IoT technology , Merging the boundaries of the physical and digital worlds .

In recent years , Smart home 、 Smart city 、 Industrial Internet 、 Smart medicine and other fields are developing rapidly .IoT Technology is based on connectivity 、 Data as the core , Improving the quality of public life 、 Increase the production efficiency of enterprises 、 In the scene of optimizing the government's public management, breakthrough value creation has been realized , Gradually becoming an indispensable infrastructure in the new era .

But technology and security are always one and two sides . The application of any new technology , Will inevitably bring new security risks and challenges .IoT Technology is no exception , The security risk brought by it also presents new characteristics ：

• IoT It's less difficult to attack ： Attackers can get more attack entrances and objects from distributed IOT terminals .
• IoT The cost of defense is higher ： Internet of things terminal is limited by its power consumption and computing power , It is often difficult to apply existing defense technologies directly .
• IoT Attacks are more dangerous ： The fusion of physics and digital , So that malicious attackers can really bring greater damage to the physical world .

For enterprise security managers , In business, embrace IoT An era of technological change , How to make its security capabilities quickly match new business scenarios , Continue effective safety control level , Is becoming its core goal and focus .

Tencent security expert consulting center , combination IoT Relevant standards and standards at home and abroad IoT Best practices , How to build IoT Safety capability system , Release the overall competency list and guidance framework , Draw as universal IoT Safety capability map , It aims to help enterprises transform and upgrade their security capabilities in the era of Internet of things .

Pay attention to Tencent security （ official account ：TXAQ2019）

reply 【IoT Safety capability map 】 Get the original

tencent IoT The safety capability map proposes six capabilities ：IoT Security governance capability 、 Trust chain building capabilities 、 Value chain protection capability 、IoT System “ Tube end ” Security control capability 、IoT System lifecycle management capabilities 、IoT System security operation capability .

• IoT Security governance capability , It's high-level risk management capability and organization 、 Process guarantee mechanism , In order to establish a right to IoT Effective risk analysis 、 evaluation 、 Disposal and monitoring capabilities .
• through “ At the end of the cloud tube ” Trust chain construction ability and value chain protection ability throughout the data life cycle , The main emphasis is on the overall perspective , stay IoT Between the capability components of the system and the participants , Establish a trusted network and business connection , And based on its core business value protection , Yes IoT The system collects and processes data to establish a complete life cycle management and control capability , The construction of these two capabilities needs to be fully connected IT and OT The boundary of technology , Comprehensive consideration from the perspective of corporate governance .
• IoT System “ Tube end ” Security control capability , focusing IoT Technology is different from tradition IT The characteristics of Technology , For which “ Tube end ” The characteristics of business scenarios give specific requirements for control capability .
• IoT System life cycle management capability and IoT System security operation capability , Positioning on IoT Security governance requirements and the above three capabilities are in IoT Effective implementation in system construction 、 And continuous monitoring and disposal in the operation process .

One 、IoT Security governance capability

The core of any information security governance capability , Both are effective identification and continuous management and control of risks ,IoT Security is no exception . The focus of the ability building is to establish the enterprise level target IoT Risk management and control system , And match the organization 、 personnel 、 Process and supervision . The construction of these capabilities , It's independent of specific IoT Systematic , But it's a specific system IoT The essential basic support for safety .

Besides ,IoT Security governance does not need to be independent of IT Security Governance , Its high-level risk management 、 Principles and policies should be unified , But at the normative and process level , We should establish differentiated requirements and integration support mechanism based on the characteristics of each business .

Two 、 through “ At the end of the cloud tube ” The ability to build trust chain

Based on connection IoT System , It often involves clouds 、 tube 、 edge 、 End 、 Complex and flexible business interaction scenarios between people , And the construction of its core competence , In many cases, it needs to be done with other IoT Establish more business and data interaction between systems or third parties . These complex connections and business logic , It's the target of most malicious attackers , Counterfeiting 、 control 、 espionage 、 Tampering and so on .

therefore , Through effective identity governance 、 Trusted computing 、 Authentication and AI The construction of behavior analysis ability runs through “ At the end of the cloud tube ” Trust chain , It's bound to be IoT The core competence of security , Only make sure you can be trusted IoT The various capability components and services of the system , Only the complex business built on it can obtain the basic security guarantee .

