The cybersecurity landscape is in a constant state of flux, one that has advanced rapidly as cyberattackers and defenders engage in a digital arms race. Historically, cybersecurity threats were limited to computer viruses, with the motivations behind them ranging from geeks in the attic writing them simply because they could to more malicious efforts to take over other people’s PCs for monetary gain.
Today, however, the threat landscape is far more sinister, with highly targeted and socially engineered malware and phishing scams designed to trick, steal, ransom or simply destroy user data. What’s more, it’s all backed by increasingly tech-savvy organizations, from nation-state actors to highly organized crime syndicates, offering out-of-the-box, turnkey attack packages, supported by 24/7 customer service, enabling even the hardiest of luddites to launch a cyberattack.
As if this wasn’t enough, the internet of things has greatly amplified the complexity of the cybersecurity threat landscape, leaving businesses around the world in a spin as they reevaluate the necessary people and service skills, structures and approaches to security in an effort to shore up their defenses.
However, despite this apparent awareness of the risks IoT represents if not secured, the desire to innovate and compete seems to override much of this concern, with many businesses moving to adopt IoT technologies regardless of the risks.
In fact, a recent AT&T Cybersecurity Insights Report, which surveyed more than 5,000 enterprises around the world, found that although 85% of enterprises are in the process of deploying or intend to deploy IoT devices, only 10% of those surveyed felt confident that they could secure those devices against hackers.
The IoT security ecosystem
As with any industry, no single vendor can be solely responsible for IoT security. There are far too many technologies built to different standards and specifications by multiple vendors, making it impractical for one company to provide a holistic security solution alone.
This always-on, anywhere connected environment in which we live is no different. We rely on multiple technologies and services from multiple vendors that have access to some of the most personal aspects of people’s lives — from finance to healthcare information.
So how can businesses secure IoT?
Years past saw these vendors working in isolation, zealously protecting their IP in an effort to stay competitive. However, as it soon became clear how exposed this approach was leaving them and their end users to potential security threats, they understood that a more collaborative approach was required if they were going to secure IoT across the value chain, while safeguarding their technology, end users and brand reputations.
In short, they understood that delivering secure IoT services takes a village, and they need to work in closer cooperation with the other players in the security ecosystem. To do this, they had to break down traditional working barriers and silos, and move instead to a relationship of closer cooperation — enabling them to make connected experiences happen not just seamlessly, but securely.
This “village” took the form of an ecosystem of interdependent players, ranging from device manufacturers to network service providers, all working together to proactively collaborate on their security developments, baking security in and aligning it at the foundational level to deliver a robust end-to-end IoT security capability.
This IoT security ecosystem typically includes:
- Device manufacturers — They produce hardware equipped with communications modules, sensors and software for a specific purpose, which can be embedded into the “things” to be connected (e.g., cars, home objects, industrial robots, vending machines, point-of-sale terminals, municipal sprinkler systems, even livestock). Internet connectivity enables the transfer of data to and from the device, bringing the IoT services to life. Security at the device layer is mission critical as it impacts so many other parts of the overall solution.
- Application developers — In-house or third-party partners providing software for a device, through which IoT services are delivered.
- Enterprises — The organization deploying connected devices needs security protocols to protect not only the data transmitted to and from devices, but also to safeguard their IT infrastructure interacting with and managing the devices.
- Network providers — There are many ways to connect devices — Wi-Fi, Bluetooth, satellite, mobile (cellular), low-power wide-area networks (LPWAN), etc. Protocols and safeguard procedures, whether encryption standards, firewalls or SSL VPN, depend on the type of connectivity being used.
- Cloud providers — There are a range of IoT software platforms used in IoT deployments. There are those that collect and process data from an enterprise’s deployed connected devices, and those that remotely monitor and manage the connectivity of deployed devices. Depending on the platforms and their intended use, providers need to implement stringent security controls to protect both the data and the enterprise customer.
- Security companies — Device software, cloud platforms and enterprise IT may also benefit from a protective layer with industry-leading security software from companies like Kaspersky or Symantec. While these solutions are effective in local environments, they’re only a small part of the overall security ecosystem required for running an IoT business.
- Standards bodies — Numerous national and international councils help drive recommendations and requirements for security protocols related to each layer. A well-known example in the payments space is the PCI Security Standards Council (for point-of-sale devices), which monitors threats and advocates standards to help businesses protect sensitive payment card data.
It’s only by having a joined-up approach to security across the entire IoT technology and value chain that IoT can truly be secured.
Remove just one of these players from the ecosystem and the potential risks are enormous. One weak link potentially exposes players across the entire chain. Only a “united we stand, divided we fall” approach to IoT security will help ensure that a robust IoT security policy succeeds.
Mastering IoT security strategy
While the promise of IoT is astronomical, enabling every company to become a connected service business, companies need to make sure they can walk before they start to run in the IoT world. Today’s increasingly competitive market means that now more than ever companies will look at ways to increase margins, drive down costs and create new, previously untapped revenue streams to help them make their quarterly numbers.
To this end IoT represents the current golden goose of the IT world, and indeed it should as the earning potential it has to offer businesses is unparalleled. However, for others who do not proceed with the caution required, it represents the siren’s call, mesmerizing unsuspecting businesses and luring them into perilous waters.
But all is not lost, and for those businesses that are serious about adopting a successful and secure IoT strategy, there is an IoT security checklist from Cisco Jasper that businesses can follow to help set them up for success when it comes to implementing an IoT strategy.
The IoT security checklist:
- Evaluate the end-to-end identification and authentication of all entities involved in the IoT service (i.e., gateways, endpoint devices, home network, roaming networks, service platforms)
- Ensure all user data shared between the endpoint device and back-end servers is encrypted
- All “personal” and regulated data should be stored and used according to local privacy and data protection legislation
- Utilize an IoT connectivity management platform and establish rules-based security policies so immediate action can be taken if anomalous behavior is detected from connected devices
- Take a holistic approach that takes into account digital measures (firewalls, VPNs, encryption, two-factor authentication, etc.) as well as non-digital measures that reflect organizational attributes, such as role-based access and audit trails.
For true end-to-end IoT security to take effect, all players in the ecosystem need to step up and take responsibility for their piece of the IoT pie. Only by ensuring they have a solid IoT security strategy and checklist in place can businesses set themselves up for success when it comes to deploying IoT initiatives.
But as enticing and innovative an opportunity as IoT represents to businesses, if not treated with the respect it warrants, it could prove costly. The security threats posed by IoT today are very real and present issues that, if left unresolved, will dent the industry’s confidence. This could hold IoT back from achieving its full potential.
Only by understanding and accepting that security concerns affect every player and every layer of the IoT ecosystem can IoT truly be the effective, innovative and secure revenue-generating force that businesses need it to be.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.