Unleashing the Potential of the Internet of Things and Cybersecurity


The rapid evolution of technology has brought about significant changes in the way business is conducted worldwide. The Internet of Things (IoT), in particular, has been transformative, enabling data-driven decision-making, enhancing efficiency, and streamlining operations to keep up with the demands of a competitive global marketplace.


IoT: A Convergence of Physical and Digital Realms

At its core, IoT represents the intersection of the physical and digital realms, encompassing a wide range of devices, sensors, and systems. Through internet connectivity, these elements work together seamlessly, providing enhanced experiences for businesses.


So far, security professionals have extensively discussed the various applications and uses of IoT and mutually agreed upon the importance of IoT security. However, have we truly grasped the bigger picture? To unlock the full potential of IoT as a fully interconnected ecosystem, cybersecurity and IoT must be deeply intertwined and synonymous.


Many experts believe that IoT is currently at a crucial juncture. On one side lies the singular value that IoT brings through isolated clusters, while on the other side lies the potential to achieve its true power as a far-reaching, interconnected IoT ecosystem. The question remains: which path will IoT take? I believe the answer lies in finding a balance between trust and IoT functionality, with cybersecurity risks serving as the central obstacle impeding the successful integration of these two domains.


If this symbiotic partnership were to occur, it would mark a monumental breakthrough across industries, revolutionizing key sectors such as manufacturing, banking, healthcare, logistics, and the supply chain. However, the current IoT and cybersecurity landscape is fragmented, presenting significant obstacles that must be overcome to achieve this transformative vision.


Embracing IoT: Challenges and Opportunities

While IoT continues its expansion across various industry verticals, it has not achieved the anticipated scale of growth. The ultimate goal is to seamlessly transition devices and their capabilities from the physical environment to an identified, trusted, and authenticated digital realm.


The increasing complexity and interconnectedness of IoT devices present numerous opportunities for vendors and contractors in the supply chain. However, they also introduce the risk of catastrophic vulnerabilities and consequences for businesses. The SolarWinds supply chain breach serves as a stark reminder of this reality, highlighting the heightened risk profile associated with IoT compared to enterprise IT systems. Cyberattacks targeting IoT can compromise the control of physical operations, offering substantial gains for attackers.


Conventional security approaches in the IoT realm do not adequately support secure and seamless transmission of information, data, or functionality. This necessitates the early-stage integration of cybersecurity considerations into the design and pilot phase of IoT architectures.


A recent report on IoT buyers revealed that today's IoT solutions lack robust multi-layered security measures. The resulting vulnerabilities must then be closed with over-the-air updates and patches, which are themselves unreliable. In comparison to enterprise IT, IoT solution design lags behind in security assurance, testing, and verification.


Interoperability poses another challenge that solution providers must overcome alongside integrating cybersecurity measures in the early stages of IoT implementation. Consequently, it is not surprising that solution providers have significantly underestimated the importance of IoT trust and cybersecurity, often subscribing to a mentality of "building first and addressing cybersecurity later." However, this approach hinders the widespread adoption of IoT. It is not the value or potential of IoT that industries doubt, but rather the cost and risks associated with implementing an IoT system that lacks genuine trustworthiness and security.


From Silos to Collective Decision-Making


So, where does this leave us? This IoT conundrum reminds me of a time when security operations (SecOps) and application development (DevOps) also worked independently from one another in silos. These two teams were not solving security problems collectively, nor sharing the information and decision-making needed to make the software development life cycle (SDLC) an integral consideration in security decision-making. Rather, security was an afterthought that was often disregarded.


To address cybersecurity concerns, a unified decision-making structure was created between the application development and design teams and cyber security operations, establishing the mindset required to influence security for enterprise applications. These teams now make security decisions alongside application development and design. IoT and cyber security teams must make the same collaborative leap to gain the same long-term advantage and reward.


Some reports estimate that by 2030 the IoT suppliers' market will reach approximately $500 billion. In a scenario in which cyber security is completely managed, some reports indicate that executives would increase IoT spending by an average of 20 to 40 percent. Moreover, an additional five to ten percentage points of value for IoT suppliers could be unlocked from new and emerging use cases. This implies that the combined total addressable market (TAM) across industries for IoT suppliers could reach $625 billion to $750 billion.


Addressing Critical Factors to IoT Market Adoption


IoT adoption has accelerated in recent years, shifting from millions of siloed IoT clusters made up of a collection of interacting, smart devices to a fully interconnected IoT environment. This shift is happening within industry verticals and across industry boundaries. By 2025, the IoT suppliers' market is expected to reach $300 billion, with an 8 percent CAGR from 2020 to 2025 and an 11 percent CAGR from 2025 to 2030.


The future adoption of the IoT relies upon the secure and safe exchange of information within a trusted and autonomous environment, one in which interconnected devices communicate across unrelated operating systems, networks, and platforms. Such an environment lets designers and engineers create powerful IoT solutions while security operations ensures a secure and seamless end-user experience.


This will help to address critical factors such as:


Security Concerns: Security is a significant issue in IoT, as the many interconnected devices create more potential entry points for attackers. Concerns about data breaches, the privacy and confidentiality of data, and the potential for cyberattacks are significant barriers that must be addressed.


Privacy Concerns: IoT devices often collect and transmit vast amounts of personal data. Concerns about the privacy of this data, as well as how it is used and who has access to it, can inhibit adoption. Data protection regulations like GDPR in the European Union and various privacy laws globally also play a role in shaping IoT adoption.


Interoperability: IoT devices come from various manufacturers and may use different communication protocols and standards. Achieving interoperability between these devices is a challenge, making it difficult for organizations to build comprehensive, cross-compatible IoT systems that are secure.


Lack of Standards: The absence of universally accepted standards in the IoT industry can hinder compatibility and create confusion for businesses and their supply chain partners. Efforts to establish common IoT standards across the IoT value chain would bolster its adoption.


Data Management: IoT generates massive amounts of data, which can be overwhelming for organizations. Managing, storing, and analyzing this data is a challenge, and many organizations lack the infrastructure and security expertise needed to maintain this data and keep it safe from potential security threats.


Regulatory Hurdles: Regulatory environments can vary significantly from one region or country to another, making it challenging for companies to navigate and comply with the various laws and regulations related to IoT. Ensuring that the safe transmission and exchange of data between IoT devices complies with these regulations will be just as important as the security infrastructure required to do so.


In a recent survey conducted across all industries, cyber security deficiencies were identified as a significant hindrance to the adoption of IoT, with cyber security risks ranking as the foremost concern. Among the respondents, 40 percent indicated their intention to increase their IoT budget and deployment by at least 25 percent once cyber security concerns were adequately addressed.


It is important to note that specific cyber security risks vary across industries, depending on the particular use case. For instance, in the healthcare sector, cyber security encompasses virtual care and remote patient monitoring, where safeguarding data confidentiality and availability takes precedence. In the banking industry, with the rising use of APIs to meet the growing demand for financial services, emphasis is placed on privacy and confidentiality due to the storage of personally identifiable information (PII) and the reliance on data integrity for contactless payments.


The year 2021 saw growth of over 10 percent in the number of interconnected IoT devices, which has in turn increased exposure to cyberattacks, data breaches, and a general erosion of trust. Security professionals recognize that both the frequency and severity of IoT-related cyberattacks will escalate without effective IoT cybersecurity programs. In the absence of these programs, many organizations find themselves trapped in a localized production environment where risks are amplified, hindering deployment.


It is worth noting that IoT cyber security solution providers often treat cyber security as a separate element from IoT design and development, assessing security risks only during deployment. Consequently, they have relied on add-on solutions rather than integrating security measures as an integral part of the IoT design process.


To rectify this approach, one strategy is to incorporate the five core functions outlined by the National Institute of Standards and Technology (NIST):


1. Identification of Risks: Establish a comprehensive understanding within the organization to manage cyber security risks to systems, assets, data, and capabilities.

2. Protection Against Attacks: Develop and implement appropriate safeguards to ensure the uninterrupted delivery of critical infrastructure services.

3. Detection of Breaches: Implement activities that enable the timely identification of cyber security events.

4. Response to Attacks: Engage in activities that promptly address detected cyber security incidents.

5. Recovery from Attacks: Establish procedures to maintain resilience plans and restore impaired capabilities or services resulting from a cyber security incident.


To integrate cyber security effectively into IoT design and development, several mitigating actions can be considered:


1. Penetration Testing: Conduct penetration testing early in the design stage and again later in the design process to identify potential security gaps along the entire IoT value chain. By embedding security measures this early, weaknesses can be mitigated during the production stage: software design flaws are identified and rectified, ensuring compliance with the latest security regulations and certifications.


2. Automated Testing and Human-delivered Testing: As the aspiration to embed security into IoT design practices gains momentum, leading to IoT-specific certification and standards, people may ultimately develop trust in IoT devices, authorizing machines to operate autonomously. Given the diverse regulatory requirements across different industrial sectors, ensuring IoT cyber security will likely require a combination of traditional and human-delivered tools, as well as security-centric product design.


3. Attack Surface Management (ASM): ASM approaches IoT by identifying exposed IoT assets and their associated vulnerabilities, and from these the actual cyber risks. This process allows assets to be inventoried and prioritized by their exposure risk. Mitigating the weaknesses of the highest-risk assets minimizes the likelihood of incidents.
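The prioritization step above is easy to state and easy to get wrong: an inventory that ranks devices only by how critical they are will put an isolated PLC at the top, while the internet-facing camera with a vendor patch sitting unapplied is the asset an attacker can actually reach. The script below is an added illustration of that exposure-driven ranking; it is not BreachLock's ASM product or code. The device records, the service list and the scoring weights are all constructed assumptions for the example, not a published standard.

```python
"""Toy attack-surface inventory and prioritization for IoT assets.

Added illustration, not BreachLock's ASM product or code. The asset
records and the scoring weights below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class IoTAsset:
    name: str
    internet_exposed: bool     # reachable from outside the plant/office network
    open_services: List[str]   # network services listening on the device
    known_vulns: int           # count of published, unpatched vulnerabilities
    patch_available: bool      # a vendor firmware fix exists but is not applied
    criticality: int           # 1 (low) .. 5 (controls a physical process)


# Constructed weights: assumptions for this example, not a standard.
EXPOSURE_WEIGHT = {True: 3, False: 1}
RISKY_SERVICES = {"telnet", "ftp", "http"}   # plaintext / legacy management


def exposure_score(asset: IoTAsset) -> int:
    """Higher score = reachable by more parties, with more ways in, on a device
    whose compromise matters more. Findings that already have a vendor patch
    get a bonus because they are the cheapest risk to remove."""
    reach = EXPOSURE_WEIGHT[asset.internet_exposed]
    ways_in = 1 + asset.known_vulns + sum(
        1 for s in asset.open_services if s in RISKY_SERVICES
    )
    score = reach * ways_in * asset.criticality
    if asset.known_vulns and asset.patch_available:
        score += 5
    return score


def prioritize(inventory: List[IoTAsset]) -> List[Tuple[str, int]]:
    """Return (name, score) pairs, highest risk first; ties broken by name."""
    ranked = sorted(inventory, key=lambda a: (-exposure_score(a), a.name))
    return [(a.name, exposure_score(a)) for a in ranked]


def quick_wins(inventory: List[IoTAsset]) -> List[str]:
    """Assets where a vendor patch already exists: the cheapest surface reduction."""
    return sorted(a.name for a in inventory if a.known_vulns and a.patch_available)


# Constructed sample inventory (hypothetical devices and attributes).
SAMPLE_INVENTORY = [
    IoTAsset("plc-line-3", False, ["modbus"], 0, False, 5),
    IoTAsset("ip-camera-lobby", True, ["http", "rtsp", "telnet"], 2, True, 2),
    IoTAsset("hvac-controller", True, ["https"], 1, False, 4),
    IoTAsset("badge-reader-7", False, ["https"], 1, True, 3),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_INVENTORY):
        print(f"{score:4d}  {name}")
    print("patch first:", ", ".join(quick_wins(SAMPLE_INVENTORY)))
```

Run stand-alone, the camera ranks first (score 35) and the PLC last (score 5) despite the PLC having the highest criticality, which is the point: the ranking multiplies reachability and ways in by criticality rather than looking at any one of them alone. The `quick_wins` list separates the "patch exists, apply it" cases from assets that need compensating controls, which is the distinction an ASM workflow needs before it can say what to fix first.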


4. Holistic CIA Approach: Historically, cyber security for enterprises has primarily concentrated on confidentiality and integrity, while operational technology (OT) has focused on availability. However, given that cyber security risks for IoT encompass both digital and physical security aspects, it is crucial to adopt a more comprehensive approach that addresses the entire confidentiality, integrity, and availability (CIA) framework. The cyber risk framework for IoT should aim to achieve six key outcomes: data privacy and access under confidentiality, reliability and compliance under integrity, and uptime and resilience under availability.


There is a strong realization that IoT and cybersecurity must converge to drive security measures and testing in earlier stages of IoT design, development, and deployment. Integrated cybersecurity solutions across the tech stack are already offering IoT vulnerability identification, IoT asset cyber risk exposure and management, and analytic platforms to prioritize and address security weaknesses. However, the complexity of the IoT, with its different verticals, systems, standards, regulations, and use cases, poses challenges for security solution providers in building holistic solutions for both cybersecurity and the IoT.


Further convergence and innovation are undoubtedly necessary to tackle IoT cybersecurity challenges and resolve pain points among security and IoT teams, as well as internal stakeholders who struggle to strike a balance between performance and security. 


Cybersecurity serves as the bridge to integrate trust, security, and functionality, unlocking the value of an interconnected environment and accelerating IoT adoption. It is crucial for decision-making in the IoT and cybersecurity to converge, with industry-specific architectural security solutions being implemented at the design stage as a standard practice. By merging the fragmented pieces of the IoT model, we can prioritize cyber risk and create a powerful, more secure, and efficient interconnected world.


About BreachLock:

BreachLock is a global leader in PTaaS (Penetration Testing as a Service) and penetration testing services, as well as Attack Surface Management (ASM). BreachLock provides integrated solutions on a standardized built-in framework, combining automated, AI-powered capabilities with human expertise. This enables consistent and regular benchmarks of attack tactics, techniques, and procedures (TTPs), security controls, and processes, leading to enhanced predictability, consistency, and real-time accurate results.


Note: This article was expertly written by Ann Chesbrough, Vice President of Product Marketing at BreachLock, Inc.