There are key areas where the industry supporting the internet of things (IoT) needs to provide better security, according to Beecham Research.
The key areas where external or internal attacks may originate and need to be addressed by the fast-growing IoT industry are shown on Beecham’s IoT security threat map.
“The only reason we have not seen serious IoT breaches already is because the IoT has not yet been deployed in large-scale consumer or enterprise applications that make them attractive to attackers,” said Beecham Research technology director Jon Howes.
“Traditional machine-to-machine [M2M] applications are typically very focused, using specific edge devices, a single network and custom platform, making it relatively easy for security professionals to secure to the acceptable level,” he said.
However, Howes said IoT cuts across different sectors and embraces multiple devices and networks – from satellite to cellular – along with a growing number of IoT platforms and big data systems, which presents threats on many different levels and fronts.
“Wherever there is a new interface between devices, networks, platforms and users, there is the potential for a new weak link,” he said.
Without concerted action now, Howes believes the proliferation of different devices, networks, platforms and applications to support the IoT multiplies the vulnerabilities and greatly increases the potential for malicious attacks.
Beecham’s IoT security threat map points to a number of specific internal and external threats inherent in the IoT ecosystem.
With sensors and devices, researchers believe the challenge is largely around identification, authentication and authorisation, to ensure a level of trust and avoid risks such as application hijacking.
There is also the threat of physical intrusion. “Using differential power analysis, it is well known that by listening to very small changes in power consumption when different calculations are performed in a chip, it is possible to work out an encryption key,” said Howes.
The threat map shows that the main threat at the network level comes at the interface between different types of network.
“With a mix of fixed, satellite, cellular and low-power wireless networks, as well as personal and body area networks, the challenge is to secure the transfer of multiple streams of data between selected networks without exposure of key secrets or equipment control,” said Howes.
According to Beecham, with more than 100 organisations now offering IoT platform systems, combined with the growth of big data and cloud-based technologies across multiple market sectors, this is where most attacks will be focused.
“The benefits of IoT by definition rely on lots of data with high levels of searchability and analysis, but this also means the data must exist in plain text, which presents multiple threats – not least from insider attacks from sysadmins and authorised users,” said Howes.
No co-ordinated approach to securing IoT
Beecham Research believes that while work is going on to secure different parts of the IoT, there is no co-ordinated approach.
“We talk about the need for a deep root of trust in security and this is even more critical in a complex, connected IoT ecosystem,” said Howes.
“This starts at device level with sensors and microcontrollers, and continues through the networks, platforms and into the cloud. It’s a massive jigsaw and every piece has to deliver a level of trust to ensure end-to-end security and integrity.”
Beecham Research CEO Robin Duke-Woolley said security of the IoT is “significantly” more complex than existing M2M applications or traditional enterprise networks.
“Data must be protected within the system, in transit or at rest, and significant evolution is required in the identification, authentication and authorisation of devices and people,” he said.
Duke-Woolley added that there also needs to be recognition that some devices in the field will be compromised or simply fail.
“There needs to be an efficient method of secure remote remediation – yet another challenge if the IoT is to live up to expectations,” he said.
In September 2014, a Beecham Research report called on industry to act on security for the IoT before it is too late.
The report revealed there were insufficient security capabilities in the emerging IoT standards to manage the long lifecycles expected in many IoT devices, such as heating systems.
In February 2015, another Beecham report said security and data management for the IoT is a big value-add revenue opportunity for service providers.
The report predicted that revenues from device authentication, device management, data management, billing and security will exceed $3bn by 2020.
Out of these, Beecham said security and data management services are expected to generate around $1.8bn alone.