With the number of Internet of Things (IoT) endpoints set to grow from 8.4 billion in 2017 to 20.4 billion by 2020, according to Gartner, an attack surface is being created on a scale that has never been seen before.
IoT security attempts to address the protection of, and the threats from, a growing number of devices and systems in industrial, commercial and consumer environments. Current use of IoT security, however, remains surprisingly small, despite being one of the highest concerns. There’s little real action.
In Gartner's latest Internet of Things Backbone Survey, security was cited as the top barrier to IoT success (35 percent), with privacy concerns (25 percent) and potential risks and liabilities (25 percent) all in the top five.
If security and risk managers don’t address the following five key IoT security challenges, they’ll leave their business open to risk.
1. Lack of scenario or vertical focus
Product and service vendors are paying little attention to project- or vertical-specific requirements for IoT security. Traditional IT security vendors tend to reshape their existing offerings, while new market entrants choose particular layers of security to address specific verticals or specific requirements.
Develop methods for matching providers to specific IoT security scenarios by taking lessons from OT (operational technology) and physical security.
Recognise when there are unique IoT requirements due to the device, network or scenario. Traditional IT security requirements can be addressed with modification to your existing IT security capabilities, such as the networking or authentication methods used.
2. Vertical security patterns don’t exist yet, but are evolving
While traditional IT security has created a set of common security "patterns" for general-purpose platforms based on the server or variants such as mobile phones and tablets, such patterns for vertical-focused IoT deployments don’t exist.
IoT devices used in most projects aren’t general-purpose platforms. Some device classes, particularly simple sensor- and actuator-based platforms, are “fit-for-purpose.” For example, some possess minimal data storage and limited memory and processing. Some may function only on cellular or Bluetooth networks.
These fit-for-purpose platforms can and do alter the traditional security patterns of established IT security. This requires an extension or new approach to providing end-to-end IoT security where such devices or systems are involved.
3. Lack of skill sets to support IoT security
While IT security has served all types of industries for decades, at least two distinctive cultures have made use of computing technologies – an information-centric culture that uses primarily IT security; and an engineering culture that uses some IT security and specialised systems that may require OT security for asset-centric industries such as utilities, transportation and manufacturing.
IoT itself is a successor in one sense to OT. This is particularly true in areas of endpoint security where OT utilises sensors and actuators routinely to manage physical state changes in machines and environments. IoT in this environment is called industrial IoT. Skills demands in this area are growing rapidly.
It’s important to gain new in-house IoT security skill sets to support critical assets and environments. You need to modify skills training to adjust to a new reality, leveraging experiences of industrial automation and control organisations in highly decentralised implementations. Mobile and cloud-based security training frameworks can be used as good starting points, as those IT specialities will be used frequently in IoT implementations.
4. Regulatory and market pressures are growing
Regulatory concern regarding the impact of IoT on industrial, commercial and consumer environments is growing. Media reports of compromises of those devices are increasing.
In addition, early indicators in utilities and healthcare are fuelling the debate around security certifications of devices, particularly for consumer and healthcare devices. These services are growing under regulatory and market pressures to address specific vertical needs for IoT security and provide standardisation for different industries.
Use security testing and certification services as starting points for tool and service evaluation in early IoT initiatives. Even if the services aren’t required or used, their structure and approach can be useful in shaping internal testing or certification processes. Also, monitor the evolution of regulations and guidance within your industry to assess possible timeframes.
5. Lack of standards and frameworks
Technical standards and frameworks for IoT security are almost non-existent or exist only as beta editions, as do security testing and certification. As more industry vertical frameworks are published as guidance and regulation, the services will become more structured and standardised. But the industry is still moving faster than the slow pace of standardisation.
Be pragmatic in your use of technical standards and frameworks for IoT security at this stage. While there are some available, consider the current vendors' dependence on specific proprietary ecosystems and the notable immaturity of those standards.
Prepare to re-architect as standards change. Identify and review consortia efforts at the framework level within your vertical industry. Choose the technical standards group with working groups specific to your IoT scenario to determine progress and efforts.
About the author
Earl Perkins is a research vice president at Gartner. He advises clients on integrated risk management (including operational risk management), as well as cybersecurity and digital security strategies. Earl will be presenting at Gartner Security & Risk Management Summit in Sydney, 20-21 August 2018.