In a series of Internet of Things (IoT) future forecasts, we look at what can be expected in the coming years regarding the IoT from various perspectives and angles. The reason: the Internet of Things (IoT) will be a key component of most digital transformation efforts for all the obvious connected reasons.
Increasing standardization, specification, reference architectures, and best practice guidelines are emerging to support security in the IoT, facilitating secure development and deployment for OEMs and DevOps (Michela Menting, January 2018)
In this piece an overview of IoT security trends, evolutions and forecasts, spiced with analyst data and additional insights.
Some predictions are easy to make. If you followed how 2016 was the year of the first really massive cyberattacks using IoT-enabled devices and in 2017 the detection of new cyberthreats in the IoT space hit the news, it’s pretty easy to predict that this will not be different in 2018 and beyond although ample initiatives have been taken in the scope of secure data exchanges, regulations, standardization and an increasing focus on security overall.
The IoT security challenges at hand for the industry
The exact impact of those security woes are another question with several answers. They certainly will shape industry evolutions but will they also slow down the market?
It’s probably a no-brainer that we can expect more security breaches and that the industry will come up with more security initiatives in regards with several aspects of the Internet of Things as it has already started to do.
There are ample challenges which certainly also apply in the context of Industrial IoT and Industry 4.0 where security is an inherent part of the vision and architecture. We mentioned the challenges and (re)design of cybersecurity in Industrial IoT and Industry 4.0 in a separate article.
Needless to say that the more connected critical infrastructure becomes, the more interesting it gets for the bad guys, certainly in times of state-sponsored attacks. While security gets more ‘intelligent’, leveraging artificial intelligence, more integrated/embedded (“bye bye perimeter or “hello, new ubiquitous perimeter”) and holistic, including new technologies that promise to bring a more secure IoT (think blockchain and IoT, for example), the human dimension and common sense remain important. Security by design is not commonplace at all and in November 2017 once again it became clear how much security challenges there are on the plant floor, starting from SCADA systems and HMI software, with the human dimension as the weakest link.
As everything in industrial markets, from building management to smart manufacturing and plenty of critical environments (energy grids, you name it) moves IP and IoT, security in Industrial IoT is one to carefully watch as these industries are still the major spenders regarding IoT. The rise of edge computing in this regard is seen as a way towards more secured environments, as are the latest types of hardware and software in the IoT stack.
The IoT personal data protection security challenges at hand
Additional challenges with regards to IoT security concern regulations regarding personal data protection. The most impactful one in 2018 no doubt is the GDPR, which will be followed by the ePrivacy Regulation later.
There is a nascent chip-to-cloud, end-to-end security management market specifically targeted for IoT high-growth markets: industrial, connected car, utilities, city, retail, supply chain, and wearables (ABI Research, January 2018)
Obviously not all IoT applications and projects have personal data and identifiers as an objective, let alone primary objective on the data collection and processing front. But many do and some even concern special categories of personal data under privacy laws such as the GDPR with healthcare and scientific research being two examples (e.g. when leveraging health-related data from wearables). Also in marketing and retail, where IoT gets its place, personal data are omnipresent and, while healthcare and research can count on some special rules, the latter two certainly can’t, at least not in the positive sense for organizations considering IoT projects.
If you intend to start an IoT application or project with personal data processing of EU data subjects involved do learn all about data subject rights, the legal grounds for lawful processing, the probable requirement of a DPIA (Data Protection Impact Assessment) and how IoT fits in the GDPR and ePrivacy scope.
What this has to do with IoT security? Well, everything really as these new laws (and the GDPR isn’t alone) look at the risk perspective, don’t mess around with compliance (and fines, with a special focus on ‘new technologies’) and you don’t want to be in the situation of a personal data breach notification duty as a company.
We expect far more regulations regarding IoT as such too, also on the level of IoT device manufacturers with thanks to the botnets and, as said it’s not just about the EU and GDPR alone as you can read next.
IoT security findings from analysts for the near and not so near future
ABI Research: IoT security technology on the rise
According to a January 2018 press release from ABI Research, IoT security technology maturity is on the rise in industrial settings, transport and automotive, government and public services.
Risk assessments (such as the previously mentioned DPIA) become more common for operational technologies, and security imperatives increasingly part of C-level discussions, ABI Research states.
There is a nascent chip-to-cloud, end-to-end security management market specifically targeted for IoT high-growth markets: industrial, connected car, utilities, city, retail, supply chain, and wearables.
And according to Research Director Michela Menting “In the European Union and the U.S., these market movements are supported by increasing regulatory and policy discussion over IoT security. Further, increasing standardization, specification, reference architectures, and best practice guidelines are emerging to support security in the IoT, facilitating secure development and deployment for OEMs and DevOps.”
So, regulatory and policy discussions are indeed far from a GDPR and ePrivacy Regulation EU matter alone.
More analysts on IoT security in 2018 and beyond
For 2018 Forrester sees more damaging attacks according to an overview from Network World. IoT integrations in the public cloud would also add to increasing security concerns. Regarding the nature of the attacks, those trying to cause damage and chaos for political, military and social reasons are expected to be preceded by money-oriented ones. Also IoT attacks with ransomware appear to be explored.
As a reminder: for 2017 Forrester expected that more than 500,000 IoT devices would be compromised in 2017 and that the Internet of Things “represents a two-pronged threat in — potentially exposing businesses to security breaches and IoT devices themselves being turned into DDoS weapons.”
In its December 2017 update on IoT spending in 2018, IDC mentioned security in the scope of IoT hardware, IoT software and IoT services. While software spending, which is the smallest category for now and comprises application software, analytics software, IoT platforms (where security is increasingly tackled) and security software, it is the fastest growing one.
Earlier IDC forecasted that “by 2019, more than 75 percent of IoT device manufacturers will improve their security and privacy capabilities, making them more trustworthy partners for technology buyers.” (Source: IDC).
Many IoT device manufacturers don’t have cyber security on their radar yet.
Let’s hope that the other 25 percent already has top security capabilities (no comment) or goes out of business by then. You don’t mess with security.
Regarding IoT security, Gartner says that “new threats will emerge through 2021 as hackers find new ways to attack IoT devices and protocols, so long-lived things may need updatable hardware and software to adapt during their life span.” (Source: Gartner).
What about the impact of IoT security challenges in the consumer space?
When it boils down to the consumer electronics space of “connected devices” and the Consumer Internet of Things, we didn’t expect 2017 to be a big break-through year, among others for reasons we’ve explained in our consumer electronics 2017 outlook.
With trust and privacy already being issues the IoT security challenges are big here as well. More in a next Internet of Things future article in our series when we dig deeper in the expectations for this segment that is now starting to grow faster according to the mentioned IDC 2018 spending update.
A question that remains is what to do with all those existing “older” connected devices and the devices that are more recent but hard to patch.
Reuters tackled the issue on November 8, 2016, and the answer of an Internet security firm CEO on the security topic from a manufacturer perspective wasn’t exactly rosy. A quote “The harsh reality is that cyber security is not even on the radar of many manufacturers.”
More evolutions in IoT security
Below is a summary of some of our additional IoT security forecasts and recommendations.
- A shift of focus to and end-to-end security approach with embedded security by design.
- Reliance on partners and system integrators with clear SLAs for security and privacy.
- Choice for more secure connectivity solutions in critical applications will expand to less critical applications.
- Sooner involvement of security in the IoT project process.
- Data analysis closer to the source (IoT edge computing) and a mix with reliance on highly secured cloud environments (with security in the cloud and hybrid solutions).
- Regulations and security standards will be deployed.
- An increasing use of artificial intelligence for real-time security monitoring, depending on the use case.
- Appearance of blockchain (distributed ledger technology) in IoT security and an ongoing integration of IoT and blockchain.
- Growing focus on the endpoints and move towards a security perimeter of everything: the security perimeter hasn’t faded, it’s ubiquitous and in the distributed reality of IoT endpoints are key.
- Visibility becomes the central CISO focus.
- To address the lack of IoT device visibility organizations will invest more in IoT device visibility solutions, enabling device discovery, onboarding and monitoring (which is a challenge).
Top picture: purchased on Shutterstock. Copyright: EtiAmmosAll other pictures: see mentioned owners in image description and links.