
Addressing the Security Challenges in IoT Adoption with HPE Pointnext

SimonLeech

We’re at the beginning of the fourth industrial revolution (4IR), and a high proportion of the discussions we have with our customers in the manufacturing, smart city, and enterprise sectors are around how HPE can support digital transformations in the context of Industry 4.0. Whereas the third industrial revolution introduced computers, the Internet, and automation into society, 4IR aims to take this one step further, characterized by merging technologies that remove the lines between physical, digital, and biological domains, collectively referred to as cyber-physical systems.


In order to support this major technological shift, IT innovation plays a big role, as do technologies such as robotics, machine learning (ML), artificial intelligence (AI), the Internet of Things (IoT), and Industrial IoT (IIoT). In fact, it’s fair to say that in the majority of customer opportunities that we work on today that are driven by Industry 4.0, the work we have done around AI/ML and IoT has been a key differentiator. Take for example our collaboration with Kaeser Kompressoren to deliver real-time analytics that predict and prevent system outages before they can occur, or how HPE and Aruba have helped Texmark Chemicals to build a refinery of the future featuring advanced IIoT capabilities.

However, every time that a business contemplates adopting new technology and undergoing a significant digital transformation, it’s vitally important that security and risk management are considered at the beginning of the project. Performing a full analysis of the potential security risks and the optimal risk mitigation strategy helps to address up front any concerns that a business may have. At HPE Pointnext we call this Security Everywhere.

Beyond the technology: designing the security architecture

If we look at this specifically from an IoT and IIoT perspective, one of the major risks is the redefinition of the corporate boundaries, and the need to move away from a security strategy defined by the four walls of the data center and towards a new approach that considers all of the connected “things,” wherever they may be located.


IoT security starts with visibility, and technologies such as the newly announced HPE Aruba ClearPass Device Insight platform – which uses machine learning and crowdsourcing to automate the discovery and fingerprinting of all IP-enabled managed, unmanaged, and IoT devices on any wired and Wi-Fi network – certainly provide enterprises with technology that has not been available in the past. This gives businesses a head start in identifying and classifying the billions of newly connected IoT devices that we see each year.

But whilst security technology certainly helps, the value can be significantly increased if it is addressed as part of an overall security architecture. We do this by using the HPE P5 model, where we consider security in every digital transformation, looking at People, Policy and Procedures, Processes, Products, and Proof.  

We have used the P5 model, along with the HPE Enterprise Security Reference Model, to help develop our security solution reference architectures (SRAs). This includes the IoT Security SRA. The SRA provides customers with a multi-faceted view of the security landscape and provides a vehicle to assess requirements by taking a business, functional, technical, and implementation view, following the HPE model for IT Strategy and Architecture.

By using a well-defined framework, we can help customers to address the challenges around all of the major components of both the IT and OT domains. This includes covering domains such as risk, compliance, continuity, cyber defence and security operations, data and application security, identity, secure infrastructure, and physical security, all from an IoT perspective, as well as the processes and procedures behind these.

How security will change with IoT

Whilst a lot of the security controls will be similar to those in a traditional data center environment, there are a number of specific concerns that the SRA considers. Especially in the OT arena, devices are often installed in unguarded environments, and expected to “survive in the wild” for many years without intervention. So it’s important to look at the challenges around device and application security – for example by integrating controls into the software development lifecycle, or using technologies such as HPE’s Silicon Root of Trust to protect device firmware integrity. Identity and access management will also need to be thought about in a different way, particularly around enabling automatic certificate enrollment in constrained devices where traditional methods may no longer be suitable.


The Security Operations Center (SOC) will also have to be integrated into the new infrastructure to help with identification and mitigation of security incidents as they occur, and likewise the enterprise risk management function will have to be extended to understand any new risks.

Whilst the above are just a couple of examples of how security will change with IoT, it’s important to fully understand the implications early on in the project lifecycle. One of the services that we have developed to help customers navigate through the challenges of IoT security is the HPE Security Analysis and Roadmap Service for IoT. This service provides an actionable plan, IoT security architecture, and roadmap to address security technology and controls in the context of a digital transformation.

Learn more about our security reference models and solution reference architectures and how HPE Pointnext can help you secure your digital transformation at HPE Security and Digital Protection Services, or reach out to your local HPE representative.

About the Author

SimonLeech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified in Cloud Security Knowledge (CCSK). He works in the Worldwide Security and Risk Management Practice within HPE Pointnext Advisory and Professional Services. Simon is active on Twitter as @DigitalHeMan.
