Unmanaged and Unsecured: The State of IoT Security
August 16, 2021
Driven by increased adoption of smart sensors integrated into connected devices, the Internet of Things (IoT) market segment is projected to reach USD $1.5 trillion by 2027, according to a report (1) by Fortune Business Insights. There is a wide range of solutions in the market that can significantly improve business, personal, and health outcomes through enhanced automation, efficiency, and insights.
The most popular connected or “smart” devices in business and the home include WiFi routers and internet hubs, smart TVs, mobile card readers, inventory control systems/sensors, shipping trackers, supply-chain data monitoring systems, temperature and climate monitoring solutions, connected security cameras, smart locks, internet-connected AC controls/thermostats, health devices, cleaning appliances, and more. Many of these IoT devices are made and sold by the largest technology companies in the world and deployed by others in the retail, government, healthcare, manufacturing, transportation, IT, and telecom markets.
With the number of IoT devices forecast to triple from 8.74 billion in 2020 to more than 24.4 billion units by 2030, there will be a corresponding increase in the number of issues and vulnerabilities that cybercriminals can exploit. According to research performed by Forrester Consulting, the state of enterprise IoT security in North America is unmanaged and unsecured:
- 69% of enterprises have more IoT devices on their networks than computers.
- 84% of security professionals believe IoT devices are more vulnerable than computers.
- 67% of enterprises have experienced an IoT security incident.
- Only 16% of enterprise security managers say they have adequate visibility into the IoT devices in their environments.
- 93% of enterprises are planning to increase their spending on security for IoT and unmanaged devices.
Security is a critical element of IoT deployment, yet it is often neglected in the development process. It is imperative that IoT manufacturers come up with security practices to protect both proprietary edge device IP and customer data/privacy. Insufficient IoT device security exposes customers to the risk of a breach, which can lead to intellectual property theft, damage to a company’s brand, and loss of customer trust. With trillions of dollars on the line, there is an immediate need to secure devices across their entire lifecycle to help overcome complex cybersecurity challenges.
Still, organizations have been hesitant to address IoT security challenges. In enterprise environments, there is the risk of leaving operational technology (OT) environments unprotected against potential threats. The delay in securing these areas is often because manufacturers lack the resources and face a steep learning curve in implementing device security, while still being under pressure to release products on time.
Another problem with security in this space is the increasing number and diversity of IoT devices, which is creating complex management problems. As a result, device management platforms that assist in this area represent just over a third of the IoT market, along with network management and cloud platforms. However, not enough of that device management is being dedicated to deploying the best security practices.
Furthermore, device manufacturers often delay security initiatives because of their inability to secure devices across the entire product lifecycle, and at scale. This is because of the need to perform secure software updates and software patching at the edge, an area that new cyber-threats have targeted.
If manufacturers do not implement effective approaches to IoT device security, the government will likely step in to regulate the market as part of its consumer protection policies. One way for manufacturers to get ahead of the curve and implement security at the device level is through specialized technologies offering these capabilities.
A new wave of IoT security management solutions is being designed to address particular issues in industries where embedded security is paramount, protecting both user data and artificial intelligence (AI)/machine learning (ML) models at the edge. Security functions for encryption, storage, data transmission, and key/certificate management will be addressed in these platforms. As a result, IoT hardware manufacturers are currently moving in this direction to more easily implement device-level security by addressing all the technical, IP, supply chain, and business process challenges. Using IoT security management services and platforms means device developers can easily build their applications using secure resources without having to become experts in cryptography and complex hardware security technologies.
Organizations must be prepared to address the exposure and vulnerability associated with unmanaged IoT devices at the edge. With advisories cited in security frameworks from organizations such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS), a wide range of security functions must be in place to securely operate these devices as their adoption and deployment increase significantly over time. In the end, this will address the ability to respond immediately to threats, monitor devices, profile behaviors, and increase device visibility to better manage systems connected to the network.
Larry O’Connell is Vice President of Marketing at Sequitur Labs, Inc. He has more than 20 years of experience in product management, marketing and business development, primarily in Industrial IoT applications. Prior to Sequitur Labs, he led the Ethernet switch silicon product management and applications engineering teams at Vitesse Semiconductor and Microsemi Corporation (acquired by Microchip).