Almost four years ago, I wrote two posts in my IoT blog — “Are you prepared to answer the M2M/IoT security questions of your customers?” and “There is no consensus on how best to implement security in IoT” — explaining how important security is to fulfilling the promise of the internet of things.
I have been sharing my opinion about the key role of security in IoT with other international experts in articles including “What is the danger of taking M2M communications to the internet of things?” and at events including Cycon and the IoT Global Innovation Forum 2016.
Security has always been a tradeoff between cost and benefit; the opportunities generated by IoT far outweigh the risks.
But who cares about security in IoT?
A decade of breaches and the biggest attack target yet is looming
We all know the negative impact that news about cyberattacks has on society and enterprises. According to ICS-CERT, reported incidents rose from 39 in 2010 to 295 in 2015, in less than a decade.
In a survey published by AT&T, the company logged a 458% increase in vulnerability scans of IoT devices in the last two years.
It is a temptation for hackers to test their skills on connected objects, whether they are connected cars or smart home appliances. But I’m afraid they will go far beyond that, attacking smart factories, smart transportation infrastructure or smart grids. With millions of unprotected devices out there, and a multitude of IoT networks, IoT platforms and developers lacking security expertise, I believe the biggest attack target yet is looming.
With the internet of things, we should be prepared for new attacks and we must design new essential defenses.
The OWASP Internet of Things Project is designed to help manufacturers, developers and consumers better understand the issues associated with security in IoT, and to enable users in any context to make better security decisions when building, deploying or assessing IoT technologies.
Who owns the problem?
With IoT, we are creating a very complicated supply chain with lots of stakeholders, so it’s not always clear who “owns” the problem.
Manufacturers can’t divest themselves of responsibility simply because the homeowner bought several component parts from different retailers. As a manufacturer, you have a responsibility to ensure that your product is secure and reliable in every possible scenario and use case, which means that manufacturers need to work together to ensure interoperability — we all own the problem!
This might come as a shock to some companies or industries, but at some level even competitors have to work together to agree on and implement architectures and connectivity that are secure and reliable. Standardization is a good example of this. If you look at the companies actively working together in ISO, ETSI, the Bluetooth SIG and so on, they are often fierce competitors, but they all recognize the need to work together to define common, secure and reliable platforms around which they can build interoperable products.
If cybersecurity is already top of mind for many organizations, why the lack of security in IoT?
According to the AT&T State of IoT Security 2015 survey, 85% of global organizations are considering exploring or implementing an IoT strategy, but the bad news is that only 10% are fully confident that their connected devices are secure.
It scares me that only 10% of developers believe that most IoT devices on the market right now have the necessary security in place.
In a publication from Ernst & Young titled “Cybersecurity and the IoT,” the company defines three stages to classify the current status of organizations in the implementation of IoT security:
- Stage 1: Activate — Organizations need to have a solid foundation of cybersecurity.
- Stage 2: Adapt — Organizations must adapt to keep pace and match the changing business requirements and dynamics, otherwise they will become less and less effective over time.
- Stage 3: Anticipate — Organizations need to develop tactics to detect and deter potential cyberattacks.
What enterprises need to do
If you are thinking only about the benefits of IoT without considering security as a key component of your strategy, you will probably regret it very soon. Here are some recommendations to consider before you start your IoT journey; or, if you have already started, I hope it is not too late for wise advice:
- Adopt a comprehensive framework and strategy for IoT with end-to-end security and prioritize security as a key IoT technology element.
- Conduct a full audit and assess likely risks within IoT initiatives. Prioritize the opportunities and risks of deploying IoT.
- Bake security into devices and processes early. Include embedded device testing, firmware, protocols, cloud and application security assessments.
- Mobilize the larger workforce around IoT security.
- Bring partners up to rigorous security standards. Evaluate third-party partners with expertise.
- Rethink the roles of IT and OT.
With the proliferation and variety of IoT devices, IoT networks, IoT platforms, clouds and applications, we will see new vulnerabilities and a variety of new attacks over the next few years. The progress in security technologies and processes that prevent these attacks will be key for the adoption of IoT by both enterprises and consumers.
In the future IoT world, an end-to-end security approach is critical to protect physical and digital assets. The ecosystems of this fragmented market must understand the need for security by design and avoid the temptation to reduce costs at the expense of security.
Do not stop asking for security when you buy a connected product or use an IoT service; the pressures of time to market, competitive prices and lack of resources must not be an excuse for failing to offer secure IoT solutions to enterprises, consumers and citizens.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.