After years of anticipation, the Internet of Things (IoT) is set to break into the mainstream, with 25% of businesses now using IoT technology, compared to just 13% in 2014. And as IoT underpins an increasing host of new technologies, such as driverless cars and smart devices, its use will only continue to expand.
With this growth, however, comes a crucial concern: security. A number of high-profile cyber attacks have demonstrated the vulnerability of IoT. Certainly, this issue has forced companies to consider what they should be doing to mitigate the risk – but it also raises a much bigger question: is it possible to balance seamless user experience with strong security? At ITRS, we believe it is feasible, but it takes a comprehensive security strategy.
The rise of IoT and cyber security challenges
Building on a steady rate of adoption throughout its early years, IoT is now an established class of mainstream technology. This is set to accelerate further, with the number of IoT-connected devices predicted to increase to 43 billion by 2023 – an almost threefold increase from 2018. This acceleration is driven by a host of factors, such as global consumer trends and demand for inter-connected devices, as well as the proliferation of 5G, the evolution of edge computing and the adoption of Industry 4.0.
IoT devices are brilliant in what they are designed and built for; however, typically due to their limited computing resources, they do not have adequate built-in security features. As a result, some network-connected IoT systems can potentially be a convenient target for threat actors. The consequences of a security breach in an IoT device are not limited to the targeted device, however. A compromised internet-connected IoT system might provide hackers with full access to the rest of the network and, for example, set the stage for a ransomware attack.
Will security problems hold IoT back?
In order to put the scale of these evolving security challenges in context, let’s consider a ‘real life’ use case. The combination of 5G and IoT will form the foundation of the infrastructure on which self-driving cars and autonomous vehicles will operate. 5G will provide the expansive, ultra-reliable low latency networks which facilitate the communication, control and monitoring of the self-driving cars. Meanwhile, IoT devices, among other cyber physical systems (CPS), will provide the vast array of sensors, from actuators to smart vision equipment, inside the vehicles, as well as those in the outside environment as part of the underlying infrastructure. As this example demonstrates, security attacks on such critical infrastructure could potentially lead to catastrophes involving injuries and loss of life for the passengers of the driverless vehicles as well as hapless passersby.
Further complicating the landscape, there is no one underlying cause for these security problems. Rather, they’re driven by a combination of factors, including insecure interfaces, poor device management, insufficient data protection and skills gaps. At a more fundamental level, however, part of this problem has been limited focus on security or privacy on the part of IoT device manufacturers.
What’s the answer?
For IoT developers and architects, there is a clear opportunity to build security in at the design stage, and into the build as part of the Software Development Lifecycle. Additionally, the collaboration between Engineering, DevSecOps and QA teams needs to include joint security objectives at all stages of software and hardware production.
Currently, for example, a common security problem is insufficient device authentication and authorisation, as well as weak encryption. The answer to these problems would be a combination of multi-factor device authentication and digital certificates, which would allow IoT devices to be identified and verified uniquely, ensuring that only authorised applications and individuals have access.
An evolving problem requires an evolving solution
While the IoT ecosystem continues to evolve and expand, the levels of security and privacy provisions required will also increase. As IoT devices become more and more connected to IT infrastructure, IoT exploitations will become increasingly popular among hackers.
The vulnerabilities of insufficiently secured consumer IoT devices can potentially lead to large scale incidents for businesses. For instance, a vulnerable smart TV, doorbell or thermostat can open the door to a threat actor. This threat becomes even more significant in a working-from-home world: once the threat actor manages to get access to the home network, other corporate or personal devices which share the same internet connection or infrastructure will also be exposed. A business laptop on a compromised home network can potentially contaminate the enterprise systems, or even the firm’s supply chain.
Can security be reconciled with convenience?
Convenience is one of the primary utilities of consumer IoT devices. That includes interoperability, ease of use and seamless user experience. The architects and system engineers need to consider and articulate the security and privacy cost of convenience for consumers and businesses alike.
In order to reconcile convenience with strong security or privacy, firms need to implement cyber security strategies such as Zero Trust and defence-in-depth, alongside the principles of least privilege. Employing such strategies has a direct impact on improving and enhancing the security posture of an organisation. Furthermore, their adoption and implementation will elevate the resilience of the organisation in the event of a cyber attack or security breach.
It’s clear that the rise of IoT poses challenges, but there are also clear solutions. Cyber security and privacy problems require inter-disciplinary cooperation, where innovators, technologists, social scientists and policy makers, among others, can combine their forces to chart a safe way ahead for the adoption of new concepts, technologies and systems.