An interview with Andrew Yeomans
Andrew Yeomans, CISO at ArQit will be speaking at this year’s Smart IoT, taking place at the ExCeL London March 12-13th.
We are constantly reminded of the threats linked to the proliferation of insecure IoT devices and systems, how real is the risk and what are the key concerns to prioritise?
When looking at IoT, there are two main risks to consider - the risk to the data the IoT device itself uses, and the risk to other data and systems on the same network.
You need to have some estimate of the value at risk to prioritise well; some IoT data may be simply "nice to have", some might be costly, and it depends on the context. For example, temperature data might be used for an informative display, or might be used to control expensive heating systems. Businesses therefore need to ask what happens if this data is leaked or altered or lost, and would these devices potentially provide access to other systems.
What dangers can legacy networks and approaches present?
Systems connected to legacy networks can make the assumption that any device on the network ("within the perimeter") is trustworthy, and so may assume other systems on the network are fully authorized and authenticated. In consequence they might not perform the correct checks on any input requests, or may be configured using poor security practices.
For those looking to reap the benefits of IoT, what simple tips can you offer for ensuring safety?
Understand what is at risk, directly and indirectly. Make sure it is mitigated. If all connected systems implement a "Zero trust" architecture, mitigating the risk becomes simpler, without complex network segmentation.
Looking to the future, what challenges can we expect to arise in IoT and how will businesses be able to adapt?
Understanding what has been deployed in an organisation will always be a challenge. As IPv6 networks become more common, it becomes less feasible to perform full network inventory scans due to the larger number of addresses. Understanding how systems interact will also be more difficult, especially when parts of those systems live "in the cloud".
Businesses can adapt by deploying better CMDB inventory systems, which will be enhanced to understand dependencies and external components, together with some measures of device certification state and also business value, so that risks can be much better measured and managed.