Machina Research, the world’s leading provider of strategic market intelligence on the Internet of Things, has published a Strategy Report on the security context of the IoT.
While there are many security issues that remain unresolved, the report concludes that for most enterprises planning to invest in the IoT, the best course of action is to get started and not wait for a security panacea.
The conventional wisdom has it that IoT security – or the lack thereof – is a disaster waiting to happen. Machina Research, however, argues that this is largely a myth. The grand vision of the IoT as “everything connecting to everything” is so distant that it makes little sense to future-proof all of today’s deployments for it. At least for the next 10 years, what we refer to as the IoT will be driven by the Subnets of Things used in relatively controlled settings. Most of today’s security requirements can be met incrementally, with proper planning and already available solutions.
Much of the current technological innovation on the security layer is coming from startup-level vendors that have specialised in the IoT – such as Device Authority, Guardtime, and Mocana. Meanwhile, some of the established cybersecurity leaders – for example Symantec, Thales, and Webroot – have also started addressing IoT-specific requirements with growing intensity.
In principle, the security layer should be enabled in IoT deployments by design, rather than retroactively when all else is said and done. Yet in reality, the viability of this maxim tends to depend heavily on what is actually being deployed.
The report author, principal analyst Aapo Markkanen, explains: “Individual products can, and should, be secured by design, and developers who fail to do so are asking for trouble. That said, when the project is not about a single product but a complex system, comprising multiple products supplied by different vendors at different times, the scope for doing pretty much anything ‘by design’ is limited. That is often the case especially in the Industrial IoT, where brownfield deployments are the norm. In these environments, security is more of a systems-integration issue than a design issue.”
Consequently, systems integrators are set to become a critical stakeholder when it comes to securing the industrial IoT, and those that want to play a role in this market have to develop various new competences and technologies. Overall, strategic attention to these is lacking amongst the big SIs, but there are also examples to the contrary. Atos, CGI, and Tieto are names that appear to be ahead of the curve.
Another area that can further improve the outlook is risk management. According to Markkanen, “Security is never a binary choice of either having it or not having it. For an IoT-driven enterprise, getting the security right is more about judging how much cyber risk it can stomach, and investing accordingly. A serious problem is that this risk cannot be sufficiently quantified, because enterprises do not have reliable information on the materialised cyber incidents. Having a trusted third party, be it a regulator or even the insurance market, to broker such information would be most welcome.”