IoT security: mapping the obstacles

by Yvhan Smal - Junior Security Engineer

As the Internet of Things (IoT) is quickly gaining ground in important industry sectors such as energy, utilities, transportation and manufacturing, security is becoming more and more of an issue, especially since IoT-based cyberattacks are already a painful reality in today’s industrial world. According to Gartner, one in five organizations suffered at least one such attack between 2015 and 2018.

To protect against those cyberthreats, worldwide spending on IoT security has already increased from nearly 1 billion USD in 2016 to slightly more than 1.5 billion USD last year. This year, it is expected to approach the 2 billion USD mark. Gartner is forecasting further spending growth to almost 2.5 billion USD in 2020, surpassing the 3 billion USD mark in 2021. By that time, regulatory compliance will have become the main driver in the adoption of IoT security technologies. (You can read more about this in a previous blog post on Industrial Cybersecurity 4.0.)

Meanwhile, the main growth driver for IoT security remains the need for security managers to understand what is actually happening in their company’s increasingly complex operational environment and where to focus their attention. As a result, Gartner expects to see a strong demand for tools and services aimed at improving discovery and asset management, security assessment and penetration testing.

IoT security considerations.

These tools and services are all the more necessary, as the Industrial Internet of Things (IIoT) or Industry 4.0 shows itself to be a highly complex ecosystem. It involves a wide range of aspects: from the actual IoT devices, such as connected medical devices, to the necessary communications infrastructure and interfaces, not forgetting the people that have to work within this demanding new environment. All these different aspects need to be carefully managed – from a security perspective as well.

To complicate matters even further, the majority of IoT devices are so-called constrained devices, in that they have limited capabilities when it comes to processing, memory and power. As a result, advanced security controls cannot be applied to them effectively, which puts the devices – and the environment on which they rely – at risk, as the CIA triad (confidentiality, integrity and availability) can hardly be assured.

And while we’re at it, here’s another IoT security challenge for security managers to take into consideration: the inability to easily upgrade or patch IoT devices. Though the typical advice for avoiding cyberattacks continues to be ‘Install the latest patch’, applying systematic security updates to IoT devices is simply not realistic in, for example, an industrial setting, as it can easily jeopardise the stability of the industrial machines. Also, these devices are usually spread across a fairly large environment and not all of them can support over-the-air updates, meaning they must be physically accessed to be updated.

IoT security standards.

Finally, there is also the issue of standardisation, which is key to achieving true interoperability between devices and applications. Unfortunately, as Gartner also points out, technical standards for specific IoT security components in the industry are only just starting to be addressed across established IT security standards bodies, consortium organizations and vendor alliances. As a result, there aren’t that many standards in this security field yet, apart from ETSI TS 103 645. And that first globally applicable standard for consumer IoT security was only launched last February by the ETSI Technical Committee on Cybersecurity (TC CYBER).

Having mapped the main obstacles in the field of IoT security, we will present you with some recommendations and best practices in our next blog post.