Why IoT deployments can’t afford not to focus on security
More connections mean a larger target area for cybercriminals to attack but advances in connectivity, hardware and software security are equipping IoT organisations to fight back. The challenge is to balance investment in security with what the business case can stand, writes George Malim.

As IoT grows so do cyberattacks

As the number of IoT connections accelerates further into the billions, the volume and diversity of cyberattacks is also increasing, placing greater emphasis on security in IoT organisations’ minds as they assess not only the financial cost of breaches but also the impact of reputational damage. Research by security specialist, Kaspersky, has uncovered that more than 1.5 billion attacks have occurred against IoT devices in the first six months of 2021.

The firm’s telemetry data, which it draws from its honeypots that collect attack information, has shown that cyberattacks on IoT devices have increased by more than 100% since the previous half-year.

Are you investing too much or too little in IoT security?

This reveals that further improvements in understanding of potential threats facing IoT deployments are needed and stronger action to mitigate security weaknesses needs to be taken. However, investment in IoT security needs to be proportionate to the risk and there is a concern that investing too much in IoT security could hinder scalability in future or delay time-to-market now. Bluntly, IoT services need to have sufficient margin to ensure they can be provided securely. The scale and range of this challenge is well-understood and reflected by predictions of increased spending on IoT security from analyst firms. Research firm IoT Analytics projects a CAGR of 44% in spending on IoT security in the period 2017-2022.

A look at the IoT security market and spending

Technavio has also been monitoring the IoT security market and predicts it is poised to grow by US$80.94bn during 2020-2024, progressing at a CAGR of almost 37% during the forecast period. IoT Analytics’ latest update reports that spending on enterprise IoT solutions grew 12.1% in 2020 to US$128.9bn, with the COVID-19 pandemic having different impacts on different segments of the IoT market. For example, spending on IoT hardware grew 5.4% in 2020, while spending on IoT cloud and infrastructure services grew 34.7% in the same timeframe. Many hardware installations were postponed as travel came to a standstill and capital expenditure budgets were frozen.

Nevertheless, companies increased their spending on IoT security in 2020 by 40.3%. This sounds massive but is still just 3% of total enterprise spending on IoT solutions, as shown in Figure 1. The surge in high-profile security attacks led companies to increase spending in the areas of cyber and IoT security. IoT cybersecurity incidents that were visible in the media, such as hacks of Amazon’s Ring cameras in late 2019, led to increased awareness of the need for better protection of IoT devices.

Correspondingly, a recent survey by IoT Analytics found that an overwhelming 83% of information technology professionals implemented stronger cyber hygiene among employees during the pandemic and plan to continue prioritising the subject after COVID-19. Other areas that saw significant increases in spending include cloud infrastructure for IoT deployments and IoT software applications.

This level of spending will need to increase in order to address the proliferating number of threats, which are exacerbated by growing IoT device shipments. Internet of Things connections are expected to exceed 23 billion across all major IoT markets by 2026, according to ABI Research. The analyst firm’s ‘Device Authentication in IoT Technology’ report reveals almost all those connections will be faced with incessant and constantly evolving cyberthreats, forcing implementers and IoT vendors to embrace new types of security to protect managed fleets and connected assets. Secure device authentication is among the top-tier investment priorities for key IoT markets, the firm reports. It expects that hardware-focused IoT authentication services will reach US$8.4bn in revenues by 2026.

While these security gaps present a significant challenge for companies and end-users, they also represent a substantial opportunity for players in the IoT market, including IoT service providers, vendors, platform operators and information technology (IT)/operational technology (OT) security organisations. IoT organisations therefore need to prioritise addressing their greatest risks and find rapid and cost-effective ways to protect themselves and users.

What are the main IoT security threats?

The IoT skills gap means most organisations will turn to the IoT ecosystem to find ways to achieve more secure deployments that meet their cost and time constraints.

The main threats include:

• Lack of physical hardening of IoT devices
• Insecure data storage and transfer
• Weak passwords
• Insecure ecosystem interfaces
• Botnet attacks
• AI-based attacks
• Weak device management

Botnets, advanced persistent threats, distributed denial of service (DDoS) attacks, identity theft, data theft, man-in-the-middle attacks and social engineering attacks are the main crimes that target IoT, but this is not an exhaustive list. The steep growth in new IoT connections over the next five years, with increased digitisation and automation across many different industries, will see greater need for IoT security, but ABI Research points out that the amount of IoT security revenue does not always correlate with the number of IoT connections, and some markets are expected to experience disproportionate revenue.
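Several of the threat categories listed above (lack of physical hardening, insecure storage and transfer, weak passwords, weak device management) can be checked against a fleet inventory before a device ever ships. The following Python audit is an added example written for this article, not code from IoT Analytics, ABI Research or any vendor mentioned here; the device record layout, the finding codes, the default-credential set, the transport scheme names and all three sample devices are constructed for the illustration.

```python
"""Fleet audit against common IoT threat categories (added example).

Every record in SAMPLE_FLEET, the DEFAULT_CREDENTIALS set and the transport
scheme lists are constructed for this illustration; a real audit would load
the device inventory from the deployment's own management platform and the
vendor's published default credentials for each device model.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed factory-default pairs; extend from vendor documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Assumption: these scheme names are how this deployment labels its transports.
PLAINTEXT_TRANSPORTS = {"mqtt", "coap", "http"}
ENCRYPTED_TRANSPORTS = {"mqtts", "coaps", "https"}

MAX_FIRMWARE_AGE_DAYS = 180   # weak device management threshold (assumed policy)
MIN_PASSWORD_LEN = 12         # weak password threshold (assumed policy)


@dataclass
class Device:
    device_id: str
    username: str
    password: str
    transport: str            # scheme used to reach the broker or cloud endpoint
    storage_encrypted: bool   # credentials and data at rest encrypted on device
    firmware_age_days: int    # days since the last accepted firmware update
    debug_port_open: bool     # e.g. a serial/JTAG console left enabled in the field


def audit_device(d: Device) -> list[str]:
    """Return finding codes for one device; an empty list means no findings."""
    findings: list[str] = []
    # Weak passwords: default credentials first, then length policy.
    if (d.username, d.password) in DEFAULT_CREDENTIALS:
        findings.append("default-credential")
    elif len(d.password) < MIN_PASSWORD_LEN:
        findings.append("short-password")
    # Insecure data transfer: cleartext or unrecognised transport scheme.
    if d.transport in PLAINTEXT_TRANSPORTS:
        findings.append("plaintext-transport")
    elif d.transport not in ENCRYPTED_TRANSPORTS:
        findings.append("unknown-transport")
    # Insecure data storage.
    if not d.storage_encrypted:
        findings.append("unencrypted-storage")
    # Weak device management: no recent firmware update accepted.
    if d.firmware_age_days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("stale-firmware")
    # Lack of physical hardening: a debug interface reachable on the deployed unit.
    if d.debug_port_open:
        findings.append("debug-interface-exposed")
    return findings


def audit_fleet(devices: list[Device]) -> dict[str, list[str]]:
    """Map each device id to its finding codes."""
    return {d.device_id: audit_device(d) for d in devices}


def summarise(report: dict[str, list[str]]) -> dict[str, int]:
    """Count how many devices raised each finding code, for prioritisation."""
    counts: dict[str, int] = {}
    for findings in report.values():
        for code in findings:
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample inventory: one badly configured sensor, one clean sensor,
# one gateway with a short password and an overdue firmware update.
SAMPLE_FLEET = [
    Device("sensor-001", "admin", "admin", "mqtt", False, 400, True),
    Device("sensor-002", "svc", "Lb7!qz9Kw2mT", "mqtts", True, 30, False),
    Device("gateway-01", "ops", "short1", "https", True, 200, False),
]

if __name__ == "__main__":
    report = audit_fleet(SAMPLE_FLEET)
    for device_id, findings in report.items():
        print(device_id, ":", ", ".join(findings) or "no findings")
    print("summary:", summarise(report))
```

The summary counts are what a security lead would use to decide where the limited budget the article describes goes first: a fleet where "default-credential" dominates is fixed by a provisioning change, whereas "stale-firmware" across many devices points at the update channel itself.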

What is ‘Thin IoT’?

The increasingly rich functionality and capability that connected devices are assembling and are set to derive substantial value from increases the security risks. Transforma Insights has reported cloud and edge computing, machine learning, mobile private networks and 5G are just a few examples of richer functionality being applied to IoT and these are enabling enterprises to use IoT for more critical systems, with the consequent requirement for more sophisticated features and capabilities, and, of course, more robust security.

At the same time the firm says an almost contradictory trend is occurring. IoT technologies are being rapidly refined to support applications deployed in highly constrained environments. Large volumes of connections must cope with limitations on, for instance, access to power, physical and cost limitations on componentry, and geographical remoteness limiting availability of networks. Transforma Insights refers to these constraints as the five Ps: power, processing, place, price and proportions.

The key to overcoming these constraints is in delivering what Transforma Insights terms Thin IoT. This consists of deploying an optimum set of technologies across each of the five layers that make up a solution: device hardware, device software, networking, middleware, and edge computing and machine learning.

These include system-on-chip and chip-on-board hardware, embedded operating systems such as TinyOS and RIOT, networking technologies such as message queuing telemetry transport (MQTT), constrained application protocol (CoAP) and low power wide area (LPWA) technologies, thin middleware, and data processing techniques such as tiny machine learning (TinyML).

How iSIM and eSIM ensure IoT devices are secure

IoT device connectivity is becoming more secure, with the identity of the device better protected than it is with a traditional plastic SIM card. New SIM technologies such as embedded SIM (eSIM) and integrated SIM (iSIM) have the potential to offer improved security, but adoption is at an early stage and there are challenges to be addressed regarding secure key sharing between network operators.

The embedded universal integrated circuit card (eUICC) should remove the need for physical SIM sockets in devices, which can be a point of criminal ingress, and adds the capability to manage embedded or integrated SIMs remotely via remote SIM management systems. These systems or platforms provide users with a fully-tested means to provision secure connectivity and protect the device identity.

The physical machine form factor (MFF2) embedded SIM has been available since 2016, and remote SIM provisioning (RSP) had been possible for several years before that, finally being standardised in 2016. Since then, the integrated SIM (iSIM) arrived in 2018, moving the SIM functionality to a secure location on silicon alongside the application processor and radio, all implemented on the same system-on-a-chip hardware.

The challenges of IoT security going forward

With cybercrime increasingly professionalised and state actors targeting enterprises, IT security in general is a priority and IoT security in particular is being seen as an important subset of that.

Organisations now understand that the threat surface is radically enlarged by IoT devices and that the consequences of a breach can be catastrophic. The challenge is to secure IoT in a way that lower value applications can afford. Innovations such as eSIM and iSIM allow improved security to be installed at the point of manufacture and reduce the fraud and crime associated with localised configuration and traditional plastic SIMs.

However, there is still work to be done in defining how SIM security will be maintained and managed. Inevitably, secure connectivity enabled by secure SIM technology does not comprehensively address the security challenge. At every stage of the business chain, security must be prioritised to protect users, data and the enterprise.

However, as is typical with all technology, the point at which a secure architecture touches a human is often its weakest. IoT must therefore adopt the latest innovations in security to protect itself, but it must also focus on the fundamentals of strengthening passwords, controlling identity and access management, and addressing the easy wins of hardening IoT devices.

This article first appeared inside IoT Now magazine.