According to research firm Gartner, there were an estimated 6.4 billion IoT devices in 2016, and the firm forecasts over 20 billion IoT devices by 2020. Despite such impressive numbers, there has been a fundamental lack of basic security throughout the IoT industry.
For the past few years, experts have been sounding warnings about IoT security vulnerabilities, and while there have already been a few instances of IoT hacks, the floodgates finally opened with the October 2016 DDoS attack on major global websites, including Twitter, Netflix, Reddit and the UK government's sites. The attack was reportedly powered by the Mirai botnet, made up of unsecured IoT devices.
So, what does all this mean for IoT in the upcoming year? Security pros across the board have weighed in on what to expect, and we’ve narrowed it down for you:
IoT vulnerabilities and attacks look set to increase, as does the need for standardization in various security measures. In its report, Predictions 2017: Security and Skills Will Temper Growth of IoT, Forrester says that the October DDoS attack was just “the tip of the iceberg when it comes to using connected devices to do harm.”
Chad Bacher, Senior VP of Product Strategy & Technology Alliances at Webroot, goes a step further and predicts that we will see the first ransomware for IoT devices. While IoT devices don’t generally store sensitive data and often don’t have the interfaces to deliver ransom notes, Bacher says that ransomware will keep proliferating and become even more destructive. With new data, new technologies, and new ways to profit from those at hand, criminals will find ways to reveal personal information and digital assets unless victims pay up.
Palo Alto Networks also says IoT ransomware should be expected, as the vulnerabilities already present in IoT devices will eventually give way to damage on a larger scale, for instance, shutting down a production line.
When people think of IoT, they see mobile devices, smart appliances for the home, and perhaps even smart cars. They don’t see large infrastructure systems, like power grids, avionics, or even railway systems. According to an interview with Matt Dircks, CEO of secure access software company Bomgar, there is a fairly significant chance we’ll see a “major hack on power grids or on transportation systems like rail in 2017.”
The main issue here is that the public is so focused on their personal smart devices that they forget about these widespread systems and the unsecured technology that powers them. Organizations must attempt to stay ahead of the curve to prevent these huge infrastructure dangers, which stem from the very security threats plaguing mobile devices now.
Beyond threats, IoT technology will continue to develop and reach new heights in 2017. According to an article by Forbes, IoT software will be distributed “across edge devices, gateways, and cloud services,” which means that artificial intelligence (AI), as well as machine-learning cloud services, will increasingly be used to communicate and collect the data coming from IoT devices.
This is huge for industries like retail, with 30% of annual losses attributed to the inability to detect non-scanned items at checkout. The combination of IoT and AI can address issues like this even more effectively through the diligent gathering and processing of data. Darian Shirazi, CEO of Radius, reinforces this notion, explaining that successful data quality can help drive change and improve businesses.
However, with these advances comes the threat of new attack surfaces and maneuvers in hacking, malware, and exploitation. For IoT and subsequent technologies to succeed, the security behind them must be up to par.
IoT is still in its infancy, and the extent and impact of existing security flaws may not be obvious yet, says Palo Alto Networks, because of the “limited computing and connectivity capabilities” of the devices being used today. What’s more, in the implementation of IoT and cloud services, the exact ownership of the security of these devices gets muddied: is it the internal IT department, which may overlook a number of devices, or the IoT device manufacturer, which didn’t integrate security measures properly, or even the individual consumer?
Palo Alto Networks security pros argue that organizations that develop, produce, and host these devices must make a concentrated effort to integrate security from development onward, both in the devices and in the networks they operate in. Experts at SecurityIntelligence agree, imploring authorities to apply effective economic pressure to device manufacturers to force them to stop selling “security-blind” devices, i.e., devices that do not adhere to even the minimum security standards.
Traditionally, Public Key Infrastructure (PKI) has provided security solutions for enterprises—but as 2017 hits, it is going to become a big player in IoT as well, especially as devices and networks continue to evolve and expand alongside security concerns. Establishing identity, authentication, and encryption for data in transit between networks is a must, and PKI is a proven technology that delivers the solutions necessary to secure device communications.
The key to IoT success lies in organizations ensuring open communication between IT and leadership to understand potential new threats, as well as the challenges and constraints that exist in preventing those threats. If there is a standard knowledge of the weaknesses in current IoT security practices and the options available to prevent them, then users can better stay ahead of ever-emerging attacks.