It may seem to have only just arrived, but Internet of Things (IoT) attacks are already a reality.
A recent CEB – now Gartner – survey found that almost one fifth of organisations experienced at least one IoT-based attack in the past three years. Because of this, Gartner has issued a very bright forecast for the IoT security market with worldwide spending to reach US$1.5 billion in 2018, a 28 percent increase from 2017’s figure of $1.2 billion.
"In IoT initiatives, organisations often don't have control over the source and nature of the software and hardware being utilised by smart connected devices," says Gartner research director Ruggero Contu.
"We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organisations will look to increase their understanding of the implications of externalising network connectivity."
Combined, Gartner says these factors will be the main drivers of spending growth with the market expected to reach a whopping US$3.1 billion in 2021.
Huntsman Security head of product management Piers Wilson says this prediction shouldn’t surprise anyone as serious IoT vulnerabilities are being discovered all the time.
“It’s a result of products being rushed to market without proper consideration of security concerns. The explosive proliferation of devices means the attack surface is expanding rapidly, giving hackers more opportunities to attack and leaving defenders scrambling to deal with threats coming from all angles,” says Wilson.
“Companies are now stuck in a situation where, because it’s impossible to retrofit proper security measures onto a device that’s already out there, they’re relying on their security analysts to mitigate the threat.”
Wilson says in the face of these attacks IoT users are often struggling to keep up and find their security teams overwhelmed, eventually leading to mistakes and burnout.
Despite the steady year-over-year growth, Gartner predicts the biggest barrier to growth for IoT security will come from a lack of prioritisation and implementation of best practices and tools – which will hamper the potential spend on IoT security by a staggering 80 percent.
"Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed," explains Contu.
"However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing."
Gartner found that while basic security patterns have appeared in many vertical projects, they have yet to be codified into policy or design templates to allow for consistent reuse. Because of this, technical standards for specific IoT security components are only now starting to be addressed.
This lack of ‘security by design’ is a result of the lack of specific and stringent regulations, but Gartner expects this trend to change, particularly in heavily regulated industries like healthcare and automotive.
By 2021, Gartner expects regulatory compliance to become the prime influencer for IoT security uptake.
"Interest is growing in improving automation in operational processes through the deployment of intelligent connected devices, such as sensors, robots and remote connectivity, often through cloud-based services," says Contu.
"This innovation, often described as Industrial Internet of Things (IIoT) or Industry 4.0, is already impacting security in industry sectors deploying operational technology (OT), such as energy, oil and gas, transportation, and manufacturing."
“The solution is relieving the pressure by automating the job of monitoring. An automated system can quickly establish a normal baseline of behaviour for any device so that when bad guys do try to exploit a vulnerability, it becomes immediately obvious,” says Wilson.
“The system can assess the threat and prioritise the most dangerous, allowing security analysts to handle the biggest problems rather than constantly running from pillar to post.”