Risk assessment in any IoT rollout

by Mark Rowe

Matthew Margetts, a director at IoT company Smarter Technologies, which offers tracking and ‘smart building’ products, writes on the importance of IoT risk assessments. While cyber security needs round-the-clock consideration, the process of mitigating risk should not be onerous, but rather positive. These risk assessments, as Matthew explains in his opinion piece, are about being prepared to meet the challenges as they happen, rather than having to take remedial action later down the line.

The Internet of Things (IoT) is a wonderful phrase that communicates the positive power of technology in the home or workplace, and the ability to take control to direct an outcome remotely. No ambiguity—you ask for it to happen, and *puff*, it is done. From switching heating controls to flushing toilets and replenishing items, the IoT automates, optimises and controls both simple and complex day-to-day tasks.

But what if the control is hijacked by someone unknown, operating at a distance with a dark motive? Impossible to imagine … or is it? I recently heard of white supremacists in the United States seeking to take control of the automated chlorine (Cl) release valves at a municipal water treatment works. Their intention was purportedly to increase the levels of Cl in the water. Why? Did they want to bleach everyone, to lighten the population in some misguided way? Ultimately, the “purification purge” failed, but it did act to spread fear, even terror, of simple technology being turned against the community.

As a manufacturer of remote monitoring and control equipment, I was recently asked about security to prevent third-party attacks along with the security audits we support and sponsor. At this point, it must be noted that we use radio spectrum that is not truly “Internet of Things”, but we are lumped into that category (perhaps because Radio of Things is not a good acronym?). But the principle of security is the same: one must undertake a risk assessment on any equipment being introduced.

At a minimum, the risk assessment should cover:

What are you monitoring?
How is this being done?
What would happen if the data were lost, tampered with, et cetera?

In 99pc of cases, the risk is minimal as the data flow is linear, heavily encrypted, backed up, and the monitors do not affect the operation of the underlying equipment.

Where a device can take control—such as in an auto flush system or entry door control mechanism—clearly, the operational software and device firmware need to be understood, and, at minimum, meet UK standards. Further, the operational protocols need to include provisions for what happens if the equipment malfunctions, and for how that is captured and remedied. If people get locked in a revolving door, for example, you need definitive, easily accessible information on how to get them out.

IoT risk assessments are not onerous. I believe that conducting a risk assessment allows the client to look at the operations of a property or unit independently of the IT piece. This presents an opportunity to consider separate systems and outcomes. Importantly, the client considers how they act on the data they are capturing, ensuring that the patterns that are revealed are understood and that the associated benefits can be harnessed across the organisation.

Cyber security is a 24/7 consideration, but the process of mitigating risk should be a positive experience. It is about being prepared and ready to meet the challenges rather than having to take remedial action.

About the author

Matthew Margetts is Director of Sales and Marketing at Smarter Technologies. His background includes working for blue-chip companies such as AppNexus, AOL/Verizon, and Microsoft in the UK, Far East and Australia.

© 2024 Professional Security Magazine. All rights reserved.