• United States



by David Braue

APAC’s transformation enthusiasm causing “scary things” to happen with IoT security

May 24, 20175 mins
Access ControlApplication SecurityBusiness Continuity

Exuberance over Internet of Things (IoT) technologies has led many businesses to ignore security in rollouts that are overly complex and poorly planned, an IoT specialist has warned as newly released figures hint at the true scope of the burgeoning IoT security threat.

Despite enthusiasm over IoT and its potential for improving everyday operations, many organisations were approaching the technology as a discrete addition rather than integrating it into their existing infrastructure. This had led many to ignore their existing infrastructure, complicating rather than streamlining operations, RIoT Solutions director for smart and connected networks Scott Reid told CSO Australia.

“We’ve seen many organisations saying ‘digital will be amazing’,” Reid said. “They engage large consulting organisations to build them a business case – then go into a pilot project that is very isolated and silo driven.”

Such projects – deployment of digital parking meters, for example, or smart lighting – generally work fine in isolation but fail to be well integrated with existing infrastructure. Reid attributes this shortcoming to a lack of communication internally, as well as an often clear lack of real business objectives amongst IoT adopters.

“Often for the first time ever, people need to rearchitect things to take