IIoT security: Why devices are the weakest link in the IoT stack
The most significant challenge for the internet of things (IoT) is device security. Without question, devices represent the weakest link in the IoT technology stack, the industry reckons.
“This is because devices are constrained in battery and computing power,” notes Carlos Carazo, director of IoT technology at Telefónica. “Not all security measures can be deployed.” In industrial terms, the great promise of IoT to usher in a fourth industrial revolution, is in the balance, and device makers are in the dock, charged with chasing quick bucks, instead of longer-term economic gain.
Ill-conceived gadgetry is lighting up across the global internet. “Every one of these devices is like a time bomb for enterprises,” says Lance Holloway, director of vertical security at Stanley Security.
Cost is the common denominator. Michela Menting, research director in digital security at ABI Research, says the idea security concerns come second to commercial considerations is hardly novel among technology providers. IoT device makers and application developers are “leaping ahead with little consideration” for data protection, she says. Doesn’t the risk of attack justify the cost of security?
“Unfortunately, risks are difficult to quantify in the IT landscape, and even more so at the IoT level. The ramifications are sometimes difficult to see in the complex het-nets that form the fabric of the IoT. While technicians and engineers may well understand the risks, these are always difficult to translate at c-level, not least because they need to be rendered into financially defined risks,” says Menting.
Market forces are irresistible in this new tech entanglement. Prospectors are conspicuous as the gold rush quickens, but they are also hasty, and either ignorant or else irresponsible. “The real risk is in the ignorance of new product creators,” comments David Dufour, vice president of engineering and cybersecurity, a Webroot. “They’re not even tech companies a lot of the time. They design and build these products without taking security into consideration.”
The forecast is not good. IHS Markit reckons security will not be embedded in new IoT sensors to any great extent, with the number of hardware-based security co-processors utterly dwarfed by the total devices in play, by as much as 35:1, through to 2010.
Enterprises, more security conscious, will be responsible for putting such security measures in place. “In the consumer market, no one wants to pay for security – and yet everyone complains when issues arise. Without regulation, it’s hard to enforce. It’s very different for enterprises. They will pay for it,” comments Stéphane Quetglas, enterprise IoT marketing director at Gemalto.
Warren Westrup, director of connection solutions at Verizon, compares the concept of enterprise security to vehicle rentals. “They always offer you an extra level of insurance, and businesses are more inclined to pay it,” he explains. “Those same types of discussions need to happen at the enterprise level to secure these devices.”
For a deeper dive into this topic, click here to register for the upcoming webinar titled “Industrial IoT security–The pitfalls and practicalities of securing manufacturing and supply chain IoT systems.”