The global market for the Internet of Things is expected to rise from $300 billion in 2021 to $650 billion in 2026, at a CAGR of 16 percent. One forecast estimates there will be more than 41 billion IoT devices by 2027. With all of these new devices online, there is a genuine concern about handling security. Does the use of private networks help or hinder Internet protection? What were some of the security learnings from the initial stages of IoT deployment, and what are the biggest challenges companies face when using a private network with IoT connections?
I had a conversation recently with Jimmy Jones, the Head of Security for ZARIOT. Jones has held many positions in the tech world, from engineering to sales to business development, at several companies such as WorldCom, PCI, Positive Technologies, Ribbon Communications, and NexTone. Here are a few key observations from our conversation.
Is IoT Secure?
There is a perception regarding IoT that it is not secure, and some of that, Jones argues, is due to the first-mover advantage. When a new product goes to market, it’s often built with fewer bells and whistles to see whether demand for the product exists. In the case of IoT sensors, early devices have lacked security by design.
IoT devices can also be built with off-the-shelf software and hardware, resulting in something that’s almost like an IoT Frankenstein’s monster. You’ve got all these different parts put together to create something, with software and hardware from various sources – any of which could be a security risk. Then it’s absorbed into your solution.
Is the Device the Only Challenge?
Every IoT ecosystem can basically be boiled down to three elements: the device, the network connectivity, and the application running those devices. The application could be as simple as a server gathering all the data or something more dynamic, pushing instructions back to the device. Those three elements are your IoT DNA, and the entire DNA must be understood to secure a network.
What is needed for true security is for all involved to work as an ecosystem. Collaboration and cooperation are the only way an enterprise can have a secure IoT solution. The device manufacturer, the connectivity provider, and the application developer need to work together because they all bring individual skill sets to the party, and it’s far too diverse for anybody to be able to say they can do this under one umbrella. There can be multiple device vendors and connectivity methods (Wi-Fi, Bluetooth, cellular), so the problem grows exponentially. Currently, the market for IoT is mostly M2M, machine-to-machine, but we’re going to get to the point where the device not only monitors but actively controls some physical devices.
What Can Never Happen?
An enterprise needs to decide what can never happen with its data and work towards that goal. It will be different for different organizations. A hospital will decide that its patients’ medical records can never be breached, while a factory might decide that its development plans must stay safe.
An enterprise needs to get buy-in from the CEO, CTO, or whoever the decision-makers are. It can’t be done in a silo, and all involved need to understand that IoT takes a long time to actually deploy and deliver ROI. Everybody needs to be on the same page: everyone is committed to security, and that security is measurable.
Is 5G More Secure than LTE?
Some of the networking protocols used in the past were relatively obscure, so hackers and others intent on causing trouble weren’t able to abuse them as much as they could if they were well-known. That was security through obscurity.
5G brings together a lot of different technologies, some of which are very well known. When APIs, HTTPS, and other things like that are brought in, it’s difficult because people (e.g., hackers) know these inside out and have been working with them for years. They can use the same techniques against these networks that they have been using against, for example, financial institutions. Now we have complexity being the enemy of security.
Why Go Private?
Enterprises are opting to deploy private networks to get something they think they cannot get from a public network. It could be the ability to authenticate users, separate traffic, or achieve very low latency with multi-access edge computing. It could also be driven by a massive security worry or a massive aversion to threats.
Are there Standards for IoT Security?
Cybersecurity standards exist, and those for IoT are being developed and implemented, which should significantly help the industry. The European Union Agency for Cybersecurity (ENISA) has an interconnected radio equipment initiative ratified late last year. That, and other standards, draw on the ETSI “European Standard on connected device security.” That’s good, as it shows a global market. Having these standards in place will help the IoT market significantly. With them, vendors will be able to confidently address regulations across the globe because they keep returning to the same standard.