IoT has crept into enterprise systems in a variety of forms and for a wide range of purposes. The ability to add intelligence to devices and processes is proving advantageous in terms of lower labor costs, fewer equipment failures, and better visibility into real-time processes. But each IoT device is an additional node on the enterprise network that can be compromised and used as a foothold for reaching company systems. The lack of a single viable standard for securing IoT devices leaves them vulnerable, and securing them is now part of the CIO's or CISO's responsibility. Unfortunately, a lack of adequately targeted funding means that the work isn't getting done fast enough.
It's estimated that 20 percent of enterprises have experienced at least one attack that originated through their IoT-based devices over the last three years. Based on those alarming figures, Gartner expects enterprises to spend $1.5 billion in 2018 on protecting themselves against intrusions that get inside via IoT systems, an increase of 28 percent over 2017's spending. The same Gartner forecast expects that spending to reach $3.1 billion in 2021, just three years later. Where are those funds coming from when so many other projects and systems are demanding a larger share of the budget?
Spiceworks reports that overall IT spending is increasing, with companies forecasting a 19 percent jump. Nearly one-third of that money is projected to go to hardware. But while those hardware expenditures may include computing devices like servers, storage, and personal devices, IoT components, while numerous, simply are not as expensive as other common hardware, which means large numbers of new devices can be added without significantly affecting the hardware line of the budget. It's the problems those devices bring with them that IT needs to be aware of in order to allocate some of that increased budget to them.
IoT devices are endpoints in the enterprise network landscape and present new paths for attackers to exploit. That explains, at least in part, the increase in spending on endpoint security, projected to grow from $240 million in 2016 to $459 million in 2019. But putting that security in place is not as simple as updating drivers and applying operating system patches. It requires security professionals who specialize in closing down the vulnerabilities that IoT systems carry. Expenditures on IoT security professional services are expected to grow from $570 million in 2016 to $1.22 billion in 2019. But my guess is that it will be difficult for organizations to spend that much, simply because there aren't enough cybersecurity specialists available.
The root of the problem lies with the manufacturers of IoT devices and their inability to agree on a viable standard for IoT security. To be clear, this is not for lack of effort. The Interagency International Cybersecurity Standardization Working Group (IICS WG) began drafting a working standard for IoT security in late 2015 and closed its comment period recently (April 2018). So this shouldn't be seen as foot-dragging or a lack of diligence. However, a quick review of the 30 comments shows two things. First, that there were only 30 comments on a topic this important and complex, one that affects so many players. And second, that the content of the commentary is itself complex.
As with any standards development effort, the process involves multiple players, each with their own stake in its implementation and outcome, and each representing their own views on the subject. That means the final outcome is likely to be robust and viable. But it also means that the nearly three years that have gone into creating this draft are only the beginning of the process. It will take time for the commentary to be reviewed and appropriately assimilated into the standard, and only once that is complete can actual implementation begin. That process is likely to be measured in years rather than weeks.
What to do now
Your organization will still be vulnerable to IoT cyber intrusion even after the security standard has been ratified and put in place, because devices already installed, and devices that will be installed before standard-compliant products are available, will not conform to it. In the short term, contact the vendors supplying your IoT devices to understand what steps, if any, they have taken to harden their products against intrusion. They should understand your concerns, and that the steps they take now will affect your future buying and implementation plans. Since each device is a node on your network, it is also worth confirming that IoT devices are isolated from the systems that matter, so that a compromised device is not a direct path into the rest of the enterprise. The long-term solution is to work with the IICS WG and monitor its progress, even to the point of joining the effort and contributing time and expertise. Assign some portion of the increasing IT budget to securing IoT, because it will become a larger part of your overall enterprise and a significant point of intrusion if not properly secured.