Distributed IoT systems can be managed and operated in a variety of ways – some methods lead to flawless operation, and some lead to quite the opposite. But when having an operational IoT system is critical – for life safety, data protection, business impact of a failure, or other unacceptable outcomes – then it becomes important to know that the system is in fact operating exactly as it should. This is the domain of compliance.
There are a growing number of compliance and audit requirements for operators of IoT systems. Many stem from the awareness that IoT systems are a primary attack surface for cyber criminals, and by mandating controls and data gathering about system operation it becomes easier to detect and thwart cyber attacks. As an example, the PCI (Payment Card Industry) standard has increased its focus on physical-security IoT systems as a path by which credit card data can be stolen, resulting in 37 specific controls over them.
By ensuring that every enterprise IoT device is visible, operational, and secured the Viakoo Action Platform can make proving compliance automated, efficient, and highly cost effective.
Wide Range of Compliance Requirements
Compliance and audit standards take many forms, and most companies are subject to several of them. Industry-specific standards, such as the North American Electric Reliability Corporation (NERC) CIP-014 standard, typically form the most detailed and specific audit requirements because there is a deeper knowledge of the overall environment.
The upcoming TIA 942 Edge Data Center standards are another example of this, where automated methods of gathering performance metrics, providing firmware updates, and managing certificates are required because edge data centers are assumed to be unmanned yet carrying sensitive information. Layered on top of industry-specific compliance standards are application-driven standards; PCI is a good example because use of credit cards spans many industries. Internal standards, such as those adopted for corporate governance, also apply in many industries. Taken together, IoT compliance and audit can be a never-ending chore without automation.
Automating Audit Data Gathering
With some compliance standards auditors can appear on your doorstep unannounced; will you have the data they need, and how much effort will it take to get it? IoT applications and devices require new approaches to ensuring the data is available to you. IT monitoring tools aren't compatible with IoT messaging protocols, and device-level "self-test" capabilities don't generate the right kind of data for system and application performance. Before the Viakoo Action Platform this data gathering would be manual and take days or weeks; by leveraging Digital Twin technology, data is gathered at multiple levels (device, application, network, location) and can be easily reported on.
Preventing Configuration Drift
A critical issue with judging compliance of distributed IoT systems is when the system is assessed. If it is assessed only at installation, what is to say it remains in compliance? In the IT community an often-used concept is “configuration drift”. Here’s the TechTarget definition:
With IoT systems there are many opportunities for configuration drift. To start, it is not one system; it’s a set of devices and systems coordinated together to make the application (e.g. recording video or granting access) function as it should. Motherboard temperature fluctuations, PoE switch overloading, memory corruption, bad sectors in storage, and a host of other device-level issues can impact the security application’s ability to run successfully on that infrastructure. The Viakoo Action Platform continuously analyzes your IoT system so that you know when parts of your system start to drift.
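Configuration drift is easiest to see as a diff between an approved baseline and what the devices report today. The script below is an added example, not Viakoo's code or part of the original page; the device IDs, settings and dates in it are constructed sample data. It compares the two snapshots setting by setting, and it also flags two kinds of drift that a plain diff misses: a device that has stopped reporting, and a certificate that has expired even though nothing on the device changed.

```python
"""
Added example (not Viakoo's code): detect configuration drift in a small
IoT device inventory by comparing today's snapshot against the baseline that
was approved at the last compliance assessment. All records are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Approved baseline (constructed): the settings the compliance policy cares
# about, recorded when the system was last assessed as compliant.
BASELINE = {
    "cam-01": {"firmware": "5.2.1", "ntp": "10.0.0.5", "https_only": True,
               "cert_expires": "2026-03-01", "location": "lobby"},
    "cam-02": {"firmware": "5.2.1", "ntp": "10.0.0.5", "https_only": True,
               "cert_expires": "2026-03-01", "location": "loading-dock"},
    "acs-01": {"firmware": "2.9.0", "ntp": "10.0.0.5", "https_only": True,
               "cert_expires": "2025-12-15", "location": "server-room"},
}

# Snapshot gathered from the devices today (constructed). cam-02 was rolled
# back and reconfigured, acs-01 has stopped reporting, and cam-03 appeared
# without ever being added to the approved baseline.
CURRENT = {
    "cam-01": {"firmware": "5.2.1", "ntp": "10.0.0.5", "https_only": True,
               "cert_expires": "2026-03-01", "location": "lobby"},
    "cam-02": {"firmware": "5.1.0", "ntp": "pool.ntp.org", "https_only": False,
               "cert_expires": "2026-03-01", "location": "loading-dock"},
    "cam-03": {"firmware": "5.2.1", "ntp": "10.0.0.5", "https_only": True,
               "cert_expires": "2024-01-01", "location": "parking"},
}


@dataclass
class Finding:
    device: str
    kind: str    # "changed", "missing", "unexpected" or "expired_cert"
    detail: str


def detect_drift(baseline: Dict[str, dict], current: Dict[str, dict],
                 today: date) -> List[Finding]:
    """Return every way `current` has drifted from `baseline` as of `today`."""
    findings: List[Finding] = []

    # 1. Devices in the baseline: changed settings, or not reporting at all.
    for dev, expected in baseline.items():
        actual = current.get(dev)
        if actual is None:
            findings.append(Finding(dev, "missing",
                                    "device in baseline is not reporting"))
            continue
        for key, exp_val in expected.items():
            act_val = actual.get(key)
            if act_val != exp_val:
                findings.append(Finding(dev, "changed",
                                        f"{key}: {exp_val!r} -> {act_val!r}"))

    # 2. Devices reporting that were never approved.
    for dev in current:
        if dev not in baseline:
            findings.append(Finding(dev, "unexpected",
                                    "device reporting but not in approved baseline"))

    # 3. Time-based drift: a certificate expires with no change on the device.
    for dev, cfg in current.items():
        expires = date.fromisoformat(cfg["cert_expires"])
        if expires <= today:
            findings.append(Finding(dev, "expired_cert",
                                    f"certificate expired {expires.isoformat()}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, e.g. for a compliance dashboard or alert."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in detect_drift(BASELINE, CURRENT, date(2025, 6, 1)):
        print(f"{f.device:8} {f.kind:13} {f.detail}")
    print(summarize(detect_drift(BASELINE, CURRENT, date(2025, 6, 1))))
```

Run as-is, the script reports six findings: three changed settings on cam-02, acs-01 missing, cam-03 unexpected, and cam-03's expired certificate. In practice the baseline would be the last approved snapshot kept under change control, and the comparison would run on a schedule so that drift is caught when it starts rather than when an auditor arrives.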
Creating a Historical Record of Operations
A major benefit of compliance reporting is the ability to assess IoT performance over time. Not only is that data useful for benchmarking, it can also be used to perform lifecycle management and in deciding where to allocate resources. With traditional IT systems there is often a built-in assumption of the useful product life and when replacements will be needed. Distributed IoT is different, with devices placed in service without a record of when it happened and without an assumed end-of-life date. Likewise, when an IoT system falls out of compliance the historical record can help guide the type of fix needed and minimize “rip-and-replace” scenarios. This makes monitoring historical trends that much more important for distributed IoT systems.
Improving Communications and Transparency
Many compliance and audit standards include reporting requirements, either by delivering data to an auditor or by communicating that data on a regular basis. The ideal mechanism for reporting is one that is automated and delivers the data in a format usable by the auditor. Having a consistent method of gathering and distributing information helps in meeting required reporting obligations (for example, Clery Act reporting for higher education organizations), and also in building confidence in the data itself.
Always Be Compliant
Compliance is not a one-time event. At the heart of most compliance and audit requirements is the safety and security of the organization, and helping the organization be resilient to failures or out-of-bound performance. Knowing as quickly as possible when a critical IoT system falls out of compliance can both prevent a catastrophe and lead to less expensive remediation. Waiting for an auditor to find an issue can be expensive; with a PCI audit failure the typical cost to remediate is over $200,000. The Viakoo Action Platform has built-in alerting mechanisms to ensure your team knows immediately if there is a compliance issue (and can generate fix-it recommendations to minimize the time your system is out of compliance).
Distributed IoT Devices Can Rapidly Spread Cyberattacks
Because distributed IoT devices are used in coordination with other IoT devices, there are readily available communication paths between them, and those same paths let a compromise spread quickly. The nature of these attack surface vulnerabilities involves class breaks, where the compromise of a single device enables access to an entire group of devices. This also allows simultaneous access to a large set of devices all at once, usually because there is no warning or alert about the initial compromise, but also because there is not enough time after the first compromise for the rest of the devices to have their passwords or firmware changed manually.