IoT cybersecurity is one of the biggest concerns for companies in the industrial sector when dealing with an IoT project or roll-out. And there is a reason for this concern.
Businesses are already exposed to cybersecurity threats that can cause them irreparable damage. And it is not just an economic issue. Cyberattacks on critical industrial sectors such as water, electricity, or gas can have serious repercussions and impact consumer society. When these companies also carry out digitalization processes using IoT, the number of attack vectors increases substantially. Talking about IoT security means talking about cybersecurity throughout your entire value chain. To do this, it is first important to understand what the value chain is in IoT.
The IoT value chain is far from being a standard agreed across the industry. The immaturity of the IoT market itself means that there is yet to be any agreement on the matter. However, there is some consensus about three aspects of the IoT value chain to be considered.
Edge or Local Plane
This is the level closest to the physical world, the “T” in IoT (Things). This includes sensors and actuators that interact with the physical world and gateways, hubs, and other IoT nodes that communicate locally with the sensors and actuators. (NB: the term “edge” is not understood the same way across all sectors. This is particularly the case in telecommunications, where the “edge” literally means the edge of the network and is not a local element.)
This is the “highway” connecting data from the local plane to the remote plane and vice versa. It unites the physical world with the digital world of the internet.
Cloud or Remote Plane
It’s what makes the “I” in IoT meaningful. It collects, processes, and uses the data it receives. It is important to stress that it is very common for some of the processing and analysis of local data to be done on the edge itself, which is known as edge computing. The IoT cloud is the set of servers, databases, and remote analytics and visualization platforms that make sense of and give value to data. It is also often the primary interface through which people consume these data.
So, security in IoT is security at each of these three levels. All of them are important to ensure the integrity of the data exchanged and the remote and local systems involved.
Both communications networks and cloud elements are traditionally much larger and better protected. And that is precisely why the vast majority of cyberattacks and security threats focus on IoT devices.
IoT Devices: Weakest Link in the Security Chain
The IoT device is by far the most vulnerable element of the entire security chain. The main reason is the lack of firmware updates.
As users in the more mature PC and mobile telephony industries, we are completely used to receiving notifications of new versions available, security patches, etc. This keeps our smartphones and laptops up-to-date and protected against the latest threats as they appear on the market. In the world of IoT, however, this is far from the norm.
Most IoT devices, once deployed in their physical environment, are rarely updated; this greatly increases the risk of being a victim of a cyberattack.
In particular, there are two realities that explain why IoT devices are not being updated in the same way as our phones and computers: immaturity and complexity.
IIoT Market Immaturity
IoT is going through its “adolescence,” which means that cybersecurity is not considered a priority. If we arranged all the needs that lead a company to undertake an IoT project into a kind of Maslow pyramid, there would be other concerns at the wide base of the pyramid that come before cybersecurity. This is precisely where the problem lies: worrying about IoT security when you have already developed the project, rather than working on it from the beginning, gets in the way of doing it properly.
The complexity of managing a distributed, remote, and tremendously heterogeneous environment is also a concern.
The very concept of IoT is based on the existence of a multitude of distributed “things.” Ensuring that all of these devices are upgraded in an efficient and scalable way implies having a secure remote management system. Otherwise, the cost of having to update IoT devices at the local level regularly would render any major project non-viable. We can then add the absence of standards (de jure or de facto) in the development of IoT devices, which further complicates management and leaves it up to each vendor to respond (or not) to this requirement.
How to Make IoT Devices Cybersecure
Nothing is eternally cybersecure, and IoT devices are no exception, so the keys to ensuring their integrity are as follows:
- Use base solutions that include security from the design stage. Cybersecurity must be conceived from the beginning, not as an additional or optional function that can be added later.
- Ensure control over the entire device life cycle. This means you can upgrade all IoT devices efficiently and swiftly and manage how they operate at all times.
- Bring in professional support. It is key to have someone at your side who cares about generating security patches with sufficient consistency to ensure IoT devices are properly protected at all times. It is common to use free-to-use software that nobody officially maintains, and this makes it very expensive or directly infeasible to keep IoT devices fully protected.
Following these three principles is the best way to protect both data and computers. Any digitalization project in industrial environments must inevitably consider cybersecurity as a pillar of any implemented solution.