Why is Shadow IoT the next big threat to IoT?
For those who are unfamiliar with the term Shadow IoT, I started using it a few years ago to point out one of the forgotten challenges of IoT. (even registered the .com domain).
First of all, what is Shadow IoT?
It is clearly derived from shadow IT, which is a term that refers to information technology systems deployed by departments other than the central IT department, to work around the shortcomings of the central information systems.
Shadow IT systems (just like shadow IoT) are an important source of innovation, and shadow systems may become prototypes for future central IT solutions.
On the other hand, shadow IoT solutions increase risks with organizational requirements for control, documentation, security, reliability, etc.
This analogy is usually abundantly clear,
but still a lot of companies haven’t made resources available to tackle the challenge.
Will history repeat itself?
What are we seeing today on the IoT front?
Different solutions are entering the work floor, often driven by the needs for active monitoring, optimization, to support new business models etc..
I want to start with advice in the beginning of the article…
Dare to push the “Pause button” until it is clear how you will manage and support IoT solutions (and who will guide you during this process).
“Who should push the button?” is the same “Who” I’m writing this article for.. (the one that has most to lose is all goes south).
Most organizations instinctively look to the It departments as the “who”,
but do they have the correct technical background to evaluate all the IoT challenges?
IoT is just an “o” away from IT, right?
“Can a digital door lock be hacked with a magnet?”
Finding this out is usually not part of the skillset of an IT manager.
I don’t think that IT is the only one that should come up with an answer, it is a team effort with distributed responsibilities.
However, putting a strategy in place to detect risks and normalize IoT SHOULD fall under the FINAL responsibilities of the IT or innovation manager.
So an IT manager will always be part of the solution and they should be part of enforcing the rules, but they should not do this on an island.
A strategy and vision that transcends the IT department is needed if you want to avoid shadow IoT.
The question remains “why” shadow IoT poses a risk and why it should not be ignored?
Let’s start with some of the short term risks caused by Shadow IoT.
- Security: some technologies allow to connect directly to your network and without the right security protocols, network separation, this can create an entry point for malware.
- Unlike pc’s and servers (that are not physically accessible), IoT devices are often placed in publicly accessible areas. Risking physical hacking.
- Integration – going towards a data driven organization means you need to have access and interact with the data. Not all IoT solutions from 3rd parties are easy to integrate with but also here there could be a security risk.
- GDPR – the solution might need to become part of your GDPR strategy, “3rd party hosted” does not absolve you.
- Legal – certainly for new solutions, the legal implications, contracts might not be in sync with the risks and liabilities.
- IoT evolves quickly, the solution of last week might not be the best one for next month so keeping flexibility is part of a good architecture. (the solution of last week might also not exist any more next week).
I’ll give one example to make you understand this is not a theoretical threat:
for physical hacking ,
I once evaluated a solution with an asset that moved around and that was able to connect to all different WIFI networks of the different branches of the company.
Getting hands on this device allowed to extract all the networks and network access protocols. The device itself was safe and shielded but the solution was not.
Operational challenge caused by Shadow IoT
Here it becomes even more clear.
Without an IoT strategy or policy the management of multiple solutions will become a nightmare..
- 10 different solutions means 10 different integrations, 10 different platforms, 10 different ways to monitor. 10 different solutions to secure.
a simple example, integrations with planning tools, ERP or making data available for maintenance teams (internal or external) might prove impossible or just too costly.
as a side note: It will not be 10 but more likely 50 solutions that will be added over the next years..
How to solve the risk of Shadow IoT?
There is not a single pill that solves this issue.
In my next article (part2), I’ll go over different elements and steps you can take to keep your organization safe and free from shadow IoT.
Enterprise architecture, Business process modeling, Complex Transformation, IoT deployment and management, “IoT” Data integration, should be part of your vision and strategy.
I’ll do this based on the experience with the toolsets of Software AG (Aris, Alfabet, Webmethods & Cumulocity) as they offer some of the easiest and best IoT integration tools in the market but if you use your existing ones, the principles remain the same.
Kris Van der Hoeven