Synopsis
Internet of Things (IoT) startups are poised to revolutionize various sectors, including health, utilities, homes, and cities. This disruption can be likened to the dot-com boom of the early 2000s. However, there’s a significant difference: while the Internet relies on virtual infrastructure, IoT bridges the gap between the physical and virtual worlds by leaving a tangible footprint.
The need for security in the design of IoT ecosystems cannot be overstated. When personal computers and the internet became ubiquitous, antivirus software and other security measures gradually evolved to protect users. However, the IoT landscape follows a distinct trajectory. Unlike the standardized protocols of the internet, there’s no universal framework for IoT devices. With a plethora of IoT design kits available, developers can tailor solutions to specific use cases. Major vendors also create proprietary devices to capture market share.
An IoT solution typically comprises IoT devices (the “things”), communication links, IoT systems, gateways, and data storage. Vulnerabilities exist at various layers, including physical objects, data, communication interfaces, and the communication links themselves. Unlike the internet, where point products could be added to counter new cyber threats, the IoT ecosystem faces challenges in securing multiple layers. Regulatory frameworks are urgently needed to ensure security by design across all layers.
The critical aspects shaping the role of IoT security include:
- Enabling New Use Cases: IoT devices empower automation across diverse sectors. Examples include smart water meters, agricultural valves, and intelligent streetlights in smart cities.
- Industrial Automation: IoT devices are increasingly integrated into existing operational technology (OT) infrastructure, which predates the mainstream internet.
- Sophisticated Threat Actors: Compromising IoT systems can bring down an entire plant and disrupt essential operations such as health and utilities. The severity of this impact has attracted various state-sponsored threat actors to the IoT landscape. While threat actors targeting IT systems are often driven by the monetary benefits of exposing confidential data, threat actors in IoT are driven by stronger motivations and are often state-sponsored. The defense required to counter these attackers cannot be fragmented, because a fragmented defense will expose a weak link.
Securing an IoT system is complex due to its multifaceted nature and the lack of standardized designs. Startups, driven by agility and the need for funding, often prioritize functionality over security. Ensuring that an IoT device connects to the network and alerts appropriately becomes crucial for customer engagement. However, security measures, such as guardrails for cloud connectivity, storage, and analytics, are often overlooked during the high-speed pursuit of funding.
IoT design vendors and communication device manufacturers (such as makers of Cat-M1 and LoRa modules) face ongoing changes, making security maintenance challenging. Additionally, disruptions like COVID-19 impact supply chains, necessitating frequent design updates to accommodate component shortages.
Discontinued IT systems supporting IoT devices pose a significant challenge for vulnerability patching.
Securing the IoT ecosystem requires concerted efforts across various layers, regulatory frameworks, and a proactive approach to address emerging threats. The convergence of physical and virtual worlds demands robust security practices to safeguard our interconnected future.