Académique Documents
Professionnel Documents
Culture Documents
they can more easily cause real- ers to use rogue wireless infrastructure and in-
tercept traffic between devices and cloud-based
world damage to life and limb. management systems, thus opening the door to
compromised data and penetration of upstream
assets and applications.
Imagine the failure of a telematics system directing
Device Spoofing: Improper implementation
your autonomous vehicle, or firmware operating of digital signing technologies like public key
life-sustaining medical devices or the electric grid. infrastructure (PKI) can enable a knowledgeable
attacker to spoof legitimate devices and disrupt
Product Liability IoT deployments.
Malware: Cyber criminals are fast adapting their
While traditional product liability law is well estab- creations to operate on embedded IoT devices, in-
lished, it is less clear on the role that software and cluding point-of-sale systems, home broadband
cloud-based infrastructure providers may have in routers, and connected health devices.
failures that result in liability or other legal claims
Application-based Attacks: Application vulner-
involving connected products.1
abilities pose one of the most significant risks to
the Internet of Things. Attacks that target secu-
Business Disruption rity weaknesses in the firmware and applications
running on embedded systems, or on back-end
With the IoT, a balky software update that previously
application and database servers, can provide
would have been a headache for in-house users can
instant, high-level access to IoT deployments.
now ground an entire fleet of cars or trucks. A failure
at a cloud provider hosting IoT services could cause
regional or even global disruptions to IoT deployments
and the businesses that rely on them.
1
http://www.law360.com/articles/646492/3-ways-internet-of-things-will-impact-product-liability
0101
0101
1010
0110
0110
External Information Sources
Rules / Analytics Engine
Communications Infrastructure
Network and System Administrators
Compliance/Regulatory Risk
CORE IoT COMPONENTS AND USERS
In regulated industries, IoT deployments will compli-
cate the already difficult job of identifying and secur- Smart, Connected Products
ing protected data and devices. Whether it is protected
health information or credit card data, organizations Cloud-Based Services
will need to expand their current audit and compliance
regime to encompass IoT devices and their supporting Smart Product Applications
infrastructure and data in the cloud.
External Information Sources
CORE COMPONENTS AND USERS
Business Systems
The first step to addressing IoT risk is to understand
Communications Infrastructure
the key components of typical IoT deployments.
Connectivity
Properly addressing the full scope of security concerns
requires careful planning and investment at each level IoT Users
and with each component in the IoT value chain.
foundational element of the IoT. With the IoT, companies and end users will increasingly
gain the ability to integrate data from a fast-growing
As companies deploy ever more diverse connected ecosystem of information service providers tapping
products and devices, the applications, storage, into product, service, environmental, business, gov-
compute power, and intelligence that support them ernmental, and social sources.
generally shift from powerful endpoints like desktop
Business Systems
and laptop computers to systems deployed in
the cloud. While the IoT is changing our definition of what is and
can be a computer, organizations that wish to reap
Additionally, management and analytics platforms
the benefits of IoT devices still must find a way to
hosted in the cloud are an ideal way to manage glob-
integrate IoT data into existing mission-critical appli-
ally distributed populations of thousands or millions
cations and processes such as PLM, ERP, CRM, and
of connected endpoints. Already, cloud-based services
SLM if they wish to create new, innovative applications
provide platforms to deploy and manage IoT applica-
and services.
tions and collect, store, and analyze data from smart,
connected product endpoints. Cloud-based manage-
Communications Infrastructure
ment servers provide resilience, scalability, and
easy access to third-party applications and services The IoT is deployed on top of existing communications
provided by business partners. infrastructure, including wired, wireless, cellular (3G
and 4G), and satellite communications which connect
intelligent endpoints in the field to applications and
management infrastructure in the cloud.
IoT Users
Devices
Finally, IoT deployments typically involve a wide range
Poor product planning, design, and development are
of end users of the smart, connected products, as
the root causes for many IoT-related security incidents,
well as business and IT users inside the company
from leaked data and invasions of privacy to compro-
and with partners. The end users are typically your
mises of sensitive IT environments.
own customers or the end users of your customer or
partner organizations. They might interact with your
Even when IoT products ship with robust security
products in any number of settings, including home,
features, they often have default configurations that
office, factory floor, car, store, hospital, or sports or
undermine those features. The net result is often IoT
entertainment venue.
devices that are easy prey for malicious actors operat-
ing within or even outside of a protected environment.
Business users help define the objectives, scope and
purpose of IoT initiatives, and benefit from the services Cloud
and data they provide. For many business users, this
requires new skills and new ways of working. Robust cloud-based applications and infrastructure
provide the backbone of IoT deployments. Securing
Network and systems administrators perform many that infrastructure and communications to and from
of the same tasks they do for traditional IT but with IoT endpoints, applications, and information sources
a much broader and more complex set of assets, is one of the most important considerations for any
applications, data, and users to manage, support, organization looking to launch a new IoT offering or
and secure. migrate existing products to the IoT.
Shared Components
ONE SIZE DOES NOT FIT ALL
Off-the-shelf boards with programmable SOC (system
on chip) integrated circuits have eliminated many of The wide range of IoT strategies, programs, and
systems require smart- and connected-device
the costly, early stages of IoT device creation. Powerful
makers and their customers to carefully weigh
development tools and languages make it relatively
many industry-, device- and deployment-specific
easy for companies to set up device-to-device and
variables to find the right levels of security across an
device-to-cloud communications, endpoint manage- increasingly complex ecosystem.
ment and updating, and new application and service
design in support of IoT devices. Some things to consider:
The same is true of applications that are used to access 7. Secure Users and Access
IoT management interfaces via mobile apps or web
browsers. Like the services they connect to, mobile It should go without saying that the diversity of end
apps and web-based GUIs are susceptible to brute- points and services that define the Internet of Things
force password guessing attacks and theft of creden- creates new and challenging use cases that must be
tials through man in the middle and other snooping supported. For example: A smart city deployment
attacks. Both mobile and traditional PC platforms focused on garbage collection may need to accommo-
are also susceptible to malicious software infections, date everyone from smartphone-carrying citizens,
making local data theft and interception or manipu- to sanitation workers charged with emptying the
lation of session traffic a possibility. containers, to data analysts employed by or working
on behalf of the city.
To minimize these risks, robust procedures are required
during initial design and subsequent maintenance of As with traditional IT products
IoT products and services to identify security vulner-
abilities in core and third-party software and libraries. and environments, careful
In addition, application program interfaces (APIs) used
by IoT applications need to be vetted to ensure that no thought needs to be given to
unauthorized backdoor accounts can provide unau-
thorized, administrative access to IoT deployments.
user roles and entitlements
during the design, development,
Finally, encryption of data at rest on IoT applications
and cloud services is required to protect inadvertent and testing phases of a new
data leaks or to limit the downstream impact of a
compromise of the IoT cloud application.
IoT deployment.
The proliferation of third party services and data with Organizations that are developing a new IoT product
IoT deployments greatly adds to the security challenge or creating a connected version of an existing prod-
in this area. Consider in advance how you will support uct need to consider the different use cases for the
potential partner connections and feeds and how you technology and the user roles that support those use
will manage access and entitlements for business cases. Simply making every user an administrator may
partners, contractors, and outside providers. make feature development simple and smooth deploy-
ment, but it could be a costly design decision once your
product is deployed.
LOOKING AHEAD
ABOUT PTC CLOUD SERVICES
As companies embrace the Internet of Things, the
need to secure the newly connected billions of devices PTC Cloud Services has more than 15 years of
and the entire IoT ecosystem creates a set of questions experience helping clients realize the full value
and potential obstacles to broad IoT adoption. Com- of their solution investment by placing host-
panies anxious to accelerate their IoT initiatives must ing and application management in the hands
focus on, and invest in, a comprehensive and thought- of the experts. With hundreds of IoT deploy-
ful approach to security in order to minimize business ments already under management, PTC Cloud
risk and maximize return on investment. Services professionals have the know-how and
experience to help design, manage, and con-
This guide provides a starting point for discussions tinually optimize your IoT operations, security,
as well as seven specific steps that companies should and environment. They ensure consistent
take as part of the design, development, and imple- application availability with proactive moni-
mentation of an IoT strategy or solution. Organizations toring, performance tuning, and speedy issue
should use the guidelines presented in this document resolution with immediate access to PTC R&D
to begin building a solid foundation of security at and technical support.
the cloud, device, application, and service levels
that supports the reliable expansion of IoT products Talk to an expert or learn more at
and services. PTC.com/go/cloud.