The Internet of Things (IoT) has today become one of the most popular – and probably the most touted – trends across both business and technology. It is set to transform the business landscape as we know it, as we expect there to be some 50 billion internet-connected things by 2030.
These will comprise dedicated-function objects such as refrigerators, connected cars and homes, and many more. It goes without saying that IoT will have a tremendous economic impact; transforming organisations into digital enterprises and enabling new business models, enhancing productivity and client experiences.
However, the ways in which enterprises can realise any benefits will be diverse and, in some cases, laborious, as IoT is introducing a gamut of security and privacy risks to the IoT eco system. To add to the challenge, IoT security is beyond the skillsets of traditional IT leaders, as it involves the management of physical devices, rather than purely virtual assets. Research by Gartner shows that in 2020, more than 25% of identified attacks in enterprises will involve IoT, yet the budget allocations on IoT security are insignificant today.
With IoT projected to provide an opportunity worth nearly $2.25 trillion by 2025, every organisation is jumping on this bandwagon to take advantage of this enormous potential and communication service providers will be at the forefront of this charge. However, very few organisations are focused towards implementing a holistic and an all-inclusive security framework for their IoT offerings.
The pressing need to secure IoT applications
During the infancy stages, IoT solutions managed to get away with making security an afterthought. Yet, that approach can no longer be accepted as IoT has now become part of the mainstream and making its way into mission-critical systems. To illustrate, incidents involving Trendnet’s SecurView camera, St. Jude’s cardiac device and Jeep Cherokee have demonstrated how successful IoT attacks can result in significant financial, reputational damage. In worse cases, they can be life threatening as well.
From a security perspective, a geographically distributed structure of IoT requires data communication: which typically has associated risks across the CIA triad (confidentiality, integrity and availability). The diversity of technologies enmeshed in an IoT system therefore has the potential of introducing a range of vulnerabilities.
To secure an end-to-end IoT system, it is necessary to grasp the vulnerabilities and exploits concomitant with individual components, as well as the whole system, including human elements. This requires a comprehension of the architecture of an IoT system, the functionality assumed by the components, the data, and the control flow across the systems involved.
It is impossible to make any IoT solution comprehensively secure. However, understanding the possible vulnerabilities across different layers and the corresponding threat vectors, coupled with adoption of best practices, can certainly strengthen the security position of IoT solutions.
Possible vulnerabilities and threat vectors
IoT systems tend to be intricate and heterogeneous; they include multiple tiers, technologies, deployment locations, device manufacturers, APIs and much more. From a security standpoint, end-to-end IoT systems have numerous vulnerabilities across different strata, encompassing multiple components that are each subjected to distinctive attacks.
There are myriad threat vectors, and so attacks can ensue with or without any human involvement. Also, the scale of the infection spread is very high and rapid in case of IoT, making the negative ramifications even more pronounced. For instance, there are several focused and evolving malwares exploiting the vulnerabilities across different levels of an IoT solution.
IoT is at an inflection point and expanding rapidly into mission-critical areas, especially with the imminence of 5G. Security and privacy concerns will be the biggest hindrances to IoT adoption and growth, and therefore enterprises must seek to implement robust security measures to alleviate these apprehensions. Additionally, governments must focus on driving unified standards/regulations for IoT security that don’t exist today, while those in academia must disseminate learnings to all the key stakeholders and increase research focus on IoT security.
To strengthen trust in IoT, all the stakeholders need to join together and dedicate themselves to making IoT security a mandatory aspect and a crucial point of integration into their operations.