Due to the rapid evolution of technology, the Internet of Things (IoT) is changing the way business is conducted around the world. This advancement and the power of the IoT have been nothing short of transformational in making data-driven decisions, accelerating efficiencies, and streamlining operations to meet the demands of a competitive global marketplace.
IoT At a Crossroads
IoT, in its most basic terms, is the intersection of the physical and digital world with distinct applications and purposes. It is devices, sensors, and systems of all kinds harnessing the power of interconnectivity through the internet to provide seamless experiences for business.
Up until today, we, as security professionals, have been very good at writing about the numerous and varying IoT applications and uses and have agreed upon the fact that the security of the IoT is important. However, have we really understood the big picture? And that is for IoT to really reach its full potential as a fully interconnected ecosystem, cyber security and the IoT must be synonymous and interdependent to be truly powerful.
So, it would only seem natural that many experts believe that IoT is at a major crossroads. On the right is the singular value the IoT brings amid isolated clusters, and on the left is the potential to unlock its true value as a powerful and far-reaching, fully interconnected IoT ecosystem. The question is, which road will it take? I believe that the answer lies in between trust and IoT functionality with cyber security risk as the core obstacle in the middle standing in the way of a successful integrated whole.
Should this homogeneous partnership occur, it would be a monumental change and breakthrough across industries and key applications such as manufacturing, banking, healthcare, and the logistics and supply chain. But today’s IoT and cyber security ecosystem is fragmented and there will be obstacles to overcome to achieve this transformation.
Adoption of the IoT
IoT continues to expand across almost every industry vertical, but it hasn’t yet scaled as quickly as expected. The goal is an environment in which devices and their functionality move seamlessly from the physical world into one that is identified, trusted, and authenticated.
The growing maze of connected devices and the complexity of IoT use create many opportunities for vendors and contractors in the supply chain, but they also create the risk of catastrophic vulnerabilities and consequences for businesses. This was made evident by the massive SolarWinds supply chain breach. The IoT risk profile is often much higher than that of enterprise IT, because a cyberattack that takes control of the physical operations behind the IoT yields a higher profit and a more significant gain in the eyes of an attacker.
Therefore, traditional approaches to security in the IoT don’t support a secure and seamless transmission of information, data, or functionality from one point to another. This requires an early-stage integration of cyber security in the actual IoT architecture design and pilot phase.
A recent IoT buyers report outlined that there is little multi-layered security embedded in today’s IoT solution designs. This leads to vulnerabilities that, in turn, require over-the-air updates and patches, which can’t be reliably implemented. In comparison to enterprise IT, solution design in the IoT space lags in security assurance, testing, and verification.
Interoperability is another challenge solution providers must overcome alongside cyber security integration during the early stages of IoT implementation. Therefore, it should not come as a surprise that we, as solution providers, have drastically underestimated the importance of IoT trust and cyber security with a mentality of “build it first and cyber security will follow.” But this is exactly what is impeding the acceleration of IoT adoption, with many industries still in doubt, not over the value and worth of IoT, but over the cost of implementing an IoT system that is not truly trustworthy or secure.
From Siloes to Collective Decision-Making
So, where does this leave us? This IoT conundrum reminds me of a time when security operations (SecOps) and applications developers (DevOps) also worked independently from one another in siloes. These two teams were not trying to solve security problems collectively nor share the information and decision-making necessary to make the software development life cycle (SDLC) an integral consideration in security decision-making. Rather, it was an afterthought that was often disregarded.
To address cybersecurity concerns, a unified decision-making structure was created between the applications development and design teams and cyber security operations to assume a required mindset to influence security for enterprise applications. These teams now work together to embrace security decisions alongside application development and design. IoT and cyber security teams must also make this collaborative leap to garner the same long-term advantage and reward.
It is estimated by some reports that by 2030, the IoT supplier’s market is expected to reach approximately $500 billion. In a scenario in which cyber security is completely managed, some reports indicated executives would increase spending on the IoT by an average of 20 to 40 percent. Moreover, an additional five to ten percentage points of value for IoT suppliers could be unlocked from new and emerging use cases. This implies that the combined total addressable market (TAM) value across industries for IoT suppliers could reach in the range of $625 billion to $750 billion.
Addressing Critical Factors to IoT Market Adoption
IoT adoption has accelerated in recent years, shifting from millions of siloed IoT clusters made up of a collection of interacting, smart devices to a fully interconnected IoT environment. This shift is happening within industry verticals and across industry boundaries. By 2025, the IoT suppliers’ market is expected to reach $300 billion, with 8 percent CAGR from 2020 to 2025 and 11 percent CAGR from 2025 to 2030.
The future adoption of the IoT relies upon the secure and safe exchange of information within a trusted and autonomous environment, one in which interconnected devices communicate across unrelated operating systems, networks, and platforms. Such an environment enables designers and engineers to create powerful IoT solutions while security operations ensure a secure, seamless end-user experience.
This will help to address critical factors such as:
- Security Concerns: Security is a significant issue in IoT, as many interconnected devices create more potential entry points for hackers. Concerns about data breaches, privacy and confidentiality of data, and the potential for cyberattacks are significant barriers to be addressed.
- Privacy Concerns: IoT devices often collect and transmit vast amounts of personal data. Concerns about the privacy of this data, as well as how it is used and who has access to it, can inhibit adoption. Data protection regulations like GDPR in the European Union and various privacy laws globally also play a role in shaping IoT adoption.
- Interoperability: IoT devices come from various manufacturers and may use different communication protocols and standards. Achieving interoperability between these devices is a challenge, making it difficult for organizations to build comprehensive, cross-compatible IoT systems that are secure.
- Lack of Standards: The absence of universally accepted standards in the IoT industry can hinder compatibility and create confusion for businesses and their supply chain partners. Efforts to establish common IoT standards across the IoT value chain would bolster its adoption.
- Data Management: IoT generates massive amounts of data, which can be overwhelming for organizations. Managing, storing, and analyzing this data can be a challenge, and many organizations may lack the necessary infrastructure and security expertise necessary to maintain this data and keep it safe from potential security threats.
- Regulatory Hurdles: Regulatory environments can vary significantly from one region or country to another, making it challenging for companies to navigate and comply with the various laws and regulations related to IoT. Ensuring that the safe transmission and exchange of data between IoT devices complies with these regulations will be just as important as the security infrastructure required to do so.
The Role of Cyber Security
In a recent survey across all industries, cyber security deficiencies were cited as a major impediment to IoT adoption, and cyber security risk was named as the top concern. Of these respondents, 40 percent indicated that they would increase their IoT budget and deployment by 25 percent or more if cyber security concerns were resolved.
In addition, the specific cyber security risks that each industry is addressing will vary by use case. For example, cyber security in a healthcare setting may entail virtual care and remote patient monitoring, where data confidentiality and availability become the priority. In banking, with the rise of APIs to accommodate increasing demands for more financial services, privacy and confidentiality have become a priority due to the storage of personally identifiable information (PII) and contactless payments that depend heavily on data integrity.
In 2021, annual growth of more than 10 percent in the number of interconnected IoT devices led to higher vulnerability to cyberattacks, data breaches, and mistrust. By now, we as security professionals understand that the frequency and severity of IoT-related cyberattacks will increase, and without effective IoT cybersecurity programs, many organizations will be lost in a localized production world where risk is amplified and deployment is stalled.
As pointed out, IoT cyber security solution providers have tended to treat cyber security separately from IoT design and development, waiting until deployment to assess security risk. We have offered add-on solutions rather than these solutions being a core, integral part of the IoT design process.
One way to change this approach is to embed all five core functions defined by the National Institute of Standards and Technology (NIST) in its Cybersecurity Framework:
- Identification of Risks – Develop an organizational understanding to manage cyber security risks to systems, assets, data, and capabilities.
- Protection Against Attacks – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detection of Breaches – Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
- Response to Attacks – Develop and implement the appropriate activities to take action regarding a detected cyber security incident.
- Recovery from Attacks – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident.
To make cyber security a pivotal part of IoT design and development, we can consider the following mitigating actions:
Penetration Testing: To identify potential security gaps along the entire IoT value chain, penetration testing can be conducted early in the design stage and again later in the development process. As a result, security will be sufficiently embedded to mitigate weaknesses before the production stage. Flaws in the software design will have been identified and fixed, allowing the device to comply with the most recent security regulations and certifications.
Automated Testing and Human-delivered Testing: Aspirations of IoT-specific certification and standards embedding security into IoT design practices may one day lead people to trust IoT devices and authorize machines to operate more autonomously. Given the different regulatory requirements across industrial verticals, IoT cyber security will likely need a combination of traditional and human-delivered tooling, as well as security-centric product design.
Attack Surface Management (ASM): ASM approaches IoT by identifying actual cyber risk, finding exposed IoT assets and their associated vulnerabilities. This IoT asset discovery process allows for the inventory and prioritization of the assets at the highest risk of exposure and for mitigating the weaknesses associated with those assets before an incident occurs.
Holistic CIA Approach: Cyber security for enterprises has traditionally focused on confidentiality and integrity, while operational technology (OT) has focused on availability. Since cyber security risk for the IoT spans digital security to physical security, a more holistic approach should be considered to address the entire confidentiality, integrity, and availability (CIA) framework. The cyber risk framework for IoT should consist of six key outcomes to enable a secure IoT environment: data privacy and access under confidentiality, reliability and compliance under integrity, and uptime and resilience under availability.
What Is Next?
There is a strong realization that IoT and cyber security must come together to drive security measures and testing earlier in IoT design, development, and deployment phases. More integrated cyber security solutions across the tech stack are already providing IoT vulnerability identification, IoT asset cyber risk exposure and management, and analytic platforms to provide the contextual data needed to better prioritize and remediate security weaknesses. However, not enough security solution providers are building holistic solutions for both cyber security and the IoT due to its complexity, different verticals, systems, standards and regulations, and use cases.
There is no doubt that further convergence and innovation are required to meet IoT cyber security challenges and to address the pain points among security and IoT teams, as well as internal stakeholders who lack consensus on how to balance performance with security.
To unlock the value as an interconnected environment, cyber security is the bridge in which to integrate trust, security, and functionality and accelerate the adoption of the IoT. Siloed decision-making for the IoT and cyber security must converge, and implementation of industry-specific architectural security solutions at the design stage should become standard practice. By working together to merge the pieces of the fragmented IoT model, we can put cyber risk at the forefront of the IoT to generate a powerful, more secure, and effective interconnected world.
BreachLock is a global leader in PTaaS and penetration testing services as well as Attack Surface Management (ASM). BreachLock offers automated, AI-powered, and human-delivered solutions in one integrated platform based on a standardized built-in framework that enables consistent and regular benchmarks of attack tactics, techniques, and procedures (TTPs), security controls, and processes to deliver enhanced predictability, consistency, and accurate results in real-time, every time.
Note: This article was expertly written by Ann Chesbrough, Vice President of Product Marketing at BreachLock, Inc.