As industries across the aisle begin accepting the push to a more online workflow, and the recent explosion of AI highlights how close industry 4.0 and even industry 5.0 are to being realised, IoT proliferation will go from huge to ginormous.
Already, the world has some 20 billion connected IoT devices. But with all that connectivity, comes increased security concerns. Although the IoT industry is one that has no real unifying consensus on security protocols, initiatives and legislation from the EU, UK and even US governments will at least see some basic principles set.
Yet, the fact that principles and protocols are still largely down to individual organisations means sometimes, getting a temperature of the industry can prove difficult. “Addressing these challenges calls for increased collaboration among industry sectors – as well as technology firms, policymakers, standards organisations and cybersecurity professionals,” Iain Davidson of Wireless Logic tells IoT Insider. So what, if collaboration was improved, would they target to make the interconnected world of IoT more secure?
IoT security concerns
Much of current security concerns surrounding IoT currently comes from device side. “The limited computational resources on most IoT devices makes it hard to onboard powerful security protocols,” explains Davidson. This leaves them vulnerable to attacks such as malware, ransomware, and unauthorised access. This can prove problematic when it comes to the type of data the device is collecting. For medical wearables, for instance, security considerations are a lot higher due to the nature of people’s personal health .
Data and network security present further issues. Given the volume of data collected by today’s IoT devices, understandable concerns exist around identity theft, surveillance and other privacy violations. Therefore, the threat of interception on the network side, along with data manipulation and DDoS attacks cannot be ignored.
Equally, AI’s proliferation raises further concerns. “There are now some very incredibly advanced ransomware, malware, device spoofing and man-in-the-middle attacks. These pose a significant threat across sectors like consumer, transport, healthcare and energy infrastructure,” Davidson asserts.
Different industries are, as a result, implementing their own security measures and standards in silos. Yet, this fragmentation creates interoperability issues, which lead to gaps in security coverage, and soon, with the UK’s PSTI Act; the EU’s Cyber Resilience Act, and the US’ IoT Cybersecurity Improvement Act and Cyber Trust Mark, these could become solidified.
“With IoT spending projected to skyrocket by 2027, organsiations must brace for the impact of this and other incoming security regulations affecting connected devices,” warns Davidson. “Large-scale deployments expand the attack surface, so now is the time for decisive action to safeguard IoT ecosystems.”
Implementing a security strategy
“One of the biggest challenges in implementing IoT security is ensuring that defences are put in place and maintained across in every aspect of the business,” says Davidson. Currently, companies could be implementing, say, zero trust, for IoT device side authentication, but might not include that practice when it gets to staff laptops connecting into the network. That inconsistency allows points of entry for attackers.
“Securing large-scale networks across vast geographic areas or numerous locations is extremely complicated for most organisations,” Davidson explains. “Ensuring consistent security measures and updates across these dispersed networks requires proactivity, coordination, strategic partnerships and automated management tools.”
On the product side, Davidson argues the importance of injecting security at the point of manufacture, otherwise known as secure by design. “For that, they need comprehensive 360-degree security with measures to defend, detect and react,” elaborate Davidson. “Added to that, they must rehearse security regularly and feed insights back into development cycles to continually improve their security posture.”
Putting a strategy together, Davidson explains the holistic approach would include everything from managing device identity, ensuring secure communication and maintaining compliance; In terms of detection, proactive monitoring tools at device, network and application levels should be used to spot the earliest indicators of attack, and if any threats are detected, rapid response is crucial. “More organisations need to adopt this mindset. As a first step, they should assess their current IoT security profile to identify the risks before implementing defensive measures,” Davidson asserts.
Preparing for the security landscape of tomorrow
If you have been paying attention to everything up till now, you know that the good IoT security that people like Davidson argue for is something proactive. This is punctuated by the advance in technology like AI, and even Quantum, that will make breaching systems easier for attackers, and harder to fight off by defenders.
“A 360-degree approach to IoT security has become vital,” responds Davidson. “This should include strategies and technologies to defend, detect and react to today’s threat landscape. Defence strategies involve preventing unauthorised access to devices, cloud infrastructure and data. In this, the interoperable, industry-wide SIM security standard IoT SAFE has a central role to play. Defence measures should also include secure communication, outage resilience, software updates, data security policies and compliance with market and industry regulations.”
Being prepared on your side is crucial, however, Davidson highlights how keeping an eye out on your surroundings can add additional layers: “Detection is equally important, to enable companies to monitor device behaviour, analyse network traffic and use analytics to spot potential breaches or anomalies. Should detection measures identify any red flags, companies must react using pre-planned countermeasures, some of which may be automated. Action can include quarantining and cleaning affected devices and applying corrective actions across all systems. Reporting breaches and anomalies also fall under reactive measures.”
And from shoring up defences, to keeping a look at the environment, there is no better way to respond to if a breach should enter your security domain by rehearsing. “There is no substitute for it. It prepares them to take swift action when they need to. As they have rehearsed the scenario, they know what it looks like and they have a plan ready to implement. Rehearsal can also help identify weak areas that, if addressed, could avert a problem occurring in the first place,” concludes Davidson.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.