Industry analysis: Does IoT security still have further to go?

This year marked the fifth annual Internet of Things Day, where creators, experts and users come together to celebrate the revolution that is the IoT.

However, the security of these devices – or lack thereof – casts a dark shadow over the continued success of the IoT. Who does the responsibility fall to, and what solutions are there, in order to ensure that connected devices do not leave us at risk?

We have gathered insight from industry experts, who share their views on what they believe is the solution – if, indeed, there is one – to the ongoing struggle to secure the IoT.

Identity in the IoT – Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock:

"The Internet of Things has come a long way in the five years since the first IoT Day in 2011. There is much to celebrate, of course – the creation of connected devices has enhanced our lives at home, at work and even on a city-wide scale. However, as exciting as this concept is, the sheer volume of IoT devices has created a vast attack vector, and one that is growing at an unprecedented rate. According to industry analyst firm Gartner, 25 billion connected things will be in use by 2020. That’s more than five times the number of IoT devices in use in 2015.

"Of course, a network this big is bound to attract attention from malicious parties. Sure enough, if you type the words ‘IoT’ and ‘hack’ into Google, you’ll find thousands of examples of attacks on connected devices.

"So how can we combat the threat? Identity management solutions are key to securing the IoT, because they provide a means to understand where these threats are coming from. If a connected device can be identified, it becomes that much easier to confirm that the data it is generating is genuine and can be trusted. And importantly, giving every connected object a validated identity makes it possible to automatically prevent malicious actors from accessing and controlling the devices."

Avoid IoT security shortcuts – Thomas Fischer, Principal Threat Researcher at Digital Guardian:

“In the race to be first to market with a new IoT device, organisations are overlooking basic security principles and are putting users at risk. You don't have to look far for examples of how this could potentially occur. Take a well-established IoT technology such as smart home meters. If criminals were able to access the network these devices communicate through, they could quickly establish usage patterns to monitor when the house is or isn't occupied and plan a break-in accordingly.

“The time and cost pressures on competing firms to get their latest product to market first are one of the major contributors towards security flaws. These devices are often produced with simplified hardware in order to keep costs down, but this means that they lack basic principles of integrity and failover. Often the more simple and user-friendly these devices become, the less secure they are.

“Companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there's a much higher chance mistakes will be made and vulnerabilities missed. It is critical that organisations developing IoT technologies – and even those selling them – ensure these products have been developed, built and sold with security in mind.”

A problem of scale – Klaus Gheri, VP & GM Network Security at Barracuda Networks:

“One of the biggest challenges for organisations is making sure that all the data gathered by IoT sensors is fed back to a central location without being eavesdropped, intercepted or modified at all. One of the barriers to securing the IoT is simply that there’s not a ‘one size fits all’ solution. Many of the current IoT security solutions available today are so unwieldy or expensive that it is simply not feasible for businesses to implement them on a large scale.

“When the size of the IoT network goes into the thousands, deploying both the device and a security solution for it becomes a logistical challenge – how do you deploy the equipment? How do you manage its lifecycle? How do you implement security policies? Once you remove these barriers, businesses are far more willing to embrace IoT and do more about security.

“Any tool designed to provide secure, scalable connectivity for the IoT has to be relatively small, inexpensive, lightweight and mountable. It also needs to be easy to ship in large numbers and easy enough to implement and manage so that organisations don’t need to hire a whole new team of security or IT specialists.”

Operating in the cyber security stone age – Richard Beck, Head of Cyber Security at QA:

"When it comes to securing the IoT, we’re operating in the equivalent of the cyber security stone age. The security and privacy implications around the growing connectivity of devices are well-documented – an ever increasing attack surface, ever more sophisticated cyber criminals and users’ acceptance that technology will permeate every aspect of their lives.

"As it stands today, from a security and privacy perspective, the IoT is broken. There is no quick fix and we’re operating with an element of risk. What’s the answer? Technology has a role to play for sure. At the very least those organisations and software development teams should consider the privacy challenges of their connected products, devices and platforms. Offering encrypted services, authenticated access should be built in.

"The battleground for 21st century IoT will be won and lost on the grounds of privacy and security controls. Regulators should at least recommend and in time mandate minimum controls to avoid the continued exposure of our sensitive and private data as we adopt more and more connected technology services at a consumer and business level.

"This won’t offer 100 per cent protection today, but it might move us on from the cyber security stone age – before the perfect ‘privacy storm’ strikes."
