Due to the rapid evolution of technology, the Internet of Things (IoT) is changing the way business is conducted around the world. This advancement and the power of the IoT have been nothing short of transformational in making data-driven decisions, accelerating efficiencies, and streamlining operations to meet the demands of a competitive global marketplace.
IoT, in its most basic terms, is the intersection of the physical and digital world with distinct applications and purposes. It is devices, sensors, and systems of all kinds harnessing the power of interconnectivity through the internet to provide seamless experiences for business.
Up until today, we, as security professionals, have been very good at writing about the numerous and varying IoT applications and uses and have agreed upon the fact that the security of the IoT is important. However, have we really understood the big picture? That is, for IoT to really reach its full potential as a fully interconnected ecosystem, cyber security and the IoT must be synonymous and interdependent to be truly powerful.
So, it would only seem natural that many experts believe that IoT is at a major crossroads. On the right is the singular value the IoT brings amid isolated clusters, and on the left is the potential to unlock its true value as a powerful and far-reaching, fully interconnected IoT ecosystem. The question is, which road will it take? I believe that the answer lies in between trust and IoT functionality with cyber security risk as the core obstacle in the middle standing in the way of a successful integrated whole.
Should this homogeneous partnership occur, it would be a monumental change and breakthrough across industries and key applications such as manufacturing, banking, healthcare, and the logistics and supply chain. But today’s IoT and cyber security ecosystem is fragmented and there will be obstacles to overcome to achieve this transformation.
IoT continues to expand across almost every industry vertical, but it hasn’t yet scaled as quickly as expected. The goal is one in which devices and their functionality are dispatched to move seamlessly from a physical environment to an identified, trusted, and authenticated one.
The growing maze of connected devices and the complexity of IoT use create many opportunities for vendors and contractors in the supply chain, but they also create the risk of catastrophic vulnerabilities and consequences for businesses. This was never more evident than in the massive SolarWinds supply chain breach. Often the IoT risk profile is much higher than that of enterprise IT, given that a cyberattack on the control of the physical operations of the IoT yields a higher profit and more significant gain in the eyes of an attacker.
Therefore, traditional approaches to security in the IoT don’t support a secure and seamless transmission of information, data, or functionality from one point to another. This requires an early-stage integration of cyber security in the actual IoT architecture design and pilot phase.
A recent IoT buyers report outlined that there is little multi-layered security embedded in today’s IoT solution designs. This leads to vulnerabilities that, in turn, require over-the-air updates and patches, which can’t be reliably implemented. In comparison to enterprise IT, solution design in the IoT space lags in security assurance, testing, and verification.
Interoperability is another challenge solution providers must overcome alongside cyber security integration during the early stages of IoT implementation. Therefore, it should not come as a surprise that we, as solution providers, have drastically underestimated the importance of IoT trust and cyber security with a mentality of “build it first and cyber security will follow.” But this is exactly what is impeding the acceleration of IoT adoption, with many industries still in doubt not over the value and worth of IoT, but over the cost of implementing an IoT system that is not truly trustworthy or secure.
So, where does this leave us? This IoT conundrum reminds me of a time when security operations (SecOps) and applications developers (DevOps) also worked independently from one another in silos. These two teams were not trying to solve security problems collectively nor share the information and decision-making necessary to make the software development life cycle (SDLC) an integral consideration in security decision-making. Rather, it was an afterthought that was often disregarded.
To address cybersecurity concerns, a unified decision-making structure was created between the applications development and design teams and cyber security operations to assume a required mindset to influence security for enterprise applications. These teams now work together to embrace security decisions alongside application development and design. IoT and cyber security teams must also make this collaborative leap to garner the same long-term advantage and reward.
Some reports estimate that by 2030 the IoT suppliers’ market will reach approximately $500 billion. In a scenario in which cyber security is completely managed, some reports indicated executives would increase spending on the IoT by an average of 20 to 40 percent. Moreover, an additional five to ten percentage points of value for IoT suppliers could be unlocked from new and emerging use cases. This implies that the combined total addressable market (TAM) value across industries for IoT suppliers could reach in the range of $625 billion to $750 billion.
IoT adoption has accelerated in recent years, shifting from millions of siloed IoT clusters made up of a collection of interacting, smart devices to a fully interconnected IoT environment. This shift is happening within industry verticals and across industry boundaries. By 2025, the IoT suppliers’ market is expected to reach $300 billion, with 8 percent CAGR from 2020 to 2025 and 11 percent CAGR from 2025 to 2030.
The future adoption of the IoT relies upon the secure and safe exchange of information within a trusting and autonomous environment whereby interconnective devices communicate through unrelated operating systems, networks, and platforms that enable designers and engineers to create powerful IoT solutions while security operations ensure a secure seamless end-user experience.
This will help to address critical factors such as:
In a recent survey across all industries, respondents cited cyber security deficiencies as a major impediment to IoT adoption and named cyber security risk as their top concern. Of these respondents, 40 percent indicated that they would increase their IoT budget and deployment by 25 percent or more if cyber security concerns were resolved.
In addition, the specific cyber security risks that each industry is addressing will vary by use case. For example, cyber security in a healthcare setting may entail virtual care and remote patient monitoring, whereby data confidentiality and availability become a priority. With banking and the rise of APIs to accommodate increasing demands for more financial services, privacy and confidentiality have become a priority due to the storage of personally identifiable information (PII) and contactless payments that depend heavily on data integrity.
In 2021, annual growth of more than 10 percent in the number of interconnected IoT devices led to higher vulnerability to cyberattacks, data breaches, and mistrust. By now, we as security professionals understand that the frequency and severity of IoT-related cyberattacks will increase, and without effective IoT cybersecurity programs, many organizations will be lost in a localized production world where risk is amplified and deployment is stalled.
As pointed out, IoT cyber security solution providers have tended to treat cyber security separately from IoT design and development, waiting until deployment to assess security risk. We have offered add-on solutions rather than these solutions being a core, integral part of the IoT design process.
One way to change this approach is to embed all five functionalities defined by the National Institute of Standards and Technology:
To make cyber security a pivotal part of IoT design and development, we can consider the following mitigating actions:
Penetration Testing: To identify potential security gaps along the entire IoT value chain, penetration testing can be conducted earlier during the design stage and again later in the design process. As a result, security will be sufficiently embedded to mitigate weaknesses in the production stage. Patches in the software design will have been identified and fixed, allowing the device to comply with the most recent security regulations and certifications.
Automated Testing and Human-delivered Testing: Aspirations of IoT-specific certification and standards embedding security into IoT design practices may one day lead people to trust IoT devices and authorize machines to operate more autonomously. Given the different regulatory requirements across industrial verticals, IoT cyber security will likely need a combination of traditional and human-delivered tooling, as well as security-centric product design.
Attack Surface Management (ASM): ASM approaches IoT based on identifying actual cyber risk by finding exposed IoT assets and associated vulnerabilities. This IoT asset discovery process allows for the inventory and prioritization of those assets that are at the highest risk of exposure and mitigates the weaknesses associated with those assets before an incident occurs.
Holistic CIA Approach: Cyber security for enterprises has traditionally focused on confidentiality and integrity, while operational technology (OT) has focused on availability. Since cyber security risk for the IoT spans digital security to physical security, a more holistic approach should be considered to address the entire confidentiality, integrity, and availability (CIA) framework. The cyber risk framework for IoT should consist of six key outcomes to enable a secure IoT environment: data privacy and access under confidentiality, reliability and compliance under integrity, and uptime and resilience under availability.
There is a strong realization that IoT and cyber security must come together to drive security measures and testing earlier in IoT design, development, and deployment phases. More integrated cyber security solutions across the tech stack are already providing IoT vulnerability identification, IoT asset cyber risk exposure and management, and analytic platforms to provide the contextual data needed to better prioritize and remediate security weaknesses. However, not enough security solution providers are building holistic solutions for both cyber security and the IoT due to its complexity, different verticals, systems, standards and regulations, and use cases.
There is no doubt that further convergence and innovation are required to meet IoT cyber security challenges and to address the pain points among security and IoT teams, as well as internal stakeholders who lack consensus on how to balance performance with security.
To unlock the value of the IoT as an interconnected environment, cyber security is the bridge that integrates trust, security, and functionality and accelerates the adoption of the IoT. Siloed decision-making for the IoT and cyber security must converge, and implementation of industry-specific architectural security solutions at the design stage should become standard practice. By working together to merge the pieces of the fragmented IoT model, we can put cyber risk at the forefront of the IoT to generate a powerful, more secure, and effective interconnected world.
BreachLock is a global leader in PTaaS and penetration testing services as well as Attack Surface Management (ASM). BreachLock offers automated, AI-powered, and human-delivered solutions in one integrated platform based on a standardized built-in framework that enables consistent and regular benchmarks of attack tactics, techniques, and procedures (TTPs), security controls, and processes to deliver enhanced predictability, consistency, and accurate results in real-time, every time.
Note: This article was expertly written by Ann Chesbrough, Vice President of Product Marketing at BreachLock, Inc.