Mike Ahmadi, CISSP – Global Director – IoT Security Solutions at DigiCert, shares his opinion on the potential security challenges posed by the use of IoT in a digitally transforming world.
I believe, initially, the biggest challenge facing organisations expanding their offerings in the IoT space is a lack of understanding of the current security challenges and how they will evolve and scale over time.
As an example, imagine a company that makes something like an aquarium thermometer that has been selling a few hundred thousand per year. Once they add web connectivity to the device, they may discover that sales jump to a few million as both existing and new users decide to take advantage of the interesting features and benefits connectivity offers. In this simple connected thermometer scenario, where a particular product has evolved significantly, there are potentially a lot more Information Technology elements involved – for instance, local Bluetooth networks, smartphone apps and cloud-based user portals. Each of these areas can pose a security weakness and the product or service supplier therefore needs to gain a deeper understanding of the risks.
Many organisations choose to implement security measures based on perceived risk without fully realising that the consequences of failure can potentially ruin a successful business and brand. Some base their assumptions on what they know today, but what tomorrow brings is often far different, especially in a space like IoT that is still an immature market in terms of established industry best practice when it comes to security.
In a high-growth IoT scenario, where new or updated products are now generating more security requirements and secure data flows, an organisation that had previously relied on something like an in-house PKI trusted authentication system may find that it is unable to cope with new business models.
Moreover, the IoT landscape is still lacking tough regulatory controls, although there is a strong likelihood that soon governments or industry groups will start to mandate guidelines for how IoT devices are secured. Failure to meet these regulations might block entry into certain regional markets or denigrate the product or services in the eyes of potential customers.
For organisations with an IoT footprint, the best advice is to consider a security-by-design approach. This assumes that tougher future regulations are likely as the device ecosystem grows, which means that an inherent flexibility should be built in from day one to adapt to future business needs.
It is very important for organisations deploying IoT systems, devices and services to work with organisations that have both the experience and the resulting wisdom that come with large-scale deployments. In some cases, like PKI, this means gaining the advantages of moving the security burden out of house and putting it in the hands of those who are best equipped to deploy and manage such solutions.