You don’t have to wait long for predictions about the massive growth of the IoT. As at the end of 2017, Gartner analysts predicted that we already have around 8.4 billion IOT devices worldwide. This is an increase of 31% compared to the 2016 figures. In 2020, it should be around 20.4 billion IoT devices globally.
That’s not surprising. Because in addition to the ever-growing number of products that are equipped with ever-widening skills to network, there are a variety of new associations, technology partnerships, standards committees and industry initiatives. Closed and established with the goal of enabling companies to truly benefit from the competitive advantages of the IoT.
IoT data breaches will not only continue to increase, but the consequences will be more severe than before.
As with any emerging and rapidly advancing technology era, such development rarely takes place without challenges. And in the case of IOT, safety is one of those challenges. In core, three trends will accompany us in 2018.
In distinction to the previously discovered weaknesses, which were directed in particular against brands and models in the automotive industry, we were confronted with weaknesses in 2017 within the Controller Area Network (CAN) bus protocols faced. A bus protocol that is used not only in the vast majority of vehicles but is widely used in industrial production, health care is another example.
The vulnerability was discovered by U.S. Pat. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Under certain conditions, attackers were able to disable the onboard security systems. To make it even more complicated, it is not a vulnerability that could be fixed by a patch. That’s because it’s an inherent weakness of the protocol design itself.
But in 2017 IoT security was another innovation. For the first time, an implantable medical device was recalled due to IT security issues. To this end, the US Food and Drug Administration responded in a gigantic recall campaign to over 465,000 patients who had been given a particular networked pacemaker. The FDA asked the patients to visit their doctor and get a firmware update of the concerned pacemaker. The device has a vulnerability that could potentially be exploited for attacks. Hackers, for example, would be able to influence the tempo of the signal generator or prematurely switch to energy-saving mode. Unlike the CAN bus protocol, this vulnerability comes with a patch. Patients must consult their doctor personally, but surgery is not necessary. Part of the update is to limit the number of wireless commands that the device can receive while preventing the transmission of unencrypted data. With that being said, we are obviously well on our way to an age when doctors are patch managers as well. It is a disturbing and irreversible trend that vulnerabilities in protocols and devices are increasingly likely to endanger human lives when these protocols and devices are used in an environment for which they were not initially designed.
More security awareness, yes, but secure implementation takes time
It is expected that IoT device manufacturers, especially end-user devices, will continue to bring in market devices that are poorly or not fully secured. However, the safety awareness of consumers is growing. Although not strong enough to change the buying behavior. Cool features and an affordable price still make the difference. For the first time, Amazon Echo and Google Home are high on the wishlist of technology-savvy consumers. On the other hand, there is a small but growing group of consumers who have major concerns about the safety of these products. The first major waves of attack, such as the Mirai botnet, have received the attention of security experts. For the average consumer, the scope of this type of attack has not yet become apparent. Nevertheless, the pressure on manufacturers is growing and with it the demand for better security and data protection measures.
Building security into the equipment from the start will be more difficult and time-consuming than expected. This applies equally to IoT devices intended for end users as well as those used in companies. An example: encryption. One has the ability to encrypt data that an IoT device collects both while they are on the device and when that data is sent to another device or aggregated and analyzed in the cloud. At first glance, this looks like a suitable and straightforward approach. As far as encryption is concerned, there are many good recommendations as to which algorithms are suitable. In addition, there are several OpenSource encryption solutions. So far so good. It is much more difficult to protect and manage the associated keys. Insufficient key management invalidates the entire encryption process. A badly managed key can make the encrypted data unusable. For example, if the key used to encrypt the data in question is not available within an authentication process. The sheer variety of devices in the IoT is compounding exponentially the challenges of encryption and key management. To date, only few have the necessary expertise and suitable technologies to deal with this.
The consolidation has begun.
At the moment, analytics and visualization tools are particularly promising for companies and in the context of IIoT, the industrial Internet of Things. These tools attempt to analyze the vast amounts of data that make sense and produce results that help in day-to-day business. Especially in 2017, providers and users of IoT technologies had to put up with more questions about what they think about the different aspects of data protection. All in all, it makes little sense to collect, analyze, or even worse, analyze data based on this analysis if you ultimately can not trust the data. In order to be able to trust them, one must be able to authenticate origin and source. This begins with verifying the device identity (and whether that device uses legitimate validated software from a trusted source), protecting the collected data from the beginning and, of course, the entire communication and transmission path. That these questions are asked in terms of security is one of the sign of consolidation in the IoT. Manufactures have left the phase of prototypes and feasibility studies, moving in the production phase with real users who are increasingly asking critical questions.
And consolidation will continue to accelerate. Specifically, the market for enterprise / cloud IoT platforms is unhealthily bloated with an unsustainable number of products. It’s safe to assume that just about every developer would be happy to shorten the list of available products for IoT platforms, preferring to incorporate better artificial intelligence into the remaining ones. Add to this a healthy, or perhaps rather unhealthy, number of safety standards and associations that wants to create a solid safety basis. A variety of initiatives seem to go in the same direction, in fact they often have different goals. Governments and legislators are also in the process of finding ways to create the necessary security conditions better than before.
Consolidation and standardization will help to better integrate IoT devices into industrial multi-core environments. And these efforts will ensure that basic security techniques are easier to implement. In particular, those that provide sufficient confidence in an IoT-based environment.
The IoT is a fascinating, fast-growing, and emerging field that will increasingly become the backbone of digital transformation. And it promises them not inconsiderable competitive advantages, which understand how to use it within their entrepreneurial visions, goals and implementation.
Requirements include a strong trust anchor, efficient implementation of the necessary IT security measures, risk assessments in an IoT ecosystem, and meaningful results from IoT projects. The year 2018 will bring us some decisive progress here.