AT&T Security VP Talks IoT: ‘There’s a Lot Of Nervousness’

Lorna GareyThe business opportunity the Internet of Things represents for the channel won’t reach full potential if customers are scared off by the cost and complexity of security — a few more headlines about attackers hijacking connected cars, and risk-averse business leaders may decide IoT just isn’t ready for prime time.

Part of the answer is helping your technical contacts educate executives. That’s the aim of a new AT&T report, The CEO’s Guide to Securing the Internet of Things, backed up by a survey of more than 500 high-level business and IT decision-makers at companies with at least 1,000 employees.

AT&T's Jason PorterWe asked Jason Porter, vice president of security solutions at AT&T, about a major communications disconnect between technical experts and business leaders revealed in that report, which builds on the CEO-focused Cybersecurity Insights study AT&T released in October.

“The technical experts oftentimes felt like they were just a scapegoat or a figurehead, put there to get blamed when there was a breach, and they weren’t able to get all the attention they wanted – and resources they needed – from senior leadership to be able to drive the fight forward,” says Porter. “And yet, we talked to board members and CEOs who thought cybersecurity was an immensely technical issue. They didn’t know their role, how to get involved.”

That story is a familiar one to infosec pros, but Porter, who was formerly VP of DevOps for AT&T Partner Solutions, says it is possible for partners to help bridge the gap. IoT is an ideal starting point because of the sheer potential upside for businesses – Porter points to projected revenues north of $11 trillion by 2025 – and the scope of the problem. Most survey respondents, 85 percent, are considering, exploring or implementing IoT, but just 14 percent have a formal audit process to even understand how many devices they have and whether these devices are secure.  {ad}

The report offers specific examples, statistics and advice that’s relevant to solution providers looking to communicate better with customers’ line of business leaders — another worthwhile effort given that 68 percent of respondents say their companies plan to invest in IoT security in 2016. Half of those organizations are earmarking at least 25 percent of their security budgets toward IoT, yet many are unsure where to begin.

AT&T recommends a layered approach for securing IoT, giving executives a defined, structured process as well as best practices gleaned from the Industrial Internet as well as network and application security techniques.

“We start with the device layer,” Porter says. “Then securing connectivity, then securing data and applications, and wrapping all of that in a threat envelope that allows you to really see the interactions between all the various aspects of those layers.”

Porter recommends …


… aligning IoT plans with security from the get-go.

“If you deploy IoT in a silo, say in a marketing or operations area, and don’t bring security in upfront, we found a much lower confidence level,” he says, referring to the 90 percent of respondents that are unsure about the efficacy of IoT security measures. Those that are confident have no air between security and IoT teams.

“That physical world meeting the virtual world is where we need to pay attention,” says Porter.

Much of the report is aimed at helping CEOs and business leaders assess risk. An important point is that with IoT, proprietary or customer data may not be the crown jewel.

“Take for example a connected car,” says Porter. “Now we’re covering things that can cause physical harm.”

Regulatory and legal are the final pieces.

“You’re only as secure as your weakest link,” says Porter. That may be a control unit in the cloud, it may be a connected car, it may be a decades-old SCADA system on a manufacturing floor.

AT&T’s advice comprises four steps; there’s much deeper detail in the report.

  1. Assess risk with an eye to IoT. That involves auditing IoT solutions in use among business units. Before you let a customer tell you that they don’t have any, note 10 percent of the AT&T survey respondents cited a “best guess” estimate as their method for tracking the number of IoT devices at their organizations. Nxt, assess the security vulnerabilities of each IoT element, map out worst-case scenarios, determine whether IoT devices and data can be isolated and gauge the value of data associated with particular IoT devices.
  2. Secure both information and connected devices. If a customer has a data-centric security strategy, this is a bit of a change. While hacking a pacemaker or self-driving car is the stuff of movies and test tracks for now, that’s bound to change.
  3. Align IoT strategy and security. IT and business units must be in agreement on the importance of security. Cross-organization, cross-functional collaboration is critical, says AT&T.
  4. Identify legal and regulatory issues. This includes looking at the multiple vendors that are involved in most IoT deployments.

Checks Itself Before It Wrecks Itself

Porter also discussed AT&T’s partnership with Bayshore Networks, which specializes in industrial IoT security. Bayshore brings to the table …


… a content-aware cybersecurity and operational policy platform that can block machine-specific cyberattacks, from both external and internal sources.

“Current security processes have a gap,” says Porter. Consider a robot on a shop floor receiving commands from a remote or cloud-based control unit. Even when the source and destination are sound and validated, what if the command that was inserted tells a robot to discharge its fuel or send an erroneous notification that the ambient temperature shot up to a level at which the factory should shut down?

“That could cost billions of dollars of loss,” says Porter. “That’s obviously a tremendous risk for those industrial firms.”

Bayshore can fill that gap; its platform prevents such disruptions and protects high-value equipment and workers by enforcing operational and safety policies.

“We’re putting them in line between the control unit and the robots,” says Porter. Because the Bayshore application sits in the AT&T network cloud, it can prevent malicious commands from reaching a factory floor without introducing latency.

Porter says he’s met with AT&T’s Alliance Channel and AT&T Partner Exchange; he sees wide agreement that customers want to move to IoT. As for other big opportunities, he cites leveraging software-defined networking for its security benefits.

“There’s a lot of nervousness,” says Porter. For partners equipped to talk IoT and SDN/SD-WAN security, nervousness can spell opportunity.

Follow editor-in-chief @LornaGarey on Twitter.

Leave a comment

Your email address will not be published. Required fields are marked *

The ID is: 50841