3、 ... and 、 Value chain protection capabilities throughout the data lifecycle

IoT The core value creation of the system , Highly dependent on information and data acquisition over digital connections 、 transmission 、 Analysis and disposal , And this is another object that is closely watched by malicious attackers . Protection of core business values , Data asset sorting and data flow analysis based on business scenarios are indispensable . Only when the object of protection is clearly identified , And security and compliance risks identified based on data flow analysis , Only in this way can the data and the services it carries be effectively guaranteed .

The value chain protection capability revolves around the data life cycle , And focus on CII and PII Data compliance , from IoT System design stage , Security and compliance requirements should be integrated into the business and scenarios , Instead of relying on the added data security products to provide corresponding protection .

Four 、IoT System “ Tube end ” Security control capability

IoT System “ Tube end ” Security control capability focuses on IoT The system is different from the traditional IT Characteristics of the system , For the end side and pipe side components scattered in uncontrollable space , Put forward specific ability requirements . Different from the first two global capabilities ,IoT System “ Tube end ” Security control capabilities are often embedded in IoT In the product solution of terminal or network service provider .

For business managers , More importantly, the ability is based on reality IoT Security risks in business scenarios , According to this atlas, it is suggested to evaluate the completeness of the manufacturer's scheme . In the medium and long term ,IoT In the construction of safety capability system , It can be set up by supervision and evaluation institutions IoT System “ Tube end ” Evaluation and endorsement of safety control ability , In order to reduce the investment of enterprise safety managers in the evaluation of specific technical details .

5、 ... and 、IoT System lifecycle management capabilities

IoT System lifecycle management capability is a process capability , It emphasizes that security managers should be in IoT The system design 、 Building 、 In the whole life cycle of use and waste , Establish continuous security risk identification 、 Tracking and disposal capabilities .

Especially in the stage of system design and construction , Fully built in safety control measures IoT In the logic of the system itself , Instead of relying too much on additional security products . Besides , Most of the IoT Long and complex upstream and downstream ecosystems and supply chains , Then it puts forward more strict requirements for supply chain security management capability .

6、 ... and 、IoT System security operation capability

Similar to governance ,IoT System security operation capability is also not subordinate to a specific IoT System , And the same advice and IT Synchronous operation capacity building , It is the basic support for the effective and continuous operation of other security capabilities mentioned above , The importance cannot be ignored .

IoT System security operation ability , In addition to basic safety operation monitoring 、 Beyond threat and vulnerability management , A very important feature is , Special attention should be paid to the ability to isolate and protect the core business , Avoid information security incidents extending to major personal 、 Production and national security incidents .

publisher ： Tencent security expert consulting center —— LV Yiping 、 Chen Haoming 、 Cao Jing 、 Tian Li 、 Zhang Kang 、 Zhu Xinxin 、 Dong Linnan

Tencent security IoT Security salon experts —— Ke Haoren 、 Lin Zhiyong 、 Su Hongjiang 、 Li Jin 、 Tan Yi 、 Wu Peng 、 Qiao Guanlin 、 Sun Xuelai 、 Zhou Zhijian 、 Zhang Jinchi 、 Luo Kefeng 、 Yang Xiangjun 、 Chen Kai 、 Fu Pengjun 、 Sun Qiang 、 Li Feng 、 Sun Xiaoqi 、 Chen Xianping 、 Zhang Fuchuan 、 Pang Jianrong （ In no particular order ）

Welcome to join Tencent IoT Technology discussion group , Discuss together IoT Capabilities and technical practices .

Scan QR code into group

Or add a little assistant wechat 【 tencent_security】

send out 【IoT Security 】 Into the group of