Monthly Archives: September 2015

Institutional considerations for managing risk around IoT


sockets for vendor products & services

There are a number of things to think about when planning and deploying an IoT system in your institution. In posts here since last spring, several issues have been touched upon — the idea of sockets and seams in vendor relationships, the rapid growth in vendor relationships to be managed and the resulting costs to your organization, communicating IoT risk, some quick risk visualization techniques based on Shodan data, initial categorization of IoT systems, and others. The FBI warning on IoT last week is a further reminder of what we’re up against.

There is a lot to chew on and digest in this rapidly changing IoT ecosystem. Below is a partial list of some things to consider when planning and deploying IoT systems and devices in your institution. It’s not a checklist where all work is done when the checking is complete. Rather, it is intended to be a starting list of potential talking points that you can have with your team and your potential IoT vendors.

Some IoT Planning Considerations

  • Does the IoT vendor need one or more data feeds / data sharing from your organization?
    • Are the data feeds well-defined?
    • Do they exist already?
    • If not, who will create & support them?
    • Are there privacy considerations?
  • How many endpoint devices will be installed?
    • Is there a patch plan?
    • Do you do the patching?
    • Who manages the plan, you or the vendor?
  • Does this vendor’s system have dependencies on other systems?
  • How many IoT systems are you already managing?
    • How many endpoints do you already have?
    • Are you anticipating or planning more in the next 18 months?
  • Is there a commissioning plan? Or have IoT vendor deliverable expectations otherwise been stated (contract, memorandum of understanding, letter, other)?
    • Has the vendor changed default logins and passwords? Has the password schema been shared with you?
    • Are non-required ports closed on all your deployed IoT endpoints?
    • Has the vendor port scanned (or similar) all deployed IoT endpoints after installation?
    • Is there a plan (for you or vendor) to periodically spot check configuration of endpoint devices?
  • Has the installed system been documented?
    • Is there (at least) a simple architecture diagram?
      • Server configuration documented?
      • Endpoint IP addresses & ports indicated?
  • Who pays for the vendor’s system requirements (e.g. hardware, supporting software, networking, etc.)?
    • Does local support (staffing/FTE) exist to support the installation? Is it available? Will it remain available?
    • If supporting IoT servers are hosted in a data center, who pays those costs?
      • startup & ongoing costs?
    • Same for cloud — if hosted in cloud, who pays those costs?
      • startup & ongoing costs?
  • What is total operational cost after installation?
    • licensing costs
    • support contract costs
    • hosting requirements costs
    • business resiliency requirements costs
      • e.g. redundancy, recovery, etc. for OS, databases, apps
  • How can the vendor demonstrate contract performance?
    • Okay to ask vendor to help you figure this out
  • Who in your organization will manage the vendor contract for vendor performance?
    • Without a person/team to do this, the contract won’t get managed
  • Can vendor maintenance contract offset local IT support shortages?
    • If not, then this might not be the deal you want
  • For remote support, how does vendor safeguard login & account information?
    • Do they have a company policy or Standard Operating Procedure that they can share with you?
  • Is a risk sharing agreement in place between you and the vendor?
    • Who is liable for what?
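As an added example (not from the post), here is a small Python script that turns the commissioning questions above into a repeatable spot check: it parses a port scan saved in nmap's grepable output format and compares it with the endpoint IPs and ports recorded in the architecture documentation. The inventory, addresses and scan lines are constructed for illustration, not taken from a real deployment.

```python
from collections import defaultdict

# Constructed inventory taken from the architecture diagram: endpoint -> the
# ports that are supposed to be open. Addresses and ports are made up.
INVENTORY = {
    "10.20.0.11": {443},          # building controller, HTTPS only
    "10.20.0.12": {443, 8883},    # sensor gateway, HTTPS + MQTT over TLS
    "10.20.0.13": {443},          # second controller
}

# Constructed scan output in nmap grepable (-oG) style, as a vendor might
# hand it over after installation. These lines are made up, not a real scan.
SCAN_OUTPUT = """\
# Nmap scan (constructed sample)
Host: 10.20.0.11 ()  Ports: 443/open/tcp//https///
Host: 10.20.0.12 ()  Ports: 23/open/tcp//telnet///, 443/open/tcp//https///, 8883/open/tcp//mqtt///
Host: 10.20.0.14 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///
"""

def parse_grepable(text):
    """Return {host: set(open TCP ports)} from nmap -oG style 'Host:' lines."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")   # port/state/proto/...
            if len(fields) > 2 and fields[1] == "open" and fields[2] == "tcp":
                hosts[host].add(int(fields[0]))
    return dict(hosts)

def drift_report(inventory, observed):
    """Compare what the scan saw with what the documentation says should be there."""
    report = {"unexpected_ports": {}, "missing_ports": {},
              "undocumented_hosts": [], "unreachable_hosts": []}
    for host, expected in inventory.items():
        if host not in observed:
            report["unreachable_hosts"].append(host)   # documented but not seen
            continue
        extra, missing = observed[host] - expected, expected - observed[host]
        if extra:
            report["unexpected_ports"][host] = sorted(extra)   # e.g. telnet left open
        if missing:
            report["missing_ports"][host] = sorted(missing)
    report["undocumented_hosts"] = sorted(set(observed) - set(inventory))
    return report

if __name__ == "__main__":
    for key, value in drift_report(INVENTORY, parse_grepable(SCAN_OUTPUT)).items():
        print(f"{key}: {value}")
```

Run on the constructed data it flags the telnet port on the gateway, a host that is not in the documentation, and a documented controller the scan never saw; the same comparison can be re-run for the periodic spot checks the list asks about.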

Typically, with the resources at hand, it will be difficult to get through all of these — maybe even some of these. The important thing, though, is to get through what we can and then be aware of and acknowledge the ones we weren’t able to do. It’s way better to know we’ve come up short given limited resources than to think we’ve covered everything when we’re not even in the ballpark.

Talking about IoT

word cloud from 3 business magazine articles on IoT


I was curious if language in articles and blog posts on IoT varied significantly with the type of magazine or blog. So my unscientific quick and dirty research was to use three semi-arbitrarily* chosen articles from three different types of blog or magazine, do word frequency counts in each of these, and then from this do a word cloud where font size varies with frequency of the word count. The three magazine/blog types were: business magazine or blog, industry trade magazine or blog, and vendor magazine or blog. (*I say ‘semi-arbitrarily’ because I chose them all myself and I’m sure my Googling/searching habits aren’t without some bias).

The first word cloud above was made by piling the words of all three articles together and then doing a word frequency count on the combined verbiage, sorting the counts, and then creating a word cloud. I used Wordle.net to do this and it makes the last three steps pretty easy to do.

Similarly, I made sorted word frequency word clouds for articles from three industry/trade magazines/blogs and did the same again for vendor magazines/blogs:


word cloud from 3 industry/trade magazines/blogs


word cloud from 3 vendor blogs

Side by side, they look like:

side by side comparison of the same


While there are a number of things that could be done to make the comparison more robust (higher sample count, remove ‘stop words’, etc), I think even this little snippet of samples shares some interesting results (or at least provides direction/motivation for digging deeper with a larger sample set). Some ‘eyeball’ observations from this sample set:

  • security & privacy more prevalent in trade/industry articles/posts
  • vendor articles/posts seem to hit harder on data
  • trades & vendors heavier on sensors
  • business sample skewed somewhat by a chunk of text from one article dedicated to talking about IoT parking systems
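As an added example (not the author's Wordle workflow), the counting steps described above in Python, extended with the stop-word removal the post suggests and a per-category relative-frequency comparison for a single term so that observations like "security is more prevalent in trade posts" can be checked rather than eyeballed. The article snippets are constructed stand-ins, not text from the linked articles.

```python
import re
from collections import Counter

# Constructed stand-ins for the three article sets; the post used full
# articles from the magazines linked at the end of this post.
ARTICLES = {
    "business": ["The Internet of Things will change everything, from smart parking to retail.",
                 "Parking sensors tell the app where the open spaces are in the city."],
    "trade":    ["Security and privacy remain the top concerns for IoT deployments.",
                 "Without security, the sensors and the data they collect are at risk."],
    "vendor":   ["Our platform collects data from sensors and turns it into insight with cloud analytics.",
                 "Data from every device flows into the data platform in real time."],
}

# A deliberately small stop-word list; a real run would use a published one.
STOP_WORDS = {"the", "of", "and", "to", "in", "are", "from", "with", "they",
              "will", "at", "into", "for", "our", "where", "every", "it"}

def word_counts(texts, stop_words=STOP_WORDS):
    """Pile the texts together (as in the post), lower-case, tokenize,
    drop stop words and return a Counter of word frequencies."""
    words = re.findall(r"[a-z]+", " ".join(texts).lower())
    return Counter(w for w in words if w not in stop_words)

def sorted_counts(texts):
    """The sorted (word, count) list a word-cloud tool sizes its fonts from."""
    return word_counts(texts).most_common()

def relative_frequency(counter, term):
    """Share of the non-stop-word total that `term` accounts for."""
    total = sum(counter.values())
    return counter[term] / total if total else 0.0

def compare_term(articles, term):
    """Relative frequency of `term` in each category, highest first, so that
    categories with different article lengths can be compared fairly."""
    scores = {cat: relative_frequency(word_counts(texts), term)
              for cat, texts in articles.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for term in ("security", "data", "sensors", "parking"):
        print(term, compare_term(ARTICLES, term))
```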

Language use is important because, among other things, it directly affects how we categorize, classify, and discuss risk.

Again, no smoking gun here and there’s plenty of room to make this more robust, but the language used to talk about IoT, as it becomes more prevalent, might be interesting to keep an eye on.

 

**********
If you’re interested … the three articles/posts from business magazines/blogs were:
Wall Street Journal –
http://www.wsj.com/articles/the-internet-of-things-will-change-everything-1424664603
Forbes –
http://www.forbes.com/sites/jacobmorgan/2014/10/30/everything-you-need-to-know-about-the-internet-of-things/
Business Insider –
http://www.businessinsider.com/how-the-internet-of-things-market-will-grow-2014-10

The three articles/posts from industry/trade magazines and blogs were:
CIO magazine –
http://www.cio.com/article/2923475/innovation/cios-put-the-internet-of-things-in-perspective.html
Dark Reading –
http://www.darkreading.com/partner-perspectives/intel/securing-the-internet-of-things/a/d-id/1318072
EE Times –
http://www.eetimes.com/document.asp?doc_id=1325079

And the three articles/posts from vendor articles/posts were:
Cisco –
http://www.cisco.com/web/solutions/trends/iot/introduction_to_IoT_november.pdf
Microsoft –
http://www.microsoft.com/en-us/server-cloud/internet-of-things.aspx
Atmel –
http://blog.atmel.com/2015/06/26/6-reasons-why-the-iots-true-value-remains-untapped/