The Internet of Things (IoT) brings with it myriad opportunities and benefits across a range of industries — manufacturing, retail, telco, healthcare, to name a few. Eighty-five percent of businesses plan to implement IoT by 2019, according to an HPE Aruba study.
But with this technology, and the 20 billion to 50 billion connected IoT devices expected by 2020, comes massive security challenges. “Get them wrong and it could be the end of the business…really,” wrote John Moor, IoT Security Foundation managing director, in a white paper.
Any of these Internet-connected things, from warehouse equipment to electricity grids, can potentially be hacked. This can lead to lost revenue, bad press, reputation damage, and, in the case of some IoT security concerns, human injury and death.
For these reasons, IoT security is top-of-mind for chief information security officers (CISOs) and security analysts, according to the new Verizon Data Breach Investigations Report.
IT executives often chose IoT security products and services based more on provider reputation and product quality rather than focusing on cost as a primary decision driver, according to consulting firm Altman Vilandrie & Company. In its recent survey 48 percent of respondents listed brand and vendor reputation as the most important factor, compared to only 16 percent that listed price as a top concern.
“The two most important decision-making criteria were brand and reputation, and product quality,” said Altman Vilandrie & Company Principal Ryan Dean, who co-directed the survey. “To me, that means established security players, if they can develop products that complement their services, that could put them in a very good position [in the IoT security sector]. For startups, it’s a bigger hurdle.”
IoT Security: ‘It’s a Cyber-Physical’ Challenge
“One of the trends that we’re seeing is this idea that companies as a whole are trying to learn how to embrace the changes that this concept of IoT and securing is bringing to their traditional organization,” said Gartner analyst Earl Perkins. “We’re seeing across the board people trying to incorporate it into their IT thinking, and they are having some challenges in that regards because it’s not all about information, it’s not all about software. The problem with the whole concept of IoT is that it’s a cyber-physical issue. It includes software but it also includes the changes of state that the software induces in the physical environment.”
Perkins said the technologies involved in securing IoT devices and networks roughly fall into three groupings: discovery and profiling management, identity and access, and smart detection response and analytics.
“There are products that say, ‘I bet you don’t even know what’s out there, do you? I’ve got a tool to reach across networks and I will find them for you, paint them on a screen, visualize them for you. I will profile them, figure out their attributes, and what are the things you need to know about this device to secure it.”
“Identity and access takes it a step further,” Perkins said. Identity-based security controls access to a digital product or location based on the authenticated identity of an individual or device. Access control restricts who or what can enter or use a device, or access a network. It limits access to authorized users.
“This lets you manage it like you manage traditional access and identity today,” Perkins said.
For this reason, traditional security vendors like ForgeRock, a digital identity and access management firm, and network access control suppliers like HPE Aruba and Cisco remain prominent vendors for these types of IoT security products.
Late last month Cisco jumped on the IoT security train with its IoT Threat Defense cyber security architecture. This isn’t a new product, but rather a bunch of Cisco’s existing security services and software bundled together to target IoT security.
“But then you also have startups looking at areas related to things like [IoT solutions for] key management: Digicert, for example,” Perkins said.
Third up is smart detection. “Now I’m trying to detect anomalies, then I’m able to do some type of response and analysis in real time or after it occurs,” Perkins said. “These are products based on behavioral analysis and some machine learning involved.”
Startups in this sector include SparkCognition, Darklight, and Darktrace, as well as older anomaly detection vendors.
IoT Network, Edge Security
“What’s going on right now is enterprises are extending the existing security infrastructure or security components they have already invested in to address early IoT issues,” said IDC analyst Robert Westervelt who co-authored a new forecast that said the worldwide market for IoT security product will grow from $11.2 billion in 2017 to $21.2 billion by 2021. “Some of the issues, depending on the industry and use case, are surely embedded system security. And so that’s why we think those two segments — device and sensor, and network and edge — are going to have the most growth over the next five years.”
IoT security risks vary by industry. Healthcare organizations, for example, are using IoT patient monitoring tools that rely on sensors, which collect patient health data, and then transfer this data to the cloud so a physician can analyze it.
The sensor itself presents a security risk. So do the cloud-based services, which create risks associated with data collection and access to patient information.
Andy Smith, senior director of product development for Oracle’s security portfolio, said in some ways IoT security is similar to mobile device security.
“It’s the same kind of approach that you take in identity and device management: how do I provision trust to that device? And once I trust that device, every time it accesses the network, I need to authenticate that device,” Smith said. “IoT security very much strongly builds on core identity management technologies and fundamentals.”