‘There is much misalignment between operational and IT systems’

by | Sep 11, 2016

IoT

Digital Creed attended the Gartner Security and Risk Management Summit 2016 in Mumbai, and caught up with Ganesh Ramamoorthy, Research VP, Gartner.

At the summit, Ganesh made presentations on the approaches to securing IoT.

We asked Ganesh for an update on the state of IoT projects in India, and how operational technology is changing the paradigm of trust and security in business. With more devices and things connecting to business and industrial networks, it is crucial for Information Technology to be aligned with Operational Technology. And Ganesh tells us the approach that organizations must follow.

And at the end of this interview, Ganesh indirectly explains why Tesla cars crash in autopilot mode.

Brian Pereira: What kind of IoT projects do you see happening in India? Can you describe some of the bigger ones? To what level has business accepted and implemented IoT and for what kind of applications?

Ganesh Ramamoorthy, Research VP, Gartner

Ganesh Ramamoorthy: We are not seeing any large-scale IoT implementations or projects in India at the moment. There is no such organization-wide project. But at this point of time there are small projects and there are two reasons for this:

Firstly, budgets need to be defined, and there are no benchmarks defined for these IoT projects. So these small projects are a means to help organizations identify what kind of budgets they would need for IoT projects.  The funding for these small projects is coming from the CIO’s pocket or from the business unit that needs this project.

The second reason for small projects is they offer a means of identifying the challenges. When companies implement IoT, they see this angle of mobility coming in, because information is going to be accessed from mobile phones. And then they discover that their platform on the operations side is inadequate to push information to mobiles. There’s no MDM (mobile device management) on the operations side.

So when people start these small projects they realize that there is so much misalignment between the OT (operational technology) and IT systems.

BP: So what should organizations be doing for this alignment?

GR: First, they must do a complete audit of their OT systems. They need to understand their hardware and software infrastructure in their OT.  Are these proprietary systems or commercially available ones? When was the software last updated or patched? That kind of history is not available on the OT side. It may exist, but it is lying with some business unit and inaccessible to the IT side.

Because of this misalignment the actual implementation takes much longer. The alignment must be done together, by the business unit and the IT team.

BP: With the addition of ‘things’ to business networks, the environment is getting more complex. So the definition of trust changes because it is no longer just about people connecting to networks. In this new scenario how does an organization ensure trust and security?

GR: The trust between a person and his personal device is quite implicit. The device would have a fingerprint sensor to authenticate the user. But the critical thing is to authenticate the devices in the IoT environment. They must be authenticated to perform certain functions. That’s where the trust comes in. Once you trust you can authorize.

But the enabling security solutions for this can’t be embedded in the IoT devices, because they are resource constrained (memory, power etc.).

However, in future, we will see some form of trusted execution environments. They will store an ID or a key and the exchange of keys between devices will perform the authentication.  Most of the ARM microcontrollers already include these trusted execution environments.

Moving forward we will see these IDs getting stored at the hardware level itself, and not in a separate partition created by these trusted execution zones. All the semiconductor companies (NXP, ARM, Intel, Freescale etc.) are already working on this.

BP: Now we are getting into Operational Technology, so people’s safety is important. What role does industrial safety play in IoT? What kind of safety mechanisms will emerge?

GR: When devices are communicating autonomously, and if it is a mission critical system, then human safety is critical. Imagine if an IoT device decided to open a valve and release a hazardous gas without any warning. So the safety of the people working in that industrial environment becomes important. Secondly, you have to consider the impact on adjacent systems. And it also creates some business risk for the environment.

Although there is legislation behind industrial safety, this is going to be further amplified because of IoT. Traditionally, we’ve had humans interacting with, and controlling industrial systems and machines. But now it is going to be a whole lot of IoT devices and machine-to-machine communication. So in future, systems will become more automated and employ machine learning too.

BP: Recall the recent Tesla car crashes when drivers enabled the autopilot mode. After such incidents our confidence in automation and autopilot wanes. Why should we continue to trust such systems?

GR: Tesla gives you the autopilot feature with a disclaimer that says: ‘Please don’t take your hands off the steering wheel’. Our ability to trust and rely on these systems is directly proportional to the resolution of their sensors. The closeness of monitoring is the resolution of the sensors. So the question is how closely can they monitor? We are already seeing 32-bit analog-to-digital converters coming in. These advances will improve the resolution of the sensors. Resolution is important for mission-critical systems.

—————————————————————————


Brian Pereira
Brian Pereira is an Indian journalist and editor based in Mumbai. He founded Digital Creed in 2015. A technology buff, former computer instructor, and software developer, Brian has 29 years of journalism experience (since 1994). Brian is the former Editor of CHIP India, InformationWeek India and CISO Mag. He has served India's leading newspaper groups: The Times of India and The Indian Express. Presently, he serves the Information Security Media Group, as Sr. Director, Editorial. You'll find his most current work on CIO Inc. During his career he wrote (and continues to write) 5000+ technology articles. He conducted more than 450 industry interviews. Brian writes on aviation, drones, cybersecurity, tech startups, cloud, data center, AI/ML/Gen AI, IoT, Blockchain etc. He achieved certifications from the EC-Council (Certified Secure Computer User) and from IBM (Basics of Cloud Computing). Apart from those, he has successfully completed many courses on Content Marketing and Business Writing. He recently achieved a Certificate in Cybersecurity (CC) from the international certification body ISC2. Follow Brian on Twitter (@creed_digital) and LinkedIn.