There is little doubt that the Internet of Things (IoT) has been playing a pivotal role in automation, digital optimisation and digital transformation across a spectrum of industries, business functions and B2B and B2C application areas. The inflection point came around 2008-2009, when commercial and consumer IoT drove the number of connected devices worldwide to nearly twice the world's population, a 23-fold increase in devices between 2003 and 2010. The importance of IoT can be gauged from two widely cited reports of the early 2010s: IoT's appearance on the Gartner Hype Cycle of 2011, and IDC's 2013 estimate that IoT technology and services spending would generate global revenues of $8.9 trillion by 2020, with an installed base of approximately 212 billion "things" globally by the end of 2020.
Along with e-commerce, mobility, social media, cloud, Artificial Intelligence and Machine Learning (AI/ML), Robotic Process Automation (RPA), advanced analytics and blockchain, IoT has been transforming many consumer, industrial, government and defence applications. These use cases span supply chain, operations, customer relationship management, quality control, logistics, inventory management, IT and HR functions, from smart manufacturing, smart cities and utilities, connected transportation, mining, oil and gas, agriculture and government applications in the B2B space, to smart healthcare, retail, finance, education, connected vehicles, hospitality, airlines, fitness and consumer durables on the B2C side.
For all the benefits that consumer, commercial and industrial IoT bring, from better customer and supply chain experiences to operational excellence and optimised costs, CIOs, CISOs and other leadership teams have also been cognizant of the associated risk: an enormous potential attack surface, much of it beyond the trusted organisational network perimeter. As the IoT stack has evolved into distinct layers of physical devices, edge computing and cloud applications, IoT deployments need to be secured at all three layers, since a weakness in any one of them exposes the others.
What have been the drivers of Secure IoT Deployment in the pre-pandemic times?
Especially in the second decade of the millennium, as workloads and systems shifted out of the trusted organisational network, CISOs and CIOs realised the importance of cyber security in the world of IoT, cloud and mobility, handling increasingly sophisticated attackers and insider threats on one hand and increasingly stringent privacy and security requirements for sensitive data on the other. It was evident that information and cyber risk would need to be weighed as critically as financial, operational, economic, geo-political and other risks. Besides stiff fines and penalties for breaches and leaks, managing cyber risk is fundamental to Organisational Reputation Management (ORM), which feeds into customer, employee and supply chain satisfaction indices and trust scores, the ability to raise funds, Environmental, Social and Governance (ESG) ratings, and adherence to frameworks and regulations such as those from NIST and ENISA and the GDPR.
According to this 2016 Gartner research and survey on IoT, 35% of interviewed IT leaders cited security as a top barrier to IoT success. A similar study by McKinsey highlighted cyber-attacks and lack of preparedness as key risks in IoT implementation, particularly hacking, misuse and unauthorised leakage of sensitive information.
October 2016 saw the IoT botnet built by the Mirai malware launch what was then one of the largest DDoS attacks ever recorded, against the DNS provider Dyn, causing widespread outages that took down Twitter, CNN, Netflix, Reddit and others. Devices infected with Mirai scanned the Internet for other vulnerable IoT devices such as IP cameras and DVRs, logged in over Telnet using factory default credentials, and infected them in turn; in its original form Mirai needed no software exploit at all, only passwords that had never been changed. The following year, the worldwide WannaCry ransomware outbreak hit the NHS, affecting computers as well as connected medical devices including operating theatre equipment and MRI scanners, putting lives at risk. This period also saw serious vulnerabilities disclosed in medical IoT devices, including the Owlet Wi-Fi infant heart monitor and St. Jude Medical's implantable cardiac devices, as well as the remote Jeep hack over a cellular network.
The decade before the pandemic also saw heavy fines and penalties for breaches and customer data leaks, such as those at Uber, Marriott, Equifax, Home Depot, Capital One, Morgan Stanley, Yahoo, Microsoft, British Airways and several others. From a governance perspective, compliance with regulations and acts has grown in importance: in the United States, the Federal Information Security Management Act of 2002, the Department of Defense Strategy for Operating in Cyberspace of 2011, the NIST IT standards, the Homeland Security Act and the Cybersecurity National Action Plan (CNAP); in Europe, ENISA's guidance, the NIS Directive and the EU GDPR. Rising globalisation also meant dealing with different regulations, compliance regimes and policies across geographies.
It became clear that cyber risk went beyond the traditional protection of information technology assets to also cover IoT devices and personnel across the extended enterprise. CISOs, CIOs, legal counsel and other leaders began looking beyond technical controls for reducing incidents and breaches to also plan for and analyse the impact of adverse cyber events on the business and its stakeholders. The scale of this can be gauged from this 2017 Deloitte research, which estimated compliance costs at a significant 10% of a typical bank's overall operating costs.
What was the effect of the pandemic on IoT and Cyber Security?
The COVID-19 measures of travel curbs, lockdowns, social distancing and remote working accelerated the adoption of IoT along with other technologies such as cloud, 5G, edge computing, Extended Reality, AI/ML and blockchain. Despite initial chip shortages, the focus on autonomic systems, smart manufacturing, connected supply chains, smart cities, connected vehicles, remote healthcare and telemedicine was the principal driver of the resurgence of IoT during the pandemic. It is estimated that one third of IoT use cases are in B2C and the rest in the industrial and B2B space. This research by IoT Analytics predicts that the current number of connected IoT devices globally, over 12 billion, will more than double to 27 billion by 2025.
Adoption of the Internet of Behaviour (IoB), the combination of AI with IoT, the further rise of 5G and edge computing, Extended Reality, digital twins, wearables, the Internet of Medical Things (IoMT), the Internet of Packaging (IoP), government IoT programmes and investment in IoT platforms and software layers are further accelerating IoT usage and application areas.
This 2015 McKinsey research, updated in 2021, stated that IoT could still unlock between USD 5.5 trillion and 12.6 trillion of value globally by 2030, despite the challenges of change management, cyber vulnerability, attracting talent and cost.
The pandemic saw a significant increase in the number of cyber-attacks, almost threefold in several countries, covering work-from-home endpoints, IoT devices, video conferencing services and the dark web, as this Deloitte research describes. From an IoT perspective, the reasons were larger attack surfaces, the sheer number of reachable IoT endpoints, unsupported and obsolete architectures, operating systems and firmware, and the absence of standard IoT cybersecurity practices across its layers. This World Economic Forum article highlights significant IoT attacks in the early days of the pandemic, such as the Mozi botnet, the attacks on Israel's water system, some US utilities, a Silicon Valley start-up and other critical infrastructure. There was also a resurgence of WannaCry and other IoT attacks, besides other high-profile breaches and customer and supply chain data leaks. Gartner predicted that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a threefold increase from 2021.
Governments and private enterprises have also been working together on IoT security in this era of Zero Trust and cyber resilience. In 2020, the European Union Agency for Cybersecurity (ENISA) published guidelines on securing IoT supply chains and is now developing specific security measures for IoT operators and critical infrastructure industries. In the US, NIST guidelines as well as the IoT Cybersecurity Improvement Act of 2020 provide guidance and considerations for building cyber security into IoT deployments, especially those used in critical infrastructure. For the consumer IoT ecosystem, the President's May 2021 Executive Order on cybersecurity called for piloting a labelling programme for consumer IoT products that shows how they meet cybersecurity criteria.
What is the Market Size for IoT Security?
The factors mentioned above, growing IoT adoption along with 5G and Industrie 4.0, the increasing breadth, volume and frequency of cyber-attacks, and more stringent cyber security laws and guidelines, have led to immense growth in the IoT security market. According to this report by MarketsandMarkets, the global IoT security market is estimated to grow from USD 14.9 billion in 2021 to USD 40.3 billion by 2026, a compound annual growth rate (CAGR) of over 22% over the forecast period.
What measures can be taken to ensure secure IoT deployment?
Alongside the measures taken by governments and regulatory agencies mentioned earlier, private enterprises also have their part to play in ensuring cyber resilience in the IoT world: crystallising baseline IoT security standards for consumer and industrial devices, agreeing shared security principles, driving basic security certifications and norms, and enforcing cooperation, transparency and conformance across supply chains and customers.
Organisations need to adopt the ethos of security by design. At the device and hardware layer, strategies such as device credentialing, generating a unique identity for each IoT device, and clamping down on counterfeit chips and devices are playing a big role. It is also of paramount importance to have code signing that covers the bootloader, operating system, firmware and applications, so that a device installs only software whose signature verifies against a vendor key anchored in the device itself, ideally in ROM or a secure element. A signed image is not enough on its own: the update logic must also bind the signature to the exact image it covers, and it must refuse downgrades to older releases that are still validly signed but carry known vulnerabilities.
CISOs are also deploying measures including eliminating universal default passwords in favour of per-device credentials that must be changed on first use, safeguarding against IoT device identity spoofing, using tokenisation or encryption for data at the edge, and enforcing secure protocols such as HTTPS and Transport Layer Security (TLS) with server certificate validation actually enforced on the device, Secure File Transfer Protocol (SFTP) and DNS Security Extensions (DNSSEC).
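As an added illustration, not taken from the original article or from any of the sources it cites, the following Go program shows the device-side update verification described in the two paragraphs above: an Ed25519 signature over a small manifest, the manifest binding the firmware image by its SHA-256 digest, and a monotonic version check that blocks rollback to an older signed release. The manifest layout, the function names and the in-memory keys and images are assumptions constructed for the example; a real device would hold the vendor public key in ROM or a secure element and the installed version in protected storage. Only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical minimal update manifest (assumed layout for this
// example): the vendor signs the manifest, and the manifest binds the firmware
// image by its SHA-256 digest, so the image itself needs no second signature.
type Manifest struct {
	Version uint32   // monotonically increasing release number
	Digest  [32]byte // SHA-256 of the firmware image
}

// Encode produces the exact bytes that are signed and later verified.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the vendor key")
	ErrDigestMismatch = errors.New("image digest does not match the signed manifest")
	ErrRollback       = errors.New("image version is not newer than the installed version")
)

// SignRelease is the vendor-side step (build server or HSM): hash the image,
// put the hash and release number in the manifest, sign the manifest.
func SignRelease(vendorPriv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(vendorPriv, m.Encode())
}

// VerifyUpdate is the device-side step. vendorPub is the key provisioned into
// the device; installedVersion comes from protected storage. The checks run in
// order: authenticity of the manifest, integrity of the image, then freshness.
// Nothing in the manifest is trusted before its signature has been verified.
func VerifyUpdate(vendorPub ed25519.PublicKey, installedVersion uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendorPub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Freshly generated demo keys stand in for the vendor's signing key and
	// for a key an attacker controls.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed stand-ins for two firmware releases.
	v1 := []byte("constructed firmware image, release 1")
	v2 := []byte("constructed firmware image, release 2")
	m1, sig1 := SignRelease(vendorPriv, 1, v1)
	m2, sig2 := SignRelease(vendorPriv, 2, v2)

	installed := uint32(1)
	fmt.Println("genuine v2 on a v1 device:     ", VerifyUpdate(vendorPub, installed, m2, sig2, v2))

	// One flipped byte, e.g. a backdoor patched into an otherwise genuine image.
	tampered := append([]byte(nil), v2...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image, genuine manifest:", VerifyUpdate(vendorPub, installed, m2, sig2, tampered))

	// The attacker re-signs the tampered image with their own key.
	mAtk, sigAtk := SignRelease(attackerPriv, 3, tampered)
	fmt.Println("image re-signed by attacker:   ", VerifyUpdate(vendorPub, installed, mAtk, sigAtk, tampered))

	// A genuine but older release replayed against a device already on v2.
	fmt.Println("replayed genuine v1 (rollback):", VerifyUpdate(vendorPub, 2, m1, sig1, v1))
}
```

Run with `go run`: the genuine update prints `<nil>`, and the three attack cases print the digest-mismatch, bad-signature and rollback errors respectively. The order of the checks is the point: the digest and version fields come from the manifest, so they are only meaningful after the signature over the manifest has been verified, and the version check is what turns a one-time signing decision into protection against an attacker who has kept a copy of a vulnerable but validly signed release.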
It is also important for IoT device manufacturers to be transparent with customers about how their data is used and shared, and to recommend tools and practices for avoiding risky behaviour and for switching off categories of data collection and sharing that are not needed.
CIOs and CISOs are bringing IoT devices under the same cyber resilience and Zero Trust approach as other assets, users and entities, and using AI/ML-powered tools for proactive threat hunting and remediation against external and internal threats. IoT devices, other assets, users and entities are now spread across on-premises sites, data centres and the cloud, encompassing the extended enterprise. It is hence important to decentralise risk and decision making, moving beyond compliance and security functions to Security Behaviour and Culture Programs (SBCPs). Consolidation and convergence of cyber security solutions and vendors, along with a Cybersecurity Mesh Architecture (CSMA), help provide a proactive, uniform and integrated security framework and posture.
This article by Deloitte describes an IoT security platform built on these three aspects:
- Incorporating secure components into each IoT tier, covering application security, Identity and Access Management (IAM), secure code scanning and vulnerability management
- Having the technology, processes and resources to regularly test protection levels, identify network and physical vulnerabilities and known and unknown assets, and thus proactively detect, identify and manage threats, risks and attacks.
- Having resilience and risk management frameworks and strategies, including detailed preparation, reviewing and fine-tuning risk appetite, and corresponding cyber insurance cover and strategies. This helps ensure business continuity, minimise claims and damages, and maintain organisational reputation across customer, supply chain, legal, branding and finance obligations. Leaders are adopting cyber resilience frameworks alongside Zero Trust Architecture, such as the Cyber Resilience Review (CRR), FISMA, NIST FIPS 199 and 200, and especially NIST SP 800-160 Volume 2 on developing cyber-resilient systems.
This World Economic Forum paper summarises the steps taken across the global IoT ecosystem by more than 100 stakeholders, covering manufacturers, suppliers, technology companies, government cybersecurity organisations, industry experts, civil society and activists, to draw up standard IoT security guidelines for consumer safety. No universal default passwords, keeping software updated, secure communication, protection of personal data and implementation of a vulnerability disclosure policy have been the key tenets.
These strategies and considerations for secure IoT deployment must also take in the extended enterprise, viz. supply chain, business, IT, HR, security, finance, legal, customers and distribution channels. Culture and communication are hence of paramount importance, and in 2022 leadership teams are relying on building awareness of and accountability for risk and security within the business, and on running mock drills or crisis games that simulate the response to a cyber crisis, as this article by Deloitte mentions.
Skills are also critical to the success of secure IoT deployment. As per this research by the World Economic Forum, 47% of surveyed companies perceive shortcomings in their trained and skilled cyber security teams. CHROs and CISOs/CIOs are hence focusing on retention, upskilling and attracting the best talent.
In the days to come, the intersection of IoT with the Metaverse and Web 3.0 will bring its own security considerations that need to be incorporated into Zero Trust, cyber resilience and risk strategies. In the medium term, the convergence of IoT and quantum computing will also be of particular interest: a sufficiently large quantum computer running Shor's algorithm would break the RSA and elliptic-curve public-key schemes that IoT devices rely on for identity, code signing and key exchange. No such machine exists today and breaking a key would not be instantaneous, but IoT devices often stay in the field for a decade or more, so traffic recorded now could be decrypted later, and devices shipped now will need an upgrade path to post-quantum algorithms.
In this uncertain world of intense competition, increasing attacker sophistication, declining customer loyalty and ever-increasing regulatory requirements, organisations have little choice but to expand their IoT deployments, and security is a critical part of making those deployments succeed.