Understanding and Scoping Risk in Large IoT Project Planning
"The only real security that a person can have in this world is a reserve of knowledge, experience and ability."
Henry Ford
As I’ve stated in other articles, it is critically important to clearly define what IoT means for your project. Without a clear definition you drive up the risk of cascading human error throughout the project. This is where the Gartner IoT Reference Model I shared in my 20 Years of IoT article comes in handy. I use the Gartner model extensively, first because it's as close as I can find to a neutral body (between vendors and customers), and second because it's good (technically sound).
Learning from their model, the next step in scoping risk for your project is to define what Tiers, Layers and Interfaces your proposed solution architecture contains. Building out your solution architecture takes time to do well. Many with an engineering background can quickly design a technically sound architecture, but there is often little operability or interoperability considered in the design. Others with little to no engineering background will build beautiful slideware that looks like it could work…but lacks the technical depth required to be feasible.
Generally speaking, I focus the security section of my IoT project planning on 5 primary security tiers:
- Presentation Tier
- Domain Logic Tier
- Data Storage Tier
- Physical Infrastructure Tier
- Operational Tier
These general tiers help to provide qualitative and some quantitative data to deeper security planning and assessments later in your IoT project. They are very much informed by and align to my age-old resource, the National Institute of Standards and Technology (NIST) guidelines. Within their vast volumes, I specifically leverage the Framework Core they provide. Reference below; a good explanation of each step by Ethan Bresnahan from Oct 2019 can be found here.
In order to help you get the best first Basis of Design (BOD) established that will ultimately result in a viable solution architecture, I put together a basic checklist of considerations. I use this approach in the early stages of building a solution architecture to determine a very high-level scoping of security considerations.
Discovery
- When was the last time the user ran a systems wide security and risk assessment?
- Did these assessments include both production and non-production systems?
- Did these assessments include physical security threats?
- Did these assessments include internal personnel threats?
- If these assessments were not done in the last 12 months, will your IoT project also include them?
Operations
- How many tenants, how many systems and what is the scope of systems interoperability?
- What level of network security is the standard and is that standard always met before access is granted?
- What is the standard operating procedure when the company acquires another? Does it include adherence to the acquirer's security standards?
- Which operations have which mix of physical and systems security dependencies (e.g. is it a maintenance operation)?
- What operational threats have already been identified? Are there known gaps already?
Physical and Infrastructure
- Do systems, physical and access to infrastructure levels of security match? Said another way, do the data centers have Tier IV network security but no physical barrier to prevent a dump truck from driving through the front door?
- Are staff with privileged access to secure locations fully vetted?
- Is there an existing video surveillance system? If so, how contemporary and how is it accessed (systems and physical)?
- What is the current security posture on physically removable disks? Are “USB sticks” allowed? Can a data center technician walk out with a bag full of SATA drives?
- Does the user physically partition infrastructure based on security attributes (aka secure infra tiering)?
Network and Systems
- How many applications does the company currently maintain? Is an org-wide application profile available?
- How many networks do they run, what is the security architecture for each, how contemporary is it?
- Are their networks standardized by vendor or in any other way (software defined networking)?
- What is their policy on mergers and acquisitions, and how does it affect network security?
- What is the current scope of systems interoperation, including APIs and any other exchanges that happen between systems?
While I’ve not spent all that much time dedicated specifically to security in my career, I’ve been in and around it a lot. So much so that I think this exposure, coupled with my military upbringing, has culminated in a security-minded approach to IoT. The questions and approach I’m just touching on in this article are reflective of hundreds of pages of in-depth considerations that can go into even a single user/project. My larger challenge in writing this was in consolidating and prioritizing all that content into a basic checklist approach.
So please don’t look at this post as all that is needed to have your IoT project plan “security assessment ready”. It is simply a high-level guide to help ensure a solid, basic scoping of your IoT project. Once you have a basis of design that you move on to a solution architecture…you have only taken the first 2 steps. With that initial solution architecture you will then need to gear up for the many reviews and challenges it will go through before final approval. The security, network, storage and larger enterprise IT orgs will all need to sign off…and it happens fast! Having these questions already asked, and hopefully answered, makes your IoT project better.
The final point I will make on using a list of good questions to scope your project is around relationships. It doesn’t jump out in an article like this but when you come in with good questions, it already sets you apart. And you have to ask these questions of many of the same people who will later have influence over the success or failure of your project. As you do, you start to build solid relationships of trust…simply because you’re asking the right, bigger picture questions early on.
Feel free to comment below on this article and please share any other resources out there you like. I, for one, really like what RSA is doing these days, and I’m giddy with excitement to see what they will do post-Dell. I already love their IoT Security Monitor (dash below). They’ve covered just about everything I mention above in the Discovery section and a bunch on the Network as well (all the way to the edge!). More on their offer here.