Security and data privacy spending for the Internet of Things (IoT) will increase this year to $348 million, according to Gartner. Why and how are companies upping their IoT security investments? Here’s a look.
As industry interest in IoT grows, there’s no question that security has now become a major part of the IoT conversation. “IoT security has gone from being the No. 2 to the No. 1 barrier to IoT adoption,” says analyst Christian Renaud of 451 Research.
One of the biggest issues is that traditional security strategies don’t necessarily work for IoT devices, due to hardware constraints. For example, as Juniper employee Aditya Chaturvedi explained in a recent blog post, authenticating devices via cryptographic certificates, a technique widely used for applications on the Web, is not feasible for all IoT devices — because some lack the storage capacity and power to handle certificates.
“Certificates can run thousands of bytes long, multiple of them in a certificate chain, and require complex cryptographic processing,” Chaturvedi wrote. “IoT devices on a limited power budget, think battery operated sensors, can hardly afford such processing load.”
That doesn’t mean traditional authentication methods can’t be adapted to meet the needs of resource-poor IoT hardware, however. Chaturvedi suggested that IoT security solutions might build upon the foundation developed for authentication on cellular networks, which use pre-shared keys (PSKs) to authenticate automatically to an operator’s network, instead of using resource-hungry certificates. But IoT-specific solutions for this task, such as 3GPP specification 33.863, remain under development.
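The pre-shared-key approach described above can be sketched as a challenge-response exchange. This is an added example, not code from Chaturvedi's post or from any 3GPP specification; the device identifier, key store and message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes; size assumed for this sketch


class Verifier:
    """Network side: holds each device's pre-shared key."""
    def __init__(self, keys):
        self._keys = keys      # device_id -> PSK
        self._pending = {}     # device_id -> outstanding nonce

    def challenge(self, device_id):
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, tag):
        # pop() makes each nonce single-use, so a captured response cannot be replayed
        nonce = self._pending.pop(device_id, None)
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, device_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def device_response(psk, device_id, nonce):
    """Device side: one HMAC-SHA256 computation, no public-key operations."""
    return hmac.new(psk, device_id + nonce, hashlib.sha256).digest()


def run_exchange():
    device_id = b"sensor-0001"      # hypothetical identifier
    psk = secrets.token_bytes(32)   # constructed sample key
    verifier = Verifier({device_id: psk})
    nonce = verifier.challenge(device_id)
    tag = device_response(psk, device_id, nonce)
    wire_bytes = len(device_id) + len(nonce) + len(tag)
    accepted = verifier.verify(device_id, tag)
    replayed = verifier.verify(device_id, tag)  # nonce already consumed
    nonce2 = verifier.challenge(device_id)
    bad_tag = device_response(b"\x00" * 32, device_id, nonce2)
    wrong_key = verifier.verify(device_id, bad_tag)
    return accepted, replayed, wrong_key, wire_bytes


if __name__ == "__main__":
    print(run_exchange())
```

The whole exchange is 59 bytes here, against the "thousands of bytes" Chaturvedi cites for a certificate chain. The cost is that every device key has to be provisioned in advance and stored by the verifier.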
Enter the Blockchain
Less orthodox ideas for IoT authentication exist, too. In a report shared with SDxCentral, analysts from 451 Research pointed to the blockchain, the technology behind anonymous payment systems like Bitcoin, as a possible IoT security option. That’s because blockchain systems show that “confidence can be implemented by a virtually open-ended number of participants in a system with little or no reliance on centralized measures,” according to the report.
In other words, the blockchain can verify transactions between IoT devices by making the transactions public and using the consensus of the network as a whole to determine which transactions are valid. That approach eliminates the need for establishing centralized trust relationships between devices using certificates or other resource-intensive methods.
According to an IBM report, projects like Ethereum are already working to leverage the blockchain as a way for devices in the IoT to verify transactions. IBM calls blockchain technology “quite revolutionary” as an IoT security tool.
“In our vision of a decentralized IoT, the blockchain is the framework facilitating transaction processing and coordination among interacting devices,” IBM reports. “Each manages its own roles and behavior, resulting in an ‘Internet of Decentralized, Autonomous Things’ — and thus the democratization of the digital world.”
Alongside authentication, another major challenge for IoT security derives from the fact that the privacy stakes are often higher, since IoT data can be especially sensitive. For example, a Wind River white paper points out that an Internet-connected smart meter, which collects information about energy usage and uploads it to a utility company’s server, produces data that criminals could seriously abuse. “Information that power usage has dropped could indicate that a home is empty, making it an ideal target for a burglary or worse,” the company warns.
Chaturvedi made a similar point using the example of IoT sensors on a dam. “Just consider the criticality of the source and authenticity of water and stress level readings from a river dam,” he wrote.
How IoT Can Add Security
In the face of data privacy scenarios such as these, the obvious answer may seem to be to minimize the amount of data that organizations place on the IoT in the first place, in order to mitigate risk. Yet companies in certain industries are now taking the opposite approach — increasing their reliance on IoT devices in an effort to make data more secure, according to Renaud.
“IoT can remedy security problems,” Renaud tells SDxCentral. “It’s not always a downside.”
Renaud says that IoT adoption can prove especially helpful for businesses in industries like healthcare that seek to monitor data security more effectively. He pointed to platforms such as Bastille, a startup that secured $9 million in funding last year, as an innovation for IoT security in this context. Bastille and similar tools seek to identify anomalies through analysis of IoT network data that could signal security problems, in much the same way that programs such as Snort have done for years on traditional networks.
Yet Renaud cautions that this does not mean all types of businesses are equally equipped to handle IoT security challenges. In industries such as retail, where automated sensors and technically skilled employees are less common than in healthcare and utilities, security skills need to grow before visions such as Accenture’s IoT-powered grocery store become widespread realities.
The varying approaches and sophistication of IoT security options within different sectors of the economy drive home another important consideration: IoT is a hugely diverse ecosystem. It has many layers and involves a wide variety of devices and network technologies. As a result, there is no one-size-fits-all solution to IoT security.
“There’s no such thing as horizontal IoT security,” Renaud says. “Endpoint security on a 200-ton tractor that is remotely operated is very different from securing a traffic light.”
But for organizations that currently lack compelling solutions for their IoT security needs, new answers are on the way, as security providers familiar with traditional networking pair their expertise with operations technology companies, which have deep experience in securing physical devices.
“We’re in a healthy cross-pollination stage now,” says Renaud.