6 Factors That Raise the Stakes for IoT Security
Developments that exacerbate the risk and complicate making Internet of Things devices more secure.
February 10, 2020
The enterprise is finally coming to realize just how risky Internet of Things (IoT) devices are to their security postures. Whether it comes from unencrypted communication with devices, hard-coded passwords, vulnerability-ridden unmanaged devices, or insecure configurations, a huge flaw always seems to be lurking around the corner with regard to IoT deployments.
It's only natural for new-ish technology. IoT is following a common progression in security maturation that's happened so many times in everything from Wi-Fi to Web apps.
However, as IoT progresses, a number of factors add a greater depth to the IoT problem. Some up the ante considerably by putting way more at risk -- either in consequence or cost -- when an IoT device is compromised. Other factors expand the risk surface by exacerbating already extant vulnerabilities in the IoT ecosystem.
Either way, read on for some of the most common factors that raise the stakes for IoT and make the problem more acute within the enterprise.
The ubiquity of connectivity from IoT is a major pillar of digital transformation, into which enterprises are pouring billions of dollars in 2020 and beyond. In fact, IDC analysts are predicting $7.4 billion in spending over the next three years. Embedding IoT into industrial applications, into the supply chain via things like transport and product tracking, and into facilities through smart buildings sits at the spear tip of most early digital transformation investments.
This is going to create tons of new business opportunities, but at the same time embedding IoT into the most critical of physical infrastructure for business raises the stakes considerably for IoT security. This is not a new tech that can be turned on or off at will. It's part of the fabric of factories, facilities, and supply chains that businesses can't live without. What's more, it's tied to machinery that can cause serious injury or death in the event of malfunction or sabotage.
The architectural revolution of SD-WAN and 5G connectivity is meant to solve a lot of the performance issues wrapped up in the wide geographic distribution of IoT devices by directly connecting these devices to the Internet and sorting management out at the cloud application layer. While both SD-WAN and 5G introduce much-needed security in the form of encryption and the potential for better device management down the road, most enterprises are not yet architecturally equipped to centrally manage the security of such a vastly expanded edge.
Many organizations depend on backhauling traffic into the data center to give them the capability to inspect traffic from edge devices, which defeats the purpose of the SD-WAN and 5G revolution. This will cause considerable friction during what's likely to be a long transition period for large organizations.
Many CISOs are already well-aware of the dangers that insecure consumer IoT devices pose to the enterprise. Whether it's insecure smart home devices on remote workers' home office networks or consumer-class IoT devices -- such as smart TVs in conference rooms -- making it onto corporate networks, these devices widen the risk surface on so many levels. The difficulty for those setting policy for consumer IoT devices is that the acceptability of approved devices can change drastically and rapidly.
That's because of the relatively short half-life of vendor support for consumer IoT devices, many of which people traditionally hang onto for long periods of time. The backlash over speaker vendor Sonos' recent announcement that it would be dropping support for many of its older popular speakers offers a glimpse into this dynamic.
Not only is the IoT market highly fragmented, but the underlying standards for devices, network protocols, data storage, and security move faster than the tenure of an enterprise SOC analyst. In the last half-decade we've seen the popularity of dozens of standards ebb and flow. According to a count last year, there are more than 90 different IoT standards across eight categories, developed by 26 organizations and alliances.
This makes it extremely difficult to set security policies and frameworks in the enterprise setting. Architects and policy makers simply cannot keep up with the dynamic situation. Not only that, but when a really promising standard starts to arise, it inevitably gets poked and prodded by security researchers. They uncover cracks that can be fixed -- but only if organizations stick with the standard long enough to see those fixes bear fruit.
The recent alarm bells raised by IOActive researchers over LoRaWAN should offer a test case for this. This fast-growing protocol has some serious vulnerabilities in how keys are protected. The question is whether organizations will commit to LoRaWAN and its security long enough to heed researchers' advice on the matter.
The healthcare industry is embracing IoT in a big way, drawn to the positive clinical results and increased profitability afforded by connected implants, health-tracking wearables, clinical diagnostic devices, and more. However, the second that a connected device is tied to a human body in any way whatsoever, the risk dimensions of IoT enter a completely different plane.
Even something as simple as a ransomware attack can become a life-threatening episode when IoT is paired with the human body. This demands a much higher degree of responsibility, accountability, and due diligence from both vendors and health technologists as the connection between IoT and healthcare expands -- more so than ever before in healthcare IT.
All of the IoT risk factors, as well as the fast-and-loose way in which IoT has been deployed to date, are increasingly drawing the attention of lawmakers and regulators. Many technology pundits and government watchers believe 2020 will be the year in which IoT security regulations start roaring onto the scene. That means compliance around IoT will soon raise the stakes for enterprise IoT security.
Most recent developments have occurred in the UK, where a new law drafted in January started to work its way through government machinery. The law is going to require that consumer IoT devices come with default unique passwords; that vendors have a way they can receive vulnerability findings from the public; and that vendors explicitly state how long they'll support devices with security updates after they've been purchased.