The Internet of Things (IoT) offers potential for global disruption and value creation, rivalling that of the internet itself (and possibly much more), but it is an immature domain where product and technology categories aren’t yet clearly established. Security has always been an ecosystem play in the IT side, and with the convergence of IT and IoT, that ecosystem has expanded drastically.
A leading theme across all industries implementing IoT solutions is the opportunity to reduce security and compliance risk in organisations by deploying IoT technologies (66.1%), including monitoring for security breaches, loss prevention and public and workplace safety.
In an effort to make the IoT landscape more practical to navigate, analysts at 451 segment IoT into two areas:
- Thing-centric: elements required to get devices talking to each other – edge computing, connectivity modules, operating systems, wearable technologies and edge gateways.
- Internet-centric: infrastructure and services required to complete an IoT solution – bandwidth, connectivity, middleware and application platforms, big data and cloud, systems integration, managed services and consulting.
What are the security risks?
The thing-centric side is very new to the IT world and has not traditionally been part of the regular IT rigour around security. But now thing-centric components are in communication with internet-centric components and with that comes a larger attack surface area.
Thing-centric IoT device vulnerabilities
- Built to last for decades, these devices can exceed their effective encryption technology
- They are designed without any kind of security or they can’t support security
- Construction hinders the ability to remotely patch the endpoints if a vulnerability is discovered
- They are open to exploitation by hackers which in turn could lead to more serious network hacks
- Their identity doesn’t include robust access control mechanisms, enabling hackers to gain control by mimicking the devices
In the world of IoT, networking protocols may have been developed with essential communication as the only function in mind. This creates other opportunities for vulnerabilities.
Thing-centric network vulnerabilities
- IoT networks and endpoints may not have adequate encryption
- Devices employ hundreds of protocols, some of which are well recognised by enterprises – ZigBee, Thread, MQTT – increasing their vulnerabilities, especially if there is a lack of strong encryption
- IoT networks are often flat compared with typical IT networks, compromising more critical functionality
- The flat topology also creates exposure to centralised management or data systems
Since most of these assets could be in the field for years, with no easy way to secure, patch and monitor the assets, their risks are compounded.
Impact on internet-centric security
- Thing-centric data could contain malware, so it needs to be inspected, stored, separated, sanitised and sandboxed to eliminate any possibility of an executable code entering the system
- Surface area also increases from the physical to the virtual world with vulnerable applications, compromised machine identities, policies and entitlements being targeted for violation, leading to an increase in the security footprint on the IT side as well
New use cases, standards, protocols, devices and things will keep driving the growth of this advanced IoT security market, especially on the IT product and services side, since they have to deal with all of the legacy vulnerabilities on the ‘of things’ side that have accumulated for decades.
IoT security is going to be a confusing market segment for the indefinite future as the broader IoT sector rationalises around common-use cases, ROI models, standards and architectures. This confusion, however, creates opportunities for solution providers who can address these vulnerabilities now.