IT security is yesterday's challenge

The elephant in the room

For two decades, we have been so focused on improving IT security defences that we have overlooked a large and growing gap in those defences through which cyber attackers can walk.

The graph below illustrates the problem.

Source: Statista

Why IoT matters

Industrial automation, wearables, precision agriculture, smart grids, and smart cities are driving the explosive growth of the "Internet of Things" (IoT) device market. IoT technology enhances efficiency, safety, and convenience in our daily lives.

According to market research company IDC, IoT spending surpassed an estimated $1 trillion in 2023. The total installed base of IoT devices worldwide is projected to double in size from 14 billion in 2021 to 31 billion in 2025.

Secure IoT is crucial to the Fourth Industrial Revolution.

Why IoT has a security problem

According to industry analyst firm Gartner, worldwide end-user spending on security and risk management is projected to total $215 billion in 2024.

You would expect a good chunk of that to be spent on securing IoT devices (e.g. printers, wearables, remotely controlled home appliances), but it is not.

Wild West regulation

There are no widely held IoT security standards to which manufacturers can adhere, and there are limited tools or guidance to support developers. Few IoT products are sufficiently secure to withstand even a semi-determined attack. At the commodity end of the IoT device market, margins are small and innovation has been slow.

Despite $800 billion being spent on IoT technology worldwide, in 2023, only $6 billion was spent on IoT security.

The public increasingly cares about personal data security

The public expects the IoT devices they use to be safe.

Regulators worldwide are baring their teeth, implementing carrot-and-stick inducements to device manufacturers to improve cyber security capability and fining companies for data security transgressions.

In the EU since 2018, 544 fines totalling €635 million have been issued to organisations either for having insufficient technical or organisational measures, or for failing to fulfil their information security obligations.

Attacks on IoT devices are real

Cyber attacks on IoT devices are becoming more frequent, and the disruption they cause more severe.

In October 2023, an unidentified attacker effectively bricked more than 600,000 routers from a single internet service provider through a malicious firmware update.

As reported by Alex Scroxton of ComputerWeekly.com, the China-backed advanced persistent threat (APT) actor tracked as APT40 has been busy evolving its playbook and has recently been observed actively targeting new victims by exploiting vulnerabilities in small office and home office (SOHO) networking devices, using them as a staging post for command and control (C2) activity during its attacks.

The solution

Minimise and manage your attack surface

Until IoT device manufacturers can offer secure devices (and buyers are willing to buy them), users should minimise their attack surface: the internet-connected devices that are visible to attackers. Cyber threat exposure management (CTEM) is a new cyber security approach to which companies like XM Cyber, Tenable, Qualys and Forescout Technologies Inc. have something to offer. THINGSRECON provides the best explanation of the CTEM approach.

Use secure IoT devices

At the commodity end of the IoT market, these are few and far between, although semiconductor component manufacturers like STMicroelectronics Italia, Nordic Semiconductor and NXP Semiconductors, which supply the makers of IoT devices, are looking at providing software development kits that enable security to be embedded in the firmware of IoT devices.

The advantage this brings is that it is low-cost and can be deployed "at the flick of a switch". Companies like qomodo are developing cyber threat exposure management capability to be embedded in the firmware of the IoT devices.

Better IoT security is on the way...

Lessons from the Maginot Line

The Maginot Line is a line of concrete fortifications, obstacles and weapon installations built by France in the 1930s to deter invasion by Nazi Germany and force them to move around the fortifications. The line has since become a metaphor for expensive efforts that offer a false sense of security, although this is unfair: it diverted the attack even if it didn't deter it.

Although deterrence is the foundation of military doctrine, its role in cyber security is underappreciated.

Organisations that manage their security across their entire attack surface and actively deter attackers, and IoT semiconductor and device manufacturers that respond soonest with affordable practical IoT security solutions, will be best placed to manage cyber risk and achieve their business goals.

Underground railway system connecting the Maginot Line forts. Source: Visit Alsace

Sources

https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/

https://www.gartner.com/en/newsroom/press-releases/2023-09-28-gartner-forecasts-global-security-and-risk-management-spending-to-grow-14-percent-in-2024

https://finleyusa.com/idc-report-iot-spending-to-reach-more-than-1-trillion-by-2022/

https://www.statista.com/statistics/668996/worldwide-expenditures-for-the-internet-of-things/

https://futurecio.tech/iot-security-spending-to-top-6-billion-by-2023/

https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

https://cms.law/en/int/publication/gdpr-enforcement-tracker-report/numbers-and-figures

https://www.computerweekly.com/news/366592858/Chinese-spies-target-vulnerable-home-office-kit-to-run-cyber-attacks

https://www.forbes.com/sites/daveywinder/2024/06/02/hacker-bricks-600000-routers-in-just-72-hours/

https://www.linkedin.com/feed/update/urn:li:activity:7165231057632497664/

https://www.visit.alsace/en/219006314-guided-tour-of-the-four-a-chaux-fortress-maginot-line/



Anthony Mattiello

Program Manager and Cybersecurity Engineer | U.S. Navy Veteran

5mo

If IoT devices are to become more secure, it will most likely have to be done from the manufacturer. Most people do not know security best practices or don't want to spend the time to secure home devices.

Marcel Velica

Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions| Cybersecurity Excellence | Cloud Security

5mo

Great analogy! The security of IoT devices is indeed a critical issue that often gets overlooked. Strengthening IoT security is essential to protect our data and privacy. Paul Brucciani FCIIS

Chris Gunner

Group CISO at Pepper Financial Services Group

5mo

I'm reminded of an experience I had working in smart meter security - one that shows sometimes different perspectives can explain why certain things are done certain ways. When we met some of the 'smart' gas meter vendors - who ultimately were gas engineers, not programmers - they explained they had made a single monolith application to control each of all their future meters. They'd disable bits of the codebase depending on what features were needed for each market... To us cyber folk this initially seemed to be a catastrophic error, something we'd never do, security 101, etc. However, when asked for their reasoning they explained that in physical engineering having single, predictable parts was a huge bonus - easy to understand and maintain/replace, for example. Their brains had been wired/trained for a completely different objective. So, not the right approach for that particular problem, but a good one (in the right circumstances) nonetheless.

Tom Burton

Executive Interim Manager in Cyber Security and Digital Transformation - Enabling clients to embrace opportunities with confidence that their risk is well managed

5mo

An interesting article Paul. Like everything there is probably not a one-size-fits-all solution. I'd want the IoT that is controlling my front door lock (I don't have one by the way 😁) to be highly secure by design and in operation. But I treat the ones controlling my table lamps as inherently insecure and segregate them onto the 'garbage' VLAN that can't get to anything.
