A broad and vast network of devices connected to the internet is the vision of the Internet of Things (IoT). In this vision, the IoT connects nearly every aspect of life—whether that’s cardiac rhythm monitoring in the home for greater health support, traffic management to alleviate congestion and air quality monitoring and decrease air pollution, sensors that track movement along the supply chain for efficiency, condition monitoring in agriculture for sustainability and optimization, predictive maintenance and enhanced productivity to make manufacturing sleeker and scalable or much more.
The completeness of this vision is what I believe will take place from now to 2030 in what I like to call the “Decade of IoT,” and it offers many exciting opportunities, but it also presents a risk if cybersecurity is not fully addressed.
The Attack Surface In IoT
The IoT ecosystem is composed of many different elements, from the IoT device itself, which is the endpoint, through gateways and routers, along communication protocols, across platforms and APIs and on to the cloud, with data moving in both directions.
Securing each layer in the IoT stack can be difficult because there is a lot of fragmentation across those different elements. And security is not a one-touch task but an ongoing measure that requires constant monitoring and over-the-air updates to apply any needed security patches.
On a small scale, when an organization is leveraging IoT internally, such as a manufacturing company using IoT to monitor machine performance, an attack may have a limited impact. However, if an organization is using IoT solutions in customer-facing applications, such as a point-of-sale solution, then an attacker could access and expose sensitive customer data, which creates a ripple effect of negative consequences.
A Move Toward Standardization
We have reached a stage where IoT has gone through its proof-of-concept decade. Organizations have seen success in IoT, and ongoing developments are tackling some of the larger pain points in IoT—namely connectivity solutions that are tailored to the mobile and massive scale of IoT. We are poised to see rapid adoption across the industrial, healthcare and asset-management sectors—to go with early traction in fleet and telematics.
One of the largest areas of excitement in IoT is automation through machine learning and artificial intelligence, where we will begin placing trust in intelligent machines acting without human intervention. The need for top-level security is moving from a must to an absolute necessity.
The internet is not the Wild West, but the lack of standardization in security is still a concern, though we are moving in the right direction. Legislative policies in the United Kingdom, as well as California and Oregon, have laws that require reasonable device-level security. Federal IoT use, as mandated by law through the IoT Cybersecurity Act of 2020, requires the National Institute of Standards and Technology to create guidelines for the purchase and use of IoT devices.
Meanwhile, the GSMA—a global organization with the goal of unifying the mobile ecosystem—has developed the IoT SAFE initiative. This creates the ability to have device-level security by making the SIM card, which is necessary for most connected devices, the trusted source of security.
The importance of this cannot be understated. If devices coming off the factory floor are already built with security in place through an IoT SAFE SIM card, then organizations or end users have a tremendous head start in securing the entire technology stack.
Security By Design
Device-level security is an incredible stride, and it helps fortify the first building block in the technology stack. When devices arrive and are unpacked, the process of security by design has already begun. Security by design is an approach to building security into an application at the earliest design and build stages.
It is a strategic method that helps build the entire ecosystem’s protocols and standard operating procedures for IoT that follows the ecosystem throughout its entire lifecycle. As mentioned before, the management of security after deployment is crucial. You cannot “set it and forget it” when it comes to IoT, much like you would not be able to with any mission-critical IT infrastructure.
Failure to update software or patch detected vulnerabilities could lead to breaches, which can lead to dire consequences. While security by design is a slower path to market, it can be an incredibly comprehensive, fully armored approach to security that grows and scales with IoT deployments.
The Decade of IoT ahead has the potential to see innovation that supports initiatives for sustainability, quality of life and so much more. Security should grow and innovate alongside it, and there are strong indicators that it will. It is a collaborative effort, though, with stakeholder buy-in required, from device manufacturers to cloud service providers. Cutting through that fragmentation is going to be essential to see ultimate success.'