As with many hyped technologies such as IoT, security is an overlooked topic. A major breach in IoT happened in 2017 when over 100,000 internet-connected security cameras were found to be vulnerable.
Kimmo Aura, Program Director, Business Finland, Connectivity from Finland’s telecom acceleration program takes a look at the state of IoT security today.
Lack of security is present in the consumer IoT market, personal and home devices and services as well as in the industrial IoT (IIoT) sector. Based on different research sources, the underlying reasons for security threats in the consumer and industrial markets are different, but the risks and damages to both can be irreparable and immeasurable in economic terms.
Consumer IoT Security
Over the next two years, the number of IoT devices entering households is predicted to climb steeply from nine devices per household currently to 500 by 2022 according to Gartner with IoT connectivity being bundled into products whether people want it or not.
According to a research funded by F-Secure, the leading cyber-security technology house, many IoT devices would go unprotected because consumers do not know how to change the manufacturers’ default security settings.
The drive to be the first to market has meant that many manufacturers have not even considered the security implications of their devices. They have either not built appropriate security measures, use inadequate measures or, in some cases, provide no settings at all.
Of even greater concern is the potential for IoT devices to be turned into eavesdropping mechanisms that can hear and see what is going on wherever they have been deployed. Online criminals could even access and control biometric data such as fingerprints, voices and facial images stored as digital data.
Long, deliberately unwieldy and confusing terms and conditions associated with the use of devices that users are practically forced to sign up, gives manufacturers the right to collect private data and control how its device is being used. Consumers largely remain oblivious to potential implications.
Lack of awareness will also result in significant security risks to individuals since IoT devices with limited security will easily connect to home Wi-Fi networks and other radio protocols such as Bluetooth, Zigbee and Z-Wave and use those networks to link to other devices such as computers, handheld appliances and mobile phones.
Industrial IoT Security
According to the 2018 SANS Industrial IoT Security Survey Report, most organisations globally are looking at a 10 to 25 per cent growth in the number of their connected devices. This will lead to the systems that are connected to IIoT devices to double in size every three to seven years.
Consequently, enterprises see network complexity as the single biggest reason for IoT security threats. Data, firmware, embedded systems and general endpoints are identified as the most vulnerable parts of IoT systems. Systems are scattered across numerous sites hosting autonomous end-points, which make configurations difficult to manage. The SANS poll also discovered that complex systems will open a responsibility issue. IoT professionals define IIoT endpoints differently and this in turn will become the basis for confusion surrounding responsibility for IIoT security.
In IIoT, the security issue is not in the software and hardware security features. According to Tosibox, the pioneering IoT company founded to make security easy, the only way to overcome the security threats due to complexity is to minimize the amount of manual configuration work. Its solutions are unique due to highly simplified and automated network and device configuration. This minimizes manual work, and thereby reduces the likelihood of human errors.
In IoT, whether consumer or industrial, humans are the biggest and hardest security problem to fix. End users often lack adequate tech skills, or do not care about the simplest security measures such as changing the default password. Sometimes it is product managers of device manufacturers who decide to trade security for faster time to market and higher bottom line. Sometimes it is IT managers or experts who get blown away by the gigantic complexity that this exponentially growing IoT system causes.
Kimmo Aura is the Program Director at Business Finland where he heads the Connectivity from Finland program, which helps Finnish Telecom and IoT businesses accelerate international growth. Kimmo has 25 years of experience in developing international consulting businesses in Telecommunications, fiber optics, machinery, mining and management consulting. According to Kimmo, the key to success in international business growth is listening to the customers, understanding their concerns, and streamlining your own organization to fulfil the customers’ needs.