Nearly every conversation I have had around the Internet of Things (IoT) and what it means to an organization starts off with the question, “What is IoT?” This question is often followed by many people giving many different answers. I'm sure I won't solve this problem here in a single blog post, but I hope to add some food for thought.
What IoT is Not
You would expect to start off with a list of things that make up IoT, but I was thinking maybe the first thing is to define what it is not, if that is even doable. Reading through a 2014 article in NetworkWorld, “Eight Internet Things That are Not IoT” we find the following list of items analysts have listed as not being IoT:
- Traditional Mobile Phones
- DVD/MP3 players
- Game consoles
This list demonstrates how fast technology is evolving. While it was a pretty solid list when it was created two years ago, I think we can all agree that today, it's no longer accurate. Significant technological innovations in a number of these items means they are now considered either to be IoT in themselves, or directly tied to an IoT ecosystem. For example, smart TVs have the ability to watch us, record our every move, and communicate that information to a cloud API over the Internet. They also allow us to communicate and control them via voice and applications on our laptops, tablets, and smartphones.
Though the article discussed what is not classified as IoT based on its physical purpose, or requiring human interaction, it has quickly become outdated. Using this information, we can conclude that given the rate of innovation, what isn't categorized as IoT today, may very well be tomorrow, so trying to define what isn't IoT isn't necessarily the best direction to go in.
Traits of IoT
Maybe the better way to answer, “What is IoT?” is by defining the functions that make something IoT. Although, this process does have its own issues. For example, to be classified as a part of IoT, must it communicate to the Internet? If we claim that this is a litmus test for determining it, a large quantity of technologies currently classified as IoT that are in use with industrial and enterprise areas would not meet this requirement.
After reading through a number of documents and papers on the matter and reading many definitions there are four common elements I have identified that are part of the typical identification of IoT:
- Interrelated devices: IoT environments always consist of multiple interrelated systems and technologies which can include: gateways, sensors, actuators, mobile technology, cloud systems and host systems.
- Collecting and sharing data: IoT technology is always found to collect and/or share data from sensors and controllers. This data may be a simple as audio commands from your smart TV to the cloud, or as sensitive as data from a temperature sensor used to control a high pressure boiler system within a SCADA environment.
- Networked together: IoT systems are always network interconnected. This is required to facilitate the exchange of data between the interrelated devices that make up an IoT environment.
- Embedded electronics: Embedded electronics is the corner stone of the IoT. Their specialized functionality and reduction in size has helped fuel the growth of IoT. Without it, IoT would not exist.
Devices vs. Ecosystem
Of course, these four items on their own do not completely define IoT, or better stated, do not completely define the IoT ecosystem. Before we dig into the remainder of this definition, let's explore the concept of an IoT ecosystem. This is key to understanding IoT - we should not consider the technology as stand-alone devices, but rather as elements of a rich, interconnected, technological ecosystem. In a previous blog I stated the following:
“ecosystem—this is where we consider the entire security picture of IoT, and not just one facet of the technology.”
The ecosystem encompasses all of the interrelated parts that make an IoT solution work. Based on that, I believe any device or technology can be part of an existing IoT ecosystem, including desktop computers. If we try to label any technology as “not IoT” we are going to end up either rewriting the rules six months down the road or completely failing when we try to properly define security risk as they relate to deployed IoT solutions. The best way to solve these issues is to understand what an IoT ecosystem is so that we can more effectively define risk and develop solutions to mitigate those risks.
Traits of an IoT Ecosystem
As I said before, the IoT is not about stand-alone devices and if we try to approach it that way we will fall short trying to secure it. IoT is an environment that has an ecosystem that encompasses multiple devices (physical and virtual), technologies (mobile, cloud, etc.), communication methods (Ethernet, Wifi, Zigbee, etc.), and locations (internet, cloud, remote monitoring and control).
Continuing down that path, the following five bullets expand on the Traits of IoT listed above. There is no need for all of these to exist, but typically I find at least a couple of these items do apply to all IoT ecosystems I have encountered.
- Mobile technology
- Multiple end nods (sensors, actuators)
- Cloud APIs
- Multiple communications methods (Ethernet, Wifi, Zigbee, Bluetooth, ZWave)
- Remote Monitoring or Control
I believe by combining these two lists above into a series of questions we can identify the most common traits that make up an IoT ecosystem. This will help us identify the "whole" of an IoT ecosystem. In the end, by properly understanding and identifying the ecosystem we can better test, maintain, and properly secure our rapidly expanding IoT world.
- Which interrelated devices interact as part of this IoT environment?
- How and where do they collect and share data?
- Which technologies are networked together?
- Which systems utilize embedded electronics?
- Does it use mobile technology? How and where?
- Are multiple end nods (sensors, actuators) being used?
- What and where are the Cloud APIs and how do they interrelate?
- Are multiple communications methods (Ethernet, Wifi, Zigbee, Bluetooth, ZWave) being used? Which ones?
- What systems and locations use remote monitoring or control?
Hopefully I have given some food for thought and we can work on answering the bigger question, “What is the IoT ecosystem and how do we secure it?” I would love to hear your thoughts on this subject as we work together to secure the world of IoT.