The most important high-tech story to watch in 2017 will be whether companies make substantial improvements in securing the Internet of Things ecosystem, which includes devices, networks, platforms and services.
This story will be so crucial because the market potential is enormous. More than 50 billion devices are predicted to be used by consumers by the year 2020, according to industry analysts and high-tech companies. But this won’t happen nearly as fast as projected unless more and better security is built into the entire IoT ecosystem.
New U.S. Department of Homeland Security Report
The seriousness and extent of these security concerns surfaced in a new U.S. Department of Homeland Security report titled Strategic Principles for Securing the Internet of Things, which says:
“The time to address IoT security is now. Many of the vulnerabilities in IoT could be mitigated through recognized security practices, but too many products today do not incorporate even basic security measures. There is a lack of incentives for developers to adequately secure products, since they do not necessarily bear the costs of failing to do so. While the benefits of IoT are undeniable, the reality is that security is not keeping up with innovation.”
The IoT market is as weak as its weakest link. A hacker who gains access to a corporate or home network could remotely control each of the connected devices to make them a part of an orchestrated attack. If the broader network is compromised, the hacker could also capture other sensitive data on the network such as people's financial information.
Hacking surveillance cameras
A recent security attack underscores the severity of this problem. Dyn, a company that monitors and routes Internet traffic, was hit with a severe “distributed denial of service” attack in October that flooded its servers with so many fake requests for information that they could not respond to real ones, causing the servers to crash. Unknown hackers took down the company’s routing network, which allowed them to knock many popular websites such as Amazon, Twitter, and Netflix offline.
By hacking into unsecured IoT devices, mainly home surveillance cameras, hackers took control of these devices to attack other devices on the network, which served as a gateway to take down the company’s routers and attack the entire corporate infrastructure including the popular websites.
These types of IoT devices are easily hackable because they are designed to be accessed over a local network and they come with unsecured, hard-coded default passwords, which can be easily compromised.
Security slowing shift from product to service businesses
Security has hastened the growth of the IoT market as companies pivot from product-focused businesses towards new service and software application business models. To do this faster and more effectively, the security issues need to be solved. Product and service application development, device and service testing, and platforms need to be as secure as the hardware devices and equipment. Connecting the security “dots” – digital, operations, technology and strategy – will be important to building secure IoT offerings.
A one-size-fits-all security solution for IoT devices and platforms does not exist. But the remedies for this problem need to account for attack risks and the costs of security failures.
Over the past two years, consumer purchases of IoT devices such as wearable health devices, connected vehicles, and home monitoring devices have not grown as quickly as once predicted. Security concerns are among the main reasons. An Accenture research report, Igniting Growth in Consumer Technology, finds that 18 percent of consumers decided to quit or terminate an IoT device or service until they were assured of its safety.
As this year unfolds, a specific IoT security story to track will be which companies are embedding security technologies during the design phase of products. Integrating security at the start of product design – a practice few companies follow now – tends to be easier and less expensive than after the product has been manufactured.
Companies should further consider the full lifecycle of deploying, provisioning, or updating devices. The recent attack at Dyn is a reminder that many organizations only consider the deployment of an IoT device, and are unable to effectively update the devices once they are deployed. Although security vulnerabilities are usually present in any products running software, IoT offerings are especially vulnerable.
Companies could also program IoT devices to require users to change passwords upon first use. This would have been helpful in preventing the Dyn attack.
Technology providers must urgently address these very real security concerns to enable continued growth of the Internet of Things.
He can be reached at david.a.sovie (at) accenture.com.