Many of the discussions about the Internet of Things, or IoT, focus on the positives of having a connected home or a connected workplace. But there's also been a focus on the weaknesses and flaws in the IoT. High on that list is security and concerns about the safety and integrity of all those devices that we're connecting together.
If security problems can cause serious problems for consumers, compromised security for the Industrial IoT (IIoT) can be devastating for organizations involved and result in a significant reputational hit when devices are hacked, and even a shutdown if the attack is serious enough. As the world has become more connected over the past year, that has pushed IIoT security to the top of security professionals' agenda.
The State of Security in the Internet of Things
The bad news is that many of those responding to a recent survey say they are not prepared to protect their organizations’ infrastructure. In March 2021, Tripwire, a Portland, Ore.-based provider of security and compliance solutions for enterprises, surveyed 312 security professionals who manage IoT and IIoT devices across their organization.
According to the survey, 99% of security professionals report challenges with the security of their IoT and IIoT devices, and 95% are concerned about risks associated with these connected devices. More than three quarters of those surveyed said that connected devices do not easily fit into their existing security approach, and 88% required (or still require) additional resources to meet their IoT and IIoT security needs.
This is of particular concern for those in the industrial space, as more than half (53%) said they are unable to fully monitor connected systems entering their controlled environment, and 61% have limited visibility into changes in security vendors within their supply chain.
No Device Is Safe From Threats
One of the most significant technologies of the 21st century, IoT has the power to revolutionize our daily functions and how we interact with our homes and each other. The mass usage of IIoT is a massive opportunity but it comes with many problems that manufacturers have yet to answer, said Ondrej Krehel, CEO of LIFARS, a New York City-based cybersecurity firm. The biggest potential downside is that they are not safe from cybercriminals.
“In 2021, there is no device in the world that is 100% safe from all outside threats," he said. "Any Internet-connected device anywhere is vulnerable to some type of attack. However, considering the interconnectivity of IoT devices, a simple breach could be catastrophic and expose problems to an entire network of devices [across the enterprise], instead of just one.” Those threats include:
Botnet and DDoS attacks
Advanced persistent threats for power grids, industrial control and related infrastructure
Ransomware that controls room temperature and appliance startup
Theft of user data, such as credit cards
Remote control of a vehicle via invasion of intelligent automation systems
The Enterprise Disconnect Around IIoT Systems
The security of IIoT devices is easily its biggest problem. Manufacturers and service providers should prioritize the security and privacy of their products and should also provide encryption and authorization by default to protect users as much as possible.
Tom Winter, HR tech recruitment advisor and co-founder of New York City-based DevSkiller, pointed out that while IoT has been a great factor in the proliferation of smart homes, smart offices have yet to take flight in the same way. The fact that companies and organizations have significant security issues is one of the reasons why industrial IoT implementation has not caught on in the workplace.
There is a clear disconnect between organizational IoT systems and their users. Yet, the importance of these systems is inevitable and organizations must educate their users to build knowledge and awareness. There is one more factor: the maturity of the commercial products in the market today.
“Perhaps they are not yet ready for all types of offices just yet," Winter said. "There may need to be some time for the market to adjust to the needs of various organizations."
The proliferation of 5G networks will vastly improve both the security and performance of these IoT systems. Because not all regions globally have access to this technology yet, there needs to be patience on the part of companies before IoT workspaces become a full-fledged phenomenon.
Why IIoT Can't Be Ignored
Organizations and chief information security officers are right to be concerned by IIoT security, but the benefits and market potential are such that companies cannot sit idly by either, said Hatem Oueslati, co-founder and CEO of France-based IoTerop. One positive is that Europe, the UK, and the US all recently introduced cybersecurity regulations highlighting the importance of security, but even these suggestions can be problematic. Take firmware updates, for example. Poorly implemented FOTA mechanisms can create vulnerabilities.
Security should be an integral pillar of product strategy. No one buys thousands of smart meters without looking closely at security. Security is one reason original equipment manufacturers are attracted to the lightweight M2M standard (LwM2M). Initially, they want to reduce time to market and improve solution quality. However, standardized device management services like zero-touch device commissioning and PKI provisioning, monitoring, authentication and encryption are crucial to operating secure, cost-effective IoT solutions.
“Soon, billions of devices will deliver the goods and services we need to live, like healthcare, electricity and more," Oueslati said. "From the device to the cloud, everything must be secure and standardized so the risks are not hidden.”
Other IIoT Issues
There are other issues, too. The hype around IoT years ago was off the charts, said Ron Exler, director and principal analyst at the Stamford, Conn.-based Information Services Group. The excessive predictions about its spread explain why there are questions over why it has not spread as fast as might have been expected.
It also explains the lack of scale in enterprise deployments. Many IoT pilots launched amidst the hype but many did not scale because they could not show adequate ROI, and many enterprises are still concerned about security.
The result, Exler said, is that service providers will not do pilots. Instead, they show the ROI for full deployments, get executive buy in and then go. What is left in the enterprises are the closed systems, such as factories. In these environments, even small improvements in productivity are important and can be more easily measured. These environments are also more conducive to 5G deployment.
The lack of standards and interoperability is also a problem for enterprise IoT. Enterprises seek to lower risk and one way to do that is to rely on a multiple vendors. Plus, multi-vendor solutions can be more robust. The IT systems connecting to the operational systems are critical, too. “Without adequate standards for data exchange and security, the idea of the IoT will not reach its full potential,” Exler said.
Underlying all this is the fact that security is an afterthought. Every device is a potential entry point for hackers yet it is an open secret in the industry that the IoT ecosystem of vendors is more concerned with getting new products to market than securing them. Most consumers do not pay attention but many enterprise buyers do. The security risks simply are not worth it for them, especially when the ROI is unpredictable or fleeting.
Exler argued that while AI can help IoT, especially at the edge to collect and process the right data, it could also help with security. But it is not a panacea. 5G will help for some applications where speed and network latency are critical.