The Internet of Things (IoT) – A Deluge of Devices. By all accounts, there will be 30-50 billion internet-connected devices by 2020. This is a massive cyber-attack surface to protect. The number of devices expands by the thousands every day; creating a daunting challenge for cybersecurity.
What is the IoT? The IoT is a network of dynamic, interlinked components that sense context, transfer data, process information, and initiate action (MIT, 2018); this forms a control loop. The IoT includes devices, vehicles, and infrastructure. The power of the IoT is that the physical and digital worlds seamlessly interact. This is the foundation for the digital transformation underway in almost every industry.
Since the IoT can initiate action, it presents a different set of cybersecurity priorities compared to the typical Enterprise IT environment. It’s critical to understand these differences since so much of the attack surface is being driven by the IoT.
Upside – IoT Unleashed. In a “smart, hyper-connected” IoT environment, every device and system will:
1) Connect to one another, and share data.
2) Be smart enough to make decisions.
3) Act on decisions independently, without human intervention.
This provides synchronization and coordination in real-time, at scale. The impact is higher productivity, proactive and preventive action, improved customer engagement, better customer experience, and new, powerful business models. It has the potential to unlock $11 trillion of economic value by 2025, per McKinsey Global Institute. This is the upside.
Risk – Shackles on Digital Freedom. While pursuing the promise from connectivity and smart devices, significant risks have to be addressed. In a cyber-attack, connected devices can be controlled by a threat actor and directed to take harmful actions. For illustration, here are some possible IoT cyber-attack scenarios. Watch the 2016 movie Zero Days for more color.
To take on the risk challenge, how should we look at IoT cybersecurity? It’s valuable to understand how IT and IoT priorities are different. Decision makers need to understand this difference as they consider extending IT cybersecurity to protect the IoT environment.
IT Priorities – Confidentiality, Integrity, and Availability (C-I-A) – C-I-A is a well-known acronym for the IT cybersecurity “triad”. For IT environments, the rank order of priorities is typically C, then I, then A. The focus of the IT environment is data.
The IT environment is typically mobile devices, computers, and servers interacting with one another in dynamic, unpredictable ways. The operating systems and communication protocols are relatively standard and ubiquitous. Software updates are frequent, helping to maintain some level of security. The IoT is different.
IoT Priorities – Different from IT. Connected devices, in a control loop, require different priorities: Control, then Availability, Integrity, and Confidentiality. The focus is on process control. The IoT in this environment is often called Operational Technology (OT).
Implications. Along with different priorities, the IoT presents unique challenges, including multiple protocols, infrequent software updates, and limited device security. For decision makers, it’s important to recognize that the IoT requires a thoughtful, outcome-driven approach to cybersecurity, not simply an extension of the IT approach and toolset.
Our team at ADI is working on solutions to overcome the IoT cybersecurity challenge. We seek to unshackle Digital Freedom.
What Market Voices Are Saying. Per Lux Research, the IoT Security Market has emerged. Patent activity in IoT Security has been increasing by 24% per year since 2012 (including devices, applications, countermeasures, and approaches) and the pace is accelerating.
Shout Out to a Digital Freedom Fighter. To our brilliant Cybersecurity Engineers working on the Universal Security Platform to make it is easy for ADI Customers to implement security in their Industrial Control System (ICS) designs, supporting IoT cybersecurity.