IoT security picks up momentum

The internet-of-things market is expected to reach $1.6 trillion by 2025, but a lack of security standardization will threaten the development of IoT services, a report states.

“The fervent expansion of IoT connectivity and subsequent monetization strategies have revealed cavernous security concerns fueled by the lack of proper security standardization,” according to ABI Research’s “68 Technology Trends That Will Shape 2021.” Attacks on connected infrastructure, transportation and smart cities are becoming more frequent and sophisticated.

“The lack of security in IoT is not something new,” said Dimitrios Pavlakis, industry analyst at ABI Research. “IoT players usually focus on connectivity over security, and that makes sense [though] it might not seem as efficient from the point of view of a security analyst.”

To address security, IoT vendors try to apply traditional tools such as antivirus to IoT technologies, but that doesn’t work, he said. “Even standard IT-borne tools like firewalls or Intrusion Detection and Prevention Systems (IDPSs) need to be wholly re-worked and retrained with new [artificial intelligence] models,” the report states.

Through vulnerable IoT, botnets and zombies can take out not only one system, but entire markets. For instance, in 2016 the Mirai botnet attack on more than half a million unsecured IoT devices around the world flooded DNS infrastructure with traffic, making many websites temporarily inaccessible.

“Having insecure devices out there in the wild, that means these devices can also be leveraged by cyberattackers to launch truly IoT-based cyberattacks,” Pavlakis said. “This will be greatly exacerbated when 5G finally arrives because there’s going to be an unprecedented data amount traveling back and forth between the connected devices and the different platforms and services.”

Vulnerabilities in IoT devices doubled between 2013 and 2019, a study by Independent Security Evaluators found. Another study by F-Secure found that the number of attacks between January and June 2019 was 12 times higher than the same period in 2018. The largest share of attack traffic -- 760 million events – targeted the Telnet protocol that IoT devices use.

Another challenge is the fast-changing nature of the technology itself. “You cannot have a standard on [current] technologies … because in just a few quarters, that technology will change radically,” Pavlakis said.

The solution, he said, is to use a ROI-driven approach to secure the IoT markets one by one and to add TCP/IP to IoT communication protocols or “thing” identity management and gateway-level protection for lower power computing devices. That’s where standards and regulations will help. The International Organization for Standardization and the National Institute of Standards and Technology (NIST) have already offered frameworks, and Congress passed in December 2020 the IoT Cybersecurity Improvement Act.

The act, which Pavlakis called a “key milestone” toward securing IoT, establishes minimum security requirements for federal procurements of connected devices. It also requires NIST to publish standards and guidelines on the use and management of IoT devices. He said he expects the requirements to spill into state and local government rules and into private-sector practices.

In fact, California in 2018 became the first state to pass a law that took effect Jan. 1, 2020, requiring that all IoT devices sold in the state have “reasonable cybersecurity measures.”

“IoT players even now sometimes need to be convinced of the value of cybersecurity,” Pavlakis said. “IoT [contractors] need to know that if they don’t secure certain assets, if they don’t take any steps, they will lose money,” he said.  Governments should not do business with vendors that “seem to be lacking something in their approach,” he added.

According to an August 2020 Government Accountability Office report on IoT, 56 of the 90 agencies that responded to a survey said they use IoT technologies, although that will likely increase because many agencies said they plan to begin or expand their use of IoT. Most agencies that currently use IoT -- 50 -- reported acquiring and using readily-available commercial IoT technologies.

But the biggest challenge respondents said they have with IoT is cybersecurity, GAO found. “For example, the Transportation Security Administration’s officials told us they could not ensure the security and privacy of passenger information and subsequently took its network-connected security equipment offline until they developed a solution,” the report stated.

The IoT cybersecurity act is a major mark of progress, Pavlakis said, adding that although standardization and a full security framework for IoT are daunting, they’re not impossible.

“We are moving in the right direction,” he said.