State-of-the Union – IoT (in)Security
26.04.2023 Terry Gaul
The World Economic Forum recently released a new report on the State of the Connected World 2023, a publication that tracks governance gaps related to the Internet of Things (IoT). More than 270 international experts were interviewed to gain an understanding of the current state of the IoT, particularly in light of the increase of damaging cyberattacks and data breaches. The report evaluated 6 areas of concern: ethics and integrity, cybersecurity, equal access, environmental sustainability, financial and operational feasibility, and interoperability and system architecture.
The report defines a governance gap as “the difference between the potential risks posed by a technology and society’s efforts to safeguard itself against these risks through laws, industry standards and self-governance approaches designed to achieve the greatest potential benefit of that technology for society as a whole.”
The report presents some interesting data, conclusions, and recommendations and deserves thorough reading. For the purpose of this post, I will focus on Wibu-Systems’ greatest area of concern – cybersecurity.
Cybersecurity
The report claimed that the proliferation of connected devices has made organizations, governments, and end users increasingly susceptible to cyberthreats, evidenced by the recorded 1.5 billion IoT-target attacks globally and a 15% increase in data breaches in the first half of 2021.
Seventy-Three percent of those surveyed were either not too confident or not confident at all that users of connected devices and related technologies are protected against cyberattacks. Several reasons for this lack of confidence were given: underdeveloped regulatory frameworks, rapid expansion of markets and companies in IoT and related technologies, technical limitations, lack of knowledge of end users, insufficient incentives for companies to protect users, and lack of standardization.
The implications of these threats and data breaches are severe. The report noted:
- Financial losses reaching $10.5 trillion by 2025
- Physical harm – increasing attacks on critical infrastructures, including utilities, schools, and hospitals
- Reputational damage – according to a Forbes Insights report (Fallout: The Reputational Impact of IT Risk), 46% of organizations suffered reputational damage from a data breach and 19% suffered both reputational and brand damage due to third-party security breaches.
- Productivity loss – cyberattacks create disruption or complete shutdown of processes, resulting in financial and productivity losses.
One of the key security issues identified in the report was that security considerations are typically addressed in the latter part of the design and prototyping phase, leading to vulnerabilities, and allowing malicious actors to breach connected systems and devices. Furthermore, the notion that security measures can be “add-ons” has strongly contributed to the reactive nature of cybersecurity vs. a proactive, security-by-design development approach.
Action Items
The authors concluded that the persistent governance gaps in standardized security and safety measures, as well as the fragmented policies and regulation surrounding cybersecurity, must be urgently addressed in the following areas:
- User awareness and education – users must be provided with the necessary education and training to ward off bad practices and avoid mistakes that may cause serious loses and adopt best practices, such as stronger password and authentication mechanisms, to help protect digital infrastructure.
- A unified approach to IoT and related technologies – governments and industries must create and follow common shared standards in their cybersecurity practices.
- Incorporation of security by design and by default, not by response – organizations and governments should focus on building a robust cybersecurity infrastructure from the design phase of a product to make systems as free of vulnerabilities and resistant to cyberattacks as possible.
- Policy and regulation – robust policies and regulations, including guidelines, standards of behavior, and best practices, must be in place to protect IoT and connected devices. Policymakers should be adaptive and work alongside experts in the field to develop these standards.
Wibu-Systems has been an early adopter and evangelist of a security-by-design approach for connected systems and devices. For additional reading and reference, we have several publications focused on IoT/IIoT security:
White Paper – Licensing and Security for the Internet of Things
Use Case – Securing the Backbone of Connected Industry
eBook – Security 4.0 by Default – Grown 4.0 by Design
Technical Report – Industrial Internet Security Framework
Contributor
Terry Gaul
Vice President Sales USA
Terry Gaul is a sales and business development professional with extensive experience in the software and technology sectors. He has been involved with software protection and licensing technologies for more than 20 years and currently serves as Vice President of Sales at Wibu-Systems USA. When he is not helping customers with software licensing, Terry typically can be found coaching his daughters' soccer teams or camping with his family on the Maine coast.