7 Core Cultural Concepts
Exosite

August 22, 2017

7 Core Cultural Concepts of IoT Security: Social Principles for Safety

When most people think about security, their brain often defaults to the technology considerations. We’ve discussed the technology concepts, but security is also heavily reliant on the social principles. This blog focuses on the equally important, yet often overlooked, aspect of a comprehensive IoT security strategy—the company culture and values that must be in place to support the technology components of IoT security. There are 7 core cultural concepts that you should encourage as you implement your IoT security.

Principles for a Strong IoT Security Culture

These principles owe their inspiration to an industry that has successfully put safety and configuration management at the center of its focus for more than 40 years—nuclear power. The Institute of Nuclear Power Operations nuclear safety culture principles, which have been field tested in real-world conditions, provide a close parallel to the importance of control in industrial IoT applications and helped guide the creation of the seven principles below.

  1. Everyone is personally responsible for IoT security: Workers, users, and coders feel personally responsible for the safety and security of devices connected to a network. Every stakeholder takes the time to evaluate their impact on the security of the system and, those who can, design in safeguards when possible to protect against and minimize the potential impact of attackers.
  2. Leaders demonstrate commitment to IoT security: Leaders within organizations frequently mention security, sometimes as a stand-alone topic. They make time to train users and workers about the importance of security and the potential impacts of being an organization that is connected to an IoT platform. Leaders show, both verbally and by action, that security is a top priority.
  3. Decision-making reflects IoT security first: Security should be central to the delivery of an IoT product. All decisions made in regard to the IoT platform should prioritize security over the delivery of feature requests. When necessary, security should take priority over usability based on the level of risk associated with a data or control breach of the IoT application.
  4. IoT is recognized as special and unique: Companies that work with IoT should understand the seriousness of the devices and systems attached to the network. Identities, permissions, and user management should be treated with the utmost care and scrutiny. State changes of a device attached to an IoT application should be treated with the highest level of security possible.
  5. A questioning attitude is cultivated: Workers should feel empowered to ask questions of any aspect of a system they work with. They should feel encouraged to report any instance of abnormality and get a timely response to concerns. A questioning attitude cultivates a culture in which people are more cognizant of daily activities and, as a result, are more aware of irregularities that may give early indications of a breach.
  6. Organizational learning is embraced: All individuals connected to an IoT platform should understand their potential impact and have a thorough understanding of the components of an IoT system. Organizations should take time to educate and train their workers to better understand the common vectors of attack used by hackers, the role they play in prevention, and the appropriate processes in the event of a breach.
  7. IoT security undergoes constant examination: Improving security technology, spreading secure cultural ideals, and testing security should be a constant effort. A healthy security program consistently seeks opportunities to improve, test systems, and patch often. Workers should be encouraged to provide feedback for improvement and to take proactive security measures to keep ahead of attackers at every opportunity.

To read our full Best Practices to Build a Pragmatic Security Strategy for Industrial IoT, download your own copy. If you’d like to get started on your own IoT solution, feel free to try out an account on Murano, our secure IoT platform.