By Reza Moqadasi, CISO, ITRS Group
Since its inception, the Internet of Things (IoT) has grown at a steady pace – but, finally, it is positioned to break into the mainstream. Demonstrating this growth, a quarter of businesses now use IoT technology, compared to just 13% in 2014. And this expansion is only set to continue, with IoT underpinning an increasing host of new technologies, including driverless cars and smart homes.
However, as IoT continues to proliferate, security becomes a crucial concern – with a number of high-profile cyberattacks demonstrating the vulnerability of IoT. Certainly, this issue has forced companies to consider what they should be doing to mitigate the risk – but it also raises a much bigger question: is it possible to balance seamless user experience with strong security? At ITRS, we believe it is feasible, but it takes a comprehensive security strategy.
The rise of IoT and cybersecurity challenges
Building on a steady rate of adoption throughout its early years, IoT is now an established class of mainstream technology. This is set to accelerate further, with the number of IoT-connected devices predicted to increase to 43 billion by 2023 – an almost threefold increase from 2018. This growth is driven by a range of factors, including global consumer trends, an increasing demand for interconnected devices, the proliferation of 5G, the evolution of edge computing and the adoption of Industry 4.0.
IoT devices excel at what they are designed and built for; however, typically because of their limited computing resources, they lack adequate built-in security features. As a result, some network-connected IoT systems can be a convenient target for threat actors. But the consequences of a security breach in an IoT device are not limited to the targeted device: a compromised internet-connected IoT system might provide hackers with full access to the rest of the network and potentially set the stage for a ransomware attack.
Will security problems hold IoT back?
To put the scale of these evolving security challenges in context, let’s consider a real-life use case.
IoT, in combination with 5G, will form the foundation of the infrastructure on which self-driving cars and autonomous vehicles will operate. 5G will provide the expansive, ultra-reliable, low-latency networks that facilitate the communication, control and monitoring of self-driving cars. Meanwhile, IoT devices, among other cyber-physical systems (CPS), will provide the vast array of sensors and actuators, up to smart vision equipment, inside the vehicles, as well as those in the outside environment that form part of the underlying infrastructure.
As this example demonstrates, security attacks on such critical infrastructure could potentially lead to catastrophes involving injuries and loss of life, not only for the passengers of the driverless vehicles but also for innocent bystanders.
Further complicating the landscape, these security concerns cannot be attributed to any single underlying cause. Rather, they are driven by a combination of factors, including insecure interfaces, poor device management, insufficient data protection and skills gaps. That being said, at a more fundamental level, part of this problem has been the limited focus on security and privacy by IoT device designers and manufacturers.
What’s the answer?
There is a clear opportunity for IoT developers and architects to build security in at the design stage and carry it through the build as part of the Software Development Life Cycle (SDLC). What’s more, the collaboration between Engineering, DevSecOps and QA teams needs to include joint security objectives at all stages of software and hardware production.
For instance, at the moment, a common security problem is insufficient device authentication and authorisation, as well as weak encryption. A combination of multi-factor device authentication and digital certificates would allow IoT devices to be identified and verified uniquely, ensuring that only authorised applications and individuals can gain access.
An evolving problem requires an evolving solution
While the IoT ecosystem continues to evolve and expand, the levels of security and privacy provision required will also increase. As IoT devices become more and more connected to IT infrastructure, exploitation of IoT devices will become increasingly popular among hackers.
The vulnerabilities of insufficiently secured consumer IoT devices can potentially lead to large-scale incidents for businesses. A vulnerable smart TV, doorbell or thermostat, for example, can open the door to a threat actor. This threat becomes even more significant in hybrid working models that include working from home: once the threat actor manages to gain access to the home network, other corporate or personal devices that share the same internet connection or infrastructure will also be exposed. A business laptop on a compromised home network can potentially compromise enterprise systems, or even the firm’s supply chain.
Can security be reconciled with convenience?
Convenience is one of the primary utilities of consumer IoT devices. That includes interoperability, ease of use and a seamless user experience. Architects and systems engineers need to consider and articulate the security and privacy cost of that convenience for consumers and businesses alike.
To reconcile convenience with strong security and privacy, firms must implement cybersecurity strategies such as zero trust and defence-in-depth, alongside the principle of least privilege. Employing such strategies directly improves the security posture of an organisation. What’s more, their adoption and implementation will raise the operational resilience of the organisation in the event of a cyberattack or security breach.
While it is true that the proliferation of IoT poses a number of challenges, there are also clear solutions. With inter-disciplinary cooperation, whereby innovators, technologists, social scientists and policy makers, among others, work together, the issues of cybersecurity and privacy can be overcome to enable the safe development and adoption of new IoT-powered technologies, systems and concepts.