Nov 09, 2020
Network security is still the main reason hindering the rapid development of the Internet of Things, and concerns about security reduce the possibility of using Internet of Things devices.
In fact, research has found that if corporate customers’ concerns about network security risks are resolved, they will be willing to buy more IoT devices, at least 70% more on average than they would purchase when these issues were not resolved. In addition, 93% of executives surveyed said they would pay an average of 22% more for more secure equipment. Taken together, we estimate that improving the security of these devices could increase the IoT network security market by US$9 billion to US$11 billion. One of the reasons for this market demand may be the increasing pressure brought by new regulations such as the EU General Data Protection Regulation (GDPR), which impose strict data protection requirements and penalties on companies with insufficient security (including data breaches).
This article presents the results of research and survey work, including discussions with CEOs, chief operating officers, chief information officers, chief information security officers, and other business and technical leaders in cybersecurity and Internet of Things technology. Obviously, even the most advanced cybersecurity company executives are most concerned about security issues.
IoT device suppliers are companies that manufacture IoT devices and companies that provide related solutions. They have a clear goal: to improve security to gain a competitive advantage and expand the market.
Customer's View on Cyber Security
Most executives (60%) surveyed said they are very concerned about the risks that IoT devices bring to their companies. This is not surprising, because IoT security breaches can cause damage to operations, revenue, and security. When improperly protected, IoT devices can allow access to corporate systems, leading to massive data leakage.
Infected devices may also be used to attack enterprises. In October 2016, the Mirai malware attack compromised thousands of sensors, cameras and other devices, created a huge botnet, and launched a distributed denial-of-service attack, taking down popular websites (including GitHub, Netflix, Twitter and Airbnb). In January 2018, Okiru (a Mirai variant) could infect the ARC processors widely used in billions of IoT products. Infected IoT devices can also engage in click fraud, causing advertisers to lose billions of U.S. dollars every year. Compromised devices can also be used to mine cryptocurrencies, such as Bitcoin and Monero.
When determining solutions to prevent these types of attacks, IoT equipment vendors can segment their target customers based on the maturity of network security capabilities. This subdivision helps to determine different methods based on typical needs, and reflects the status quo that the capabilities of enterprise customers are not static but are developing to a higher level. The study found that customers at the least developed end are more likely to seek simplified and integrated security solutions, while those with more advanced features are more willing to invest in the best or customized point solutions.
In various market segments, almost all executives said that IoT devices pose a moderate or significant risk to their organization. Compared with companies with weaker network security capabilities, in companies with higher network security maturity, executives will see more security risks.
Research also shows that executives in certain industries believe that the IoT risk in their industry is higher than in other industries. Executives in the durable goods, construction engineering, energy and utilities, financial services, and technology industries are most likely to say they are very worried. These concerns reflect industry realities, not just the views of individual executives. For example, in the energy industry, oil and gas producers rely on tens of thousands of IoT sensors and complex production control devices on their oil wells and drilling platforms. Energy companies use data from these IoT devices, which can arrive at an average rate of more than one terabyte (TB) per day, to adjust their operations in real time while maintaining strict safety thresholds. Compromising the integrity of this data or disrupting its flow can cause catastrophic damage.
Nearly half of healthcare executives believe that the Internet of Things in their industry has major security risks. Hospitals and clinics increasingly rely on connected diagnostic, monitoring and nursing service equipment from a variety of vendors who obtain components from third parties. Nuclear magnetic resonance equipment, robotic-assisted surgical equipment, and drug delivery pumps are all extremely likely to be accessed without authorization. This poses a clear threat to patient safety. In September 2017, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) discovered a vulnerability in a wireless syringe infusion pump and warned that, if left unaddressed, it may pose a major threat to patients.
The use of the Internet of Things by manufacturers also brings new risks to the industrial environment. Large manufacturers may deploy thousands of IoT devices, from sensors to complex semi-autonomous robots. A compromised sensor may produce inaccurate data, which prevents management from making critical operational decisions or creates inventory issues that severely affect the entire value chain. A greater risk may be found on the factory floor, because compromised robotic equipment may introduce subtle but dangerous behavior or cause greater damage and injury to workers and other equipment.
Customer's solution to Internet of Things network security
Conversations with executives who manage security indicate that customers need solutions that are efficient, easy to integrate, and flexible to deploy. Companies adopt a range of methods to meet their security needs, based on their capabilities and the availability of market solutions provided by suppliers. Only about one-third of the Internet of Things network security solutions currently in use come from Internet of Things equipment suppliers, which indicates that the suppliers either do not provide comprehensive and high-quality solutions that meet the needs of consumers, or they do not promote them well.
Our research found that companies with the most advanced cybersecurity capabilities rely more on internally developed security solutions, not only because they may have more complex needs, but more likely because they have the talent and ability to develop their own solutions. Companies with self-organized security functions have the greatest demand for security solutions among all the IoT users studied.
Suppliers fail to meet customer needs for cybersecurity
We have also studied how the company deploys security solutions layer by layer, and found ample opportunities for IoT equipment suppliers at each layer.
Our investigation found that the access interface layer has the highest level of protection, whether it is developed internally or provided by a manufacturer or a third party. Other layers are protected by more internal solutions, or in some cases no protection at all. Customer preference for internal solutions can be partially explained by considering the specific conditions of each security layer.
For example, data security solutions often require more computing and power resources than are currently available on basic IoT devices. MIT researchers have created a new chip that can use 1/400 of the power and 1/10 of the memory to encrypt IoT devices at 500 times the speed of the current chip. However, before this new technology is widely adopted, manufacturers need to continue to balance this requirement with the size, cost and power of IoT devices when designing solutions.
Hardware security solutions must address vulnerabilities in physical interfaces (such as USB or Ethernet ports), device operating systems, and firmware. However, few manufacturers fully test the hardware for known vulnerabilities before shipping, and most equipment is insufficiently tested on a continuous basis for exposure to new vulnerabilities.
Finally, IT security operations must manage and monitor its IoT devices, combined with log data from the other five layers. Although most companies want to have a set of closely integrated tools and have a comprehensive understanding of the security status of their devices, few IoT device manufacturers have a good understanding of their customers' operations to provide such solutions. Nevertheless, they can still work with customers to identify trusted third parties as partners in the development of comprehensive security solutions.
In general, the shortcomings of these types of manufacturers may cause customers to develop their own solutions when considering various security layers to protect their IoT devices. Due to the lack of well-designed IoT network security products and services, customers are designing their own solutions, completely abandoning the use of solutions or implementing corresponding solutions until the supplier meets their own requirements.
How IoT equipment suppliers gain market share
IoT device vendors and ecosystem participants that act quickly to improve the security of IoT devices can not only reap the rewards of commanding premium prices, but also expand the market. Some leaders in the IoT ecosystem are stepping up to address security challenges and seizing the opportunities within them. Amazon has created an ecosystem of IoT solutions integrated with its cloud products. It recently obtained a license for an open source operating system called FreeRTOS, which makes it easier to develop, deploy, manage, and protect low-power IoT devices, and enhanced it with libraries and tools that can help with IoT device management and data and network security.
Similarly, Microsoft's Azure IoT Hub provides device management and security functions in the form of device configuration, authentication and secure connections. Another example is GE (a manufacturer of industrial IoT equipment), which regards cyber security as a competitive advantage and strategically strives to embed functions in all aspects of its IoT technology. GE acquired Wurldtech in 2014 and finally integrated Achilles security products with the Predix IoT management platform. From an operational perspective, GE assigns risk management and product safety responsibilities to full-time leaders throughout the organization, who ensure that cybersecurity is prioritized and implemented into its products, including IoT devices. These efforts represent important advancements, but they are not sufficient by themselves to solve the broader security issues faced by using the Internet of Things. All IoT equipment suppliers need to pay more attention to security in the design, development and deployment of equipment. The following four steps can help executives complete this task.
First, manufacturers need to understand how customers use their equipment. Keep up to date by refreshing the knowledge of customer use cases every 12-18 months, which will enable manufacturers to keep abreast of changing safety requirements and help identify unmet needs. Determining the average cybersecurity maturity level of its customers will help manufacturers invest in appropriate ready-to-use and add-on solutions. For example, customers of self-developed solutions tend to seek economic benefits rather than the latest and best solutions.
Secondly, manufacturers should provide network security features on the device and, if possible, cooperate with trusted network security vendors to provide other solutions. The engineering team should embed security development practices into the software and hardware components of the device, and provide inherent solutions for the access interface, application, data, and device layers. Regardless of the maturity of network security, most customers will use these ready-to-use features. Taking these measures can reduce common vulnerabilities in IoT devices, such as default or embedded passwords, network credentials and network communications that lack data security, and weak security measures to ensure system integrity. Manufacturers can also cooperate with network security providers to provide after-sales solutions at the data, network, and operation layers, and selectively integrate these solutions into certain customer groups. For example, customers with consistent security tend to choose integrated solutions, while practicing companies seek the best solution rather than an integrated solution.
Third, manufacturers also need to meet quality assurance requirements and be able to prove that their IoT devices have no known vulnerabilities. For customers who sometimes install new equipment but do not find vulnerabilities in it, this will alleviate the main point of danger. Deploying a more structured process to identify and remove vulnerabilities across security layers, or engaging third-party vulnerability scanning and penetration testing companies, can help manufacturers meet this need. Defining a cyber security warranty period with clear obligations can inform customers of the content and duration of the supplier’s responsibility. Taken together, these measures are the best methods for network security and can be used for devices with high security requirements.
Finally, the manufacturer can continuously test for new vulnerabilities during the warranty period, provide software and firmware updates, and provide ready-to-use and after-sales solution features and function upgrades. Throughout the warranty period, providing updates to firmware, operating systems, and applications in response to newly discovered security vulnerabilities should always be the top priority.
These four steps are a beginning, but they are by no means everything needed to solve the security problems that hinder the development of the Internet of Things. Although the growth of the IoT market seems destined to be unstoppable, many corporate customers will continue to proceed with caution until they can reasonably ensure the security of their data and the safety of the devices, sensors, and overall IoT operations on which companies increasingly rely.