IDC predicts that by 2025, IoT spending in the Asia-Pacific region is predicted to reach US$437 billion. IDC Asia-Pacific adjunct research director, Bill Rojas, cites IoT adoption in industries like transportation, retail, manufacturing, resources, and utilities is driven in part by increased capacity and reliability of fibre and cellular network infrastructure.
"In many phase one projects enterprises focused on a single use case and on acquiring the data streams from single sources but as the organisations gain a deeper data-driven understanding of their operations, they can start to use other data sources (such as geolocation, machine maintenance data, weather, transactions activity, vehicular telemetric traffic data, and so on) to improve their analytics and expand beyond the original use case," he continued.
That’s the good news. The bad news is that any device that is connected to the internet is susceptible to some form of cyberattack. The Mirai Botnet and Stuxnet are two infamous attacks against targets that caused massive disruptions.
Any device that is connected to the internet is susceptible to some form of cyberattack. Apart from the fact that IoT devices inherently have very little built-in security, and that patch management can be difficult because of their physical nature, the interconnectedness of these devices and the subsequent complex environments they are implemented pose grave security threats across entire networks.
Monitoring is a vital part of every security strategy, ensuring that all classic security tools like firewalls, unusual detection systems or privileged access management (PAM)-tools work flawlessly.
Suitable monitoring solutions can ensure physical security by integrating door-locking systems, security cameras, smoke detectors or temperature sensors into central monitoring. And businesses in APAC should be prioritising this in 2023 to reduce their risk of cyber-attacks and data breaches.
In describing the state of IoT security or lack of it, David Montoya, the global head of IoT at Paessler, noted that it is not just the lack of security features in the IoT devices themselves that is the challenge, but where these devices are located.
“When you think about cybersecurity from the IT perspective, everything is central. You might have the perimeter and then you have all the endpoints in the middle. But here (with IoT) we might be talking about having a device, which is sending out information about the flow of water, or temperature or humidity of the soil, for example, in the farming context,” he explained.
“It is important to look at different security problems or challenges because we are not only talking about the security of the information. We are, in several cases, even talking about the security of the device itself.”
David Montoya
“People are creating vulnerabilities out of IoT, and they are willing to get a device, open it up and figure out how to reverse engineer it. They will then try to figure out how it works and then install it again with some malware, which can then make the network vulnerable,” he continued.
Why IoT continues to be vulnerable
Montoya comments that despite more regulations and security practice context within the vendors, it is very costly or inconvenient for them to put extra resources, like computing resources into these tiny little IoT devices in use to be able to deal with patches and updates.
“For companies creating IoT devices, there is not a lot of value in needing to put more resources there,” he surmised.
He argued that device manufacturers are incentivised to create small devices that cost as little as possible. The other issue is the variety of devices and vendors. “Even though there are more regulations, there are still no standard practices put in place as to how the information should be stored,” he commented.
Twin standards to consider
Montoya clarifies that there are two standards they consider when it comes to IoT – security and communication. One is related to a standard for protocols and the way those devices connect to different cloud-based systems monitoring systems. These central consoles ensure all the devices are on and reporting data, etc. In such a heterogeneous environment the lack of standards is creating chaos in the IoT world.
“Every vendor with a specific device for a specific reason created specific ways of communication that led to multiple protocols nowadays,” he continued. “When you have different players, each looking at their market niche, what ends up happening is a lack of communication standards and protocols.”
“This (situation) opens the same vulnerabilities that have happened for operational technology (OT) before now happening for IoT as well. Stronger standards are one way things can get better in terms of how to secure all these kinds of devices.”
David Montoya
Monitoring tools can help improve the security of IoT
According to Montoya, monitoring tools help visualise the data, including receiving alerts about the data. And while IoT vendors may provide tools to monitor their solution, the variety of vendors and the specificity of their use cases, suggest that a user may have a collection of monitoring applications that track a specific kind of device.
And because these may not come from the same vendor, it is likely that these do not use the same standard and may not be able to communicate with each other.
In addition, Montoya believes that users will not likely stay with one vendor for the same use case throughout the entire life of the process. “It is very normal that you have a certain IoT device from a certain vendor today and maybe two, or three years later you need to go for another technology and another vendor,” he explained.
The result is complexity on the part of the user trying to make decisions on the entire system or process. “You will have multiple different visualisation tools with different databases where the data is stored. And whenever you are trying to retrieve the data from multiple sources, you will take more time to know what is going on, how to use the data, how to bring the data into a central location, how to use that central location to provide central visualisation,” elaborated Montoya.
Ideally, you will want a central location from which to manage all these different proprietary technologies, standards and protocols, something Montoya says is what Paessler does.
“We keep up with all these new technologies to provide a single pane of glass. So that multiple vendors for IoT devices can share the information with our visualisation tool and monitoring solution. So that the users can see everything in one place and can handle everything from a single location, we provide a central database, and they can also get centralised alerts,” he explained.
Where do we go from here?
IDC market analyst for Asia-Pacific, Sharad Kotagi, says enterprises no longer think IoT value is only limited to achieving operational efficacy and improved productivity.
“They see IoT as an enabler in the evolution of enterprises' requirements and challenges in an ever-changing business environment. Many organisations are willing to invest in digital technologies such as IoT, and AI to fully leverage the new expansive role of data in emerging digital business models.”
Sharad Kotagi
But in the race to Industry 4.0 and the promise of smarter IoT-enabled enterprises, businesses and operations should not forget that behind the facade of benefits such a transformation promises, lies a myriad of security threats and vulnerabilities that must be addressed not for the lifecycle of the IoT but the use cases it is trying to enable.
Click on the PodChat player and hear Montoya talk about the challenges organisations face as they integrate IoT into their operations, and why monitoring may be the best path forward to securing IoT as the converged future of IT, OT and IoT.
- Paint us a picture of the security landscape where it involves IoT.
- Technologies like IoT, security practices and regulations have evolved, why do IoT continue to be vulnerable?
- Is the lack of standards around IoT protocol a problem for securing IoT?
- Will this wide range of protocols also hinder the effective use of monitoring tools and services?
- As IoT start to connect – be part of the enterprise, how should the CIO, CISO and the COO or head of operations work together to better secure IoT as these connect to the enterprise?
- Your thoughts for 2023?