IoT Benefits and Vulnerability Management: Controlling the “What Ifs”
The Internet of Things (IoT) is reshaping the way we think about technology, security, and business. As most readers know, the promise of IoT involves connecting virtually everything, from toasters to industrial valves and sensors, to the internet. Such a shift in how technology is used brings endless opportunities and, let’s not forget, risks. CyberNB spoke with Rick Ouellette, Chief Risk Officer of Enterprise Risk Management with the New Brunswick Treasury Board, about managing the “what ifs” of IoT and minimizing vulnerabilities.
CyberNB: How do you envision IoT delivering benefits?
Ouellette: IoT will support unimaginable consumer and enterprise innovation, and in doing so, will likely provide cost efficiencies in product and service development and delivery. At work or home, IoT can be implemented to further standardize and automate workflows or tasks, thus contributing to effort reduction and outcome predictability. Also, this same IoT can be leveraged to provide countless data streams to systems that could further analyze these workflow ecosystems, resulting in decision aids in areas such as strategic planning, product development, and resource planning.
CyberNB: What is vulnerability management and how does it apply to IoT?
Ouellette: Much value lies in predictable outcomes. Conversely, unexpected outcomes often result in missed deadlines, cost overruns, and decision errors. There are numerous threats to IoTs delivering outcomes as expected, such as natural disasters, configuration errors, technology damage, and security threats. Note that, by definition, IoT is connected to the internet, thus potentially exposing the technology and associated workflows to significant global threats. Vulnerability management aims to keep weaknesses that threats may exploit in check. I suggest there is a simple formula for calculating the risk to an expected outcome: threats minus vulnerability management effectiveness equals resulting risk exposure. If threats are unknown or unchecked, and the associated vulnerabilities are ineffectively managed, depending on the industries involved, significant health and safety concerns are likely.
CyberNB: What kinds of risks and vulnerabilities can IoT pose at home and on a larger scale?
Ouellette: It appears that IoT will soon be used in every facet of life and contribute to workflows in the enterprise, government, and at home. If we look at the home, more internet-connected things mean more threats directed to the home. For example, when we buy a baby monitor the outcome we want is the ability to monitor our child. However, a misconfigured or unmaintained (patched) device could deliver the unwanted outcome of worldwide strangers watching the activity in the room. That is just at home; on a larger scale, unmanaged vulnerabilities could impact the community through public spaces like the mall, public transit, subways, autonomous cars, or air traffic controllers. If you think about all of the potential IoT delivering desired results in each of the possible industries such as defense, energy, food, mining, industrial, you quickly appreciate the importance of vulnerability management.
CyberNB: How can businesses put more of an emphasis on managing IoT vulnerabilities?
Ouellette: It is accepted that businesses measure, monitor, and manage, for example, revenues, costs, and Workplace Health and Safety incidents. Similarly, companies should increase efforts in monitoring the health of vulnerability management with leading indicators of success such as actual-to-standard IoT configuration-variance trends, process maturity variances, and average response time to mitigate threat exposures. Additionally, measuring and monitoring incident lagging indicators, such as unplanned outages, data breaches, unexpected production speed variances, and IoT-caused accidents, will add value. If businesses perform preventative maintenance and manage IoT vulnerabilities well, the many benefits of IoT will far outweigh the costs.
With the likely proliferation of IoT into every industry and thus workflow, and the magnitude of potential benefits and risks to humans, it is not a stretch to think of proactively ensuring vulnerability management health as one would human health. Personal protection and employee safety must be at the forefront of IoT business decisions. Being aware of the risks and proactively managing them through vulnerability management will protect the economy, industry, and personal safety.
CyberNB is a special operating agency of Opportunities NB.