With a greater degree of control and more integration than ever before, a new and unprecedented set of threats is arising, endangering our networks, our databases, and even our critical infrastructure. These threats are ripe for exploitation by hackers for financial gain, media attention, or to further political causes.
More worrying still is that the alarming pace of development of early IoT devices has led manufacturers and service providers to act rashly, creating gadgets that are connected to the internet and very often handle personal data without adequate security standards and safeguards. IoT environments today rely on little to no protection against cyberattacks, often lacking basic security measures like proper encryption and authentication. It is unsurprising, then, that a recent study by HP revealed that 70% of Internet of Things devices are vulnerable to attack.
The biggest challenge for cybersecurity in 2017 and beyond isn’t the rise of ransomware or state-sponsored cyberattacks, but the scale of IoT and the speed at which this shiny new ecosystem has grown. By the end of 2016, an estimated 6.4 billion devices were connected to the internet, a 30% increase from the year before. According to projections made by McKinsey, this number will grow to between 20 and 30 billion by 2020. As threats spread more rapidly and impact an ever-increasing number of devices, the consequences of insecurity are amplified.
Still, recent developments have provided enough incentives for companies and regulators to bring IoT security into the limelight. By far the best example was the October 21 attack on Dyn, a domain name service provider, that disrupted access to high-profile sites such as Twitter, Spotify and The New York Times. The distributed denial of service attack (DDoS), carried out by unidentified hackers, was the largest of its kind. The hackers took control of tens of millions of vulnerable IoT devices using malicious software called Mirai. This created a massive botnet, or a remotely-controlled army of infected computers, that was able to crash Dyn’s DNS servers — one of the pieces of key critical infrastructure that keeps the internet running today. The sheer scope of this attack made it much harder to defend against than previous DDoS attacks. Still optimistic? Well, botnet access is even being put up for sale on the Dark Web.
Another difficulty in defending against attacks on IoT devices comes with the type of devices that are being hacked into. There might not be that much that a malicious hacker can do with a smart kettle, but IoT devices are not confined to the home. Last summer, for instance, security researchers took control of the steering and transmission of a Jeep Cherokee traveling 70 miles per hour on the highway. Hackers can now gain access to the personal data held by smart watches, baby monitors, and pacemakers. Hence, there is an urgent need to improve IoT security.
Yet despite this urgent necessity, there is still a patent lack of unified global guidelines for such security. Regulating the industry is made even harder by the fact that companies connecting devices to the internet do not fit into any one category, but stretch from smart TV makers to medical device manufacturers.
Instead, security firms and regulatory agencies are being forced to play catch-up and work to minimize dangers retroactively. If not adequately addressed, security and privacy issues can become hurdles to IoT adoption. But with so many gaps to fill, a huge opportunity is presented to cybersecurity companies and manufacturers to act off their own backs to increase trust in their devices. Business-to-business spending on IoT solutions will reach an astonishing $267 billion by 2020, according to BI Intelligence, with much of it directed to cybersecurity.
And the cybersecurity industry is slowly but surely turning its focus to IoT. At this year’s Consumer Electronics Show (CES) in Las Vegas, security was a central topic, with some companies demonstrating their will to take action on emerging threats. These include Symantec, which released a new Norton Core home security router; Cujo, with its novel smart firewall; and Bullguard, with its new smart home-security solution, Dojo.
Almost invisibly to consumers, the Online Trust Alliance has released the second version of its IoT Trust Framework, which serves as a risk assessment guide for stakeholders in the IoT business. It sketches device design requirements and security processes, and sets out parameters for future IoT certification programs. The need to increase security will also likely lead vendors such as Amazon, Google and Samsung to redouble their own efforts, which should stimulate other private sector players to apply security best practices in turn.
Governments have started to move, too. In November 2016, the White House and the US Department of Homeland Security published their guidelines on IoT-related cybersecurity. These are still voluntary recommendations, rather than formal regulations, but at least the inertia has been broken. Policy makers, nonetheless, should be careful to craft a framework that is not too restrictive, while also seeking out ways to reward security-conscious products with certifications and encourage manufacturers to voluntarily develop and adopt best practices.
The bottom line is that 2017 will mark an inflection point for cybersecurity and IoT. Innovation will only grow sustainably if the networks that manage the sensitive data handled by IoT devices are secure. Those who provide the best solutions in this critical field are set to profit handsomely.