Security has been an afterthought for many IoT applications, but the Internet of Things cannot simply be left to become the “Internet of Threats”, warns IBM.
Industry and utilities companies need to develop new strategies to mitigate and manage cyber risks, says the enterprise services giant, which has set new recommendations for securing the Industrial Internet of Things (IIoT).
IBM’s Institute for Business Value (IBV) has produced a new report, Internet of Threats: Securing the Internet of Things for Industrial and Utility Companies.
The document says that there is limited awareness of the need for IoT security. “An incomplete understanding of the risks posed by IoT deployments, coupled with a lack of a formal IoT security programme, contributes to the gap between IoT adoption and the capabilities in place to secure it,” it says.
IT-centric security frameworks and organisational structures are often not adequate to address the reliability and predictability needs of always-on IoT equipment.
While the Industrial Internet of Things represents a market that could add $14 trillion to the global economy by 2030, claims IBM, underlying concerns about the security and vulnerability of sensors and other devices “are justified”, says the company.
An IBM/IBV benchmarking study of 700 industrial/utilities IT and operational technology (OT) leaders found that devices and sensors, followed by IoT platforms, are the most vulnerable parts of connected deployments.
By 2020, 30 billion devices will be online, generating 600 zettabytes per year, says IBM. By 2035, more than 75 billion IoT devices will be connected.
When security plays catch-up
Deploying IoT technologies at a faster pace than they are being secured can “open organisations to dangers greater than negative public sentiment”, warns IBM. “For industrial manufacturing, chemical, oil and gas, and utilities, security breaches can lead to large-spread contamination, environmental disasters, and even personal harm.”
Operational IT has become a growing target, accounting for 30 percent of all cyberattacks, continues the report.
In the Middle East, for example, 50 percent of cyberattacks are directed against the oil and gas industry, creating major impacts to safety, productivity, and efficiency.
Despite this, most industrial and utilities organisations are still in the early stages of adopting best practices and protective technologies to mitigate IoT security risks, says IBM. “Only a small percentage have fully implemented operational, technical and cognitive practices, or IoT-specific security technologies,” adds the report.
As a result, the IoT security capabilities of most organisations “are in their infancy”, with cybersecurity risks “still being evaluated and risk assessments performed on an ad hoc basis”.
Part of this is down to an ongoing shortage of cybersecurity skills, and the slow emergence of IoT security standards. But what can organisations actually do about the expanding threat landscape?
Actions to take
First, organisations must recognise that IoT security doesn’t exist in a vacuum, says the report. “Procedures must be followed, practices and technologies adopted, and measures taken to meet key performance indicators (KPIs).”
Next, organisations should implement practices that follow an operational excellence model of people, process, and technology to build IoT security capabilities.
“Increase employee visibility into IoT security operations, IT, and OT. Makers of next-generation connected devices and services may consider purchasing insurance against software malfunctions and any damage hackers might cause,” suggests the report.
“Know when and how to be proactive,” it continues. “To prepare an effective response to cyberattacks, carry out breach simulations, regular field and plant situational awareness, and engage in security operation centre monitoring.”
Technologies to deploy
The IBV benchmarking study gauges the use of a number of technology solutions for delivering IoT security. These include:
• Encryption to protect against attacks that could compromise sensitive information and lead to the destruction of property and equipment, or create personal safety issues.
• Network security and device authentication, to secure deployments between IoT devices, edge equipment, and back-end systems and applications.
• Security analytics, to identify potential IoT attacks and intrusions that may have bypassed traditional security controls.
• Identity and access management, which can help enterprises and service providers manage and secure relationships between identities and IoT devices.
These are all excellent approaches, says IBM, but the overwhelming need is to look at IoT security as a strategic business issue, and not as a technology problem demanding point solutions.
Internet of Business says
So far, 2018 has seen a number of key trends dominating IoT announcements. Among these have been: the rise of driverless vehicles and drones; the coming of 5G; and the use of connected technologies in healthcare and retail. However, the strongest and most consistent message has been a warning about lax IoT security, both from a provider and user perspective.
IBM has a good track record in raising the alarm about these issues, having carried out some of the earliest security tests on devices such as connected cars, lightbulbs, and enterprise HVAC systems, all of which it found to have serious flaws – such as the brakes of a smart car that white-hat researchers were able to disable with a hacked MP3 file some years ago. It seems that little has changed since then.
IBM is one of the biggest names in enterprise technology, and has itself refocused on cognitive services and connected systems, so let’s hope that more organisations pay attention to both its warnings and its practical advice.