Don’t get caught in an IoT security nightmare

Developing an IoT security competency and implementing an IoT risk assessment program should be an important strategic focus for any company implementing an IoT strategy.

A great race is underway among companies in the industrial sectors to be leaders in the Internet of Things (IoT) realm. Companies are off and running in their plans to execute IoT strategies, and many are already connecting all manner of “things” to gather and analyze data about product usage and performance, factory output, maintenance issues, etc.

The proof is in the spending. A June 2017 report by research firm International Data Corp. (IDC) said spending on IoT in 2017 was expected to grow 17% compared with the previous year, reaching more than $800 billion. By 2021, IDC said, global IoT spending is expected to reach about $1.4 trillion, including hardware, software, services, and connectivity that enable IoT.

As management consulting firm Bain & Company points out in a recent report, the industrial and enterprise markets are poised to become the largest IoT battlegrounds, with $300 billion in expected revenues by 2020. Bain surveyed more than 500 industrial companies and 150 IoT vendors around the world for its study.

Industrial applications are likely to be among the biggest markets for IoT devices and services in the coming years, according to Michael Schallehn, a partner in Bain’s Technology Practice and an IoT expert. And why not? IoT promises all sorts of benefits for facilities such as factories and warehouses, where companies can make significant improvements in processes and deliver truly “smart” manufacturing operations.

Need for a security focus

The IoT discussion at many industrial businesses today is often centered around business use cases and the most appropriate architectures and technologies to deliver on those use cases. One of the biggest expected benefits of this emerging connected world is being able to gain new insights about product usage, customer preferences, process flows, etc.

Often the way to gain those insights and make better decisions is through advanced data analysis. As a result, many promising use cases depend on the ability to leverage the power of both edge and cloud analytics to produce timely and accurate operational insight. Consequently, an understanding of when, where and how to analyze data that is gathered from IoT devices is a major part of any successful IoT strategy.

What might be getting left behind, however, in the rush to connect every possible thing to powerful insight-generating capabilities in the cloud, is the need to carefully evaluate and secure every component of the IoT ecosystem. Failing to do so can be a big mistake, especially in light of the devastating attacks that have already taken place and the risk of seemingly-innocuous IoT devices becoming the source of broader compromise of enterprise security.

One of the most prominent recent IoT-based incidents was the October 2016 distributed denial-of-service (DDoS) attack launched against Dyn Inc., an infrastructure provider that offers managed DNS services. This incident temporarily brought down some of the largest sites on the Internet, and Dyn confirmed that one source of the traffic that caused the service outage were IoT devices infected by the Mirai botnet.

A June 2017 report from strategy consulting firm Altman Vilandrie & Co. showed that nearly half of U.S. organizations using some sort of IoT network (48%) have experienced a recent security breach. That’s based on a survey of 397 IT executives in 19 industries conducted in April 2017. Anything with an Internet connection can be hacked, the firm noted, and this creates significant financial and legal exposure for organizations as well as safety concerns for workers and consumers.

The survey also revealed the significant financial exposure of poor IoT security. The cost of the breaches covered in the survey represented 13% of the total revenues for companies with revenues under $5 million annually, and tens of millions of dollars for the largest enterprises. Nearly half of businesses with annual revenue of more than $2 billion estimated the potential cost of one breach to be more than $20 million.

Create a comprehensive program

Not surprisingly, cyber security is top of mind with senior executives and boardrooms these days, with recent events such as the huge Equifax data breach getting a lot of attention. That means IT and security departments should have no difficulty making security provisions for IoT a high priority.

When thinking about how to provide robust IoT security, it’s important to consider the various components of the IoT ecosystem—including the connected devices and products, sensors, firmware, applications, application programming interfaces (APIs), networks, and databases—both in isolation and working together as a part of an integrated solution.

While each component may independently provide sufficiently robust and comprehensive security capabilities, the actual security of the entire solution will depend on if, when and how these capabilities are leveraged when the final application is designed and implemented. Organizations need to create comprehensive IoT security risk assessment programs to evaluate IoT solutions before deployment.

While such risk assessment programs should cover the robustness of the technologies employed, it’s also important keep in mind the “people” issues, and have in place effective policies, procedures, governance and training programs to ensure strong operational oversight of the people responsible for critical IoT subsystems.

Often it is the failure of these people, who are charged with ensuring that security tools and procedures are promptly and effectively employed, that creates the opportunities for successful security exploits. However, people will always make mistakes. In an increasingly complex security threat landscape, companies need to examine how to best employ automation and machine intelligence to complement the efforts of their operational and security teams and reduce the risk of human error.

Developing an IoT security competency and implementing an IoT risk assessment program should be an important strategic focus for any company implementing an IoT strategy. Only then will organizations be able to safely reap the benefits available from a world of cloud intelligence and increasingly connected things.