As CIO for WSSC, which is a century-old public water utility serving Montgomery and Prince George’s Counties in Maryland, I realize more and more that it is critical for me to become a nimbler leader who is expected to constantly evolve, improve and communicate with my business partners more effectively to understand their needs and to be responsive in my service delivery. This evolution has challenged me to find new ways for the central IT organization to complement the business and enhance operations while balancing against the need to support and modernize existing infrastructure and systems.
It is reminiscent of the famous Bruce Lee quote, “Empty your mind, be formless, shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot it becomes the teapot.”
The role of CIO, as it exists today, must take on formlessness. Our roles are not what they were ten years ago and certainly not what they will be a decade from now, which means, if we want to remain relevant and effective as technology leaders, we must embrace the fact that technology change is constant, and that the level of business complexity will only continue to increase. This also means we must observe, learn, adapt and take actions that match the level of technical complexity we’re responsible for governing.
One of the advancements that increases complexity is the maturation of internet of things (IoT) devices onto the computing network. Although IoT is not all that new, our understanding and willingness to embrace the advent of technologies that are beyond our full control, as a strategic priority, is.
IoT is loosely defined as a network of end points that could include devices ranging from vehicles to thermostats and other appliances which contain electronics, software, actuators, and connectivity allowing those end points to communicate, interact and exchange data.
The introduction of these devices means our plans must now extend beyond standard computing devices such as desktops, laptops, smartphones and tablets, to a wide range of technologies that are able to communicate and interact over the internet.
Gartner estimates that by the year 2020, there will be over 20 billion commercial IoT devices to account for, which does not include smartphones, tablets, and computers. Cisco expects these 20 billion IoT end points to generate more than 500 zetta bytes per year in data, which will only increase exponentially, year over year. These same devices are also expected to have an economic impact of almost $9 billion yearly.
This explosion of technology means we must work aggressively to be prepared for an increased realm of responsibility. Obvious considerations such as cybersecurity, data aggregation, asset management, governance and legal concerns are foundational considerations to account for when carefully formulating plans for introducing IoT devices onto a production network.
Failure to do so is likely to result in increased liability and negative exposure for organizations that are otherwise already constrained from a financial and human capital perspective.
One visible example of the reputational damage that can be brought on by the blurring of the network edge, caused by IoT, is the Target breach which occurred in 2013. According to multiple published reports, the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor.
Obvious considerations such as cybersecurity, data aggregation, asset management, governance and legal concerns are foundational considerations to account for when carefully formulating plans for introducing IoT devices onto a production network
The vendor in question was a refrigeration, heating and air-conditioning subcontractor, working in multiple Target locations and with other top retailers. They supported Target by monitoring energy consumption and temperatures in stores through IoT devices, to save on costs and to alert store managers if temperatures in the stores fluctuated outside of an acceptable range, which could prevent customers from shopping at the store. To support this solution, the vendor was able to remote into the system to perform maintenance activities such as updates, patches and software troubleshooting.
This arrangement eventually resulted in a group of attackers using the credentials stolen from the subcontractor to push their malware to the majority of Target’s point-of-sale devices, allowing them to actively collect card records from live customer transactions. Once the event concluded, the breach had exposed approximately 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013, leading to a significant reputational and financial hit that took Target years to recover from.
The Target example is only one of many possible examples but highlights the need for strong policies and governance that actively restrict access to network resources by third party vendors. It also highlights the express need for network segmentation which would limit the ability for an attack to propagate fully throughout the entire enterprise, reducing overall exposure and liability.
In addition to policies and governance, solid IoT device security must also be at the forefront of planning. This means devices must be hardened against known vulnerabilities, in accordance with industry best practices, and should be deploying via a layered approach which requires would-be intruders to account for and circumvent multiple network obstacles designed to protect the device and its data from unauthorized access and use.
As previously mentioned, IoT devices generate a staggering amount of data. To protect this data, we as technology leaders must ensure strong security operations policies are in place, which should be complemented by comprehensive, recurring training programs for all end users and individuals with access to the computing network. Granular audit trails, endpoint anomaly detection, and a responsive forensic security capability are also critical elements to ensure that any breach is detected, and effective and timely remedial steps are taken before contagion spreads.
Lastly, to complement device security and data protection, organizations must also ensure that the networks they rely on for IoT communications are secure. This includes the use of robust user authentication and access control mechanisms to make sure only authorized users are permitted access to networks and data.
These are not guarantees that a breach will not occur, but it does reduce the overall level of exposure we face. With the convergence of all these considerations, and with our continued evolution as technology leaders, we will be positioned to effectively meet the complexity of an IoT powered world, head on.