As the IoT ecosystem continues to grow, so does the importance of securing those IoT networks. According to Gartner, spending on IoT security solutions will reach $631 million by 2021. This is a significant leap from $91 million, which was spent in 2016, and this annual global spending statistic shows that IoT solutions are headed for a massive boom within the next decade.
According to Gemalto, another worrying stat, 48% of businesses admit that they cannot detect IoT security breaches on their network. Nearly half of the companies that use IoT can’t identify when their network is compromised. As more businesses invest in IoT technology, we can only hope that this number decreases.
According to Pieter Danhieux, the co-founder and CEO of Secure Code Warrior, an average building will have air conditioning, automated doors, surveillance cameras – many running on IoT systems. In the agriculture business, tractors, measuring devices and rainwater stations also run IoT.
“In homes today, you will find IoT in Christmas lights, door locks, etc. IoT has infiltrated both enterprise and our personal lives, which is a good thing because it allows us to do many, many great things. But it could also be a very scary thing,” he commented.
State of security in IoT devices
Danhieux opined that when manufacturers build IoT devices they don’t think that these things would be exploited. He argued that manufacturers are under pressure to build these devices at the lowest possible cost and deployed them quickly.
“People don’t think about the potential threats we could face with some of these IoT devices, whether it is hardware or IoT software development kits (SDKs). The vulnerability could be in how the IoT communicates from within the network,” he added.
His point was that it's a very complex environment. “I think, and not many people, when they are building those devices are thinking about all the different problems that can go wrong, around IoT security,” he continued.
In the IoT manufacturing space, everything needs to be minimal. This may mean a lack of processing power to do proper cryptography. “Those are the trade-offs that manufacturers make. Some cannot do remote updates, remote patching of firmware vulnerabilities. It is stock firmware that never changes even though it [may have] weaknesses in it,” Danhieux elaborated.
At the personal level, there is increasing awareness and concern about device insecurity. Danhieux believes the same should apply to enterprises. He noted that very often the IoT network is separated from the IP network and managed by a different group.
He warned that IoT can still be used as a launchpad for attacks. He cited the Mirai botnet that exploited vulnerabilities on software development kits of some 83 million IoT devices.
“I do think both from an enterprise, we should ask the right questions to the manufacturers. I think from a personal life perspective, as well, we should make sure that manufacturers of IoT devices, that there is a level of responsibility they take around building secure devices, rather than just building a device and getting it out there,” he opined.
Key considerations for revisiting security for infrastructure
Danhieux recommends scanning and testing networks for vulnerabilities. This includes all devices connected to the network, regardless of age.
The next step in the process is determining whether it makes sense to build layers of defences into the infrastructure. Can device manufacturers update the firmware of these devices? He recalled that some of these devices could be 20 to 30 years old.
He recalled that 20 years ago, enterprises were dealing with web application securities. He now sees those same vulnerabilities appear in IoT devices today. Things like remote command injections and buffer overflows are well-known problems but are now appearing in the IoT world.
Danhieux warned that looking for a security expert that knows IoT may be a problem. It is a very specialist role, and there are very few firms around the world that focus on IoT security, including at the network, data, and software layers.
He acknowledged the skills can be developed in-house.
“Developers can be taught to write securely at the data and software layer. Network security architects and security engineers can be tasked with assessing the network component. You might find somebody that can work with physical devices to assess the physical side,” he continued.
“But to find it all in one person inside an enterprise. I think it's almost impossible. That's probably a security expert. You need to hire for that. You can kind of split them up in the different layers of your organization.”Pieter Danhieux
Ownership of IoT security
Danheiux acknowledged that ownership of IoT security remains a philosophical issue. Internet Protocol (IP) security people normally do not care about the security of buildings.
“However, at the end of the day, if it is a threat to your business, if it can damage your enterprise, if you could damage your reputation, does it matter which C level person in the company takes ownership of it? He queried.
He opined that at the end of the day, it is a business risk. It doesn’t matter which C letter is responsible. Not covering it [security] is the big problem, he concluded.
Click on the PodChat player and hear Danhieux talk about the state of IoT security in Asia.
- Let’s frame our discussion first: where can we find IoT technologies in a typical enterprise in Asia?
- What are prevailing misconceptions about IoT security?
- From your perspective, should leaders be concerned about IoT security?
- Where should senior leadership begin the discussion of IoT security?
- What should be the key considerations for revisiting the security of their IoT infrastructure?
- What about the skills/know-how around IoT security? Do we hire or outsource?
- What preconceived ideas should leaders set aside when discussing IoT security?