negative impacts to ROI, the city or institution’s cyber risk profile, or more likely both.

Because both of these success components require current resourcing (eg staffing and tool investment) and planning for future resourcing, success is not guaranteed. If we’re not thoughtful about implementation, we could end up with broad portfolios of a rapidly growing number of unmanaged or under-managed networks. And that’s not good for any of us.

 

Smart campuses & IoT systems deployments

Leave a reply

New article, ‘Smart Campuses Invest in the Internet of Things’, from Campus Technology magazine re smart campuses, IoT, and organizational support challenges and changes for IoT Systems.

[image from Campus Technology magazine]