A recent global study revealed that IoT will “soon be widespread”, as 85 percent of businesses plan to implement IoT by 2019, driven by a need for innovation and business efficiency.
The research questioned 3,100 IT and business decision makers across 20 countries, including the US, the UK, France, Germany, Italy and Spain to evaluate the current state of IoT and its impact across different industries. But the report, commissioned by WiFi systems vendor and Hewlett Packard Enterprise subsidiary Aruba, cautioned that connecting thousands of things to existing business networks has already resulted in security breaches for the majority of organisations.
The study found that 84 percent of organisations have experienced an IoT-related security breach. More than half of respondents declared that external attacks are a key barrier to embracing and adopting an IoT strategy. So where are we with IoT security standards and how can companies mitigate the risks now?
Chris Kozup, vice president of marketing at Aruba, says: “While IoT grows in deployment, scale and complexity, proper security methodologies to protect the network and devices, and more importantly, the data and insights they extract, must also keep pace. If businesses do not take immediate steps to gain visibility and profile the IoT activities within their offices, they run the risk of exposure to potentially malicious activities.”
2014: Hackers manage to commandeer hundreds of webcams and baby monitors
2015: Researchers remotely take over and crash a Cherokee jeep/Attack on Ukrainian power grid leaves 225,000 people without power
2016: Smart thermostats are hacked to host ransomware/Mirai botnet spreads DDoS attacks using compromised IoT devices, including CCTV cameras and printers
A major problem for those deploying IoT systems is that we are not there yet with universal security standards, making it difficult for organisations to ascertain whether the hardware, software and outside help they are bringing in are working to and maintaining effective security. As bodies including including the International Organisation for Standardisation (ISO), the International Electrotechnical Commission (IEC), the European Telecommunications Standards Institute (ETSI), and mobile industry association the GSMA, among others, work on the security standards needs of users, it is important that organisations show careful due diligence as part of their IoT roll-out plans.
Another major issue for security standards for IoT devices is the differences between the industries they are used in, so relying on a single set of standards is difficult. A connected coffee machine has different requirements than a pacemaker, which has different requirements than a car, and so on. As a result, some industries are moving ahead with their own initiatives. The Industrial Internet Consortium came up with its own framework for Industrial IoT security towards the end of 2016, and in the automotive industry, the Society of Automotive Engineers made some progress with the release of its Cybersecurity Guidebook for Cyber-Physical Vehicle Systems.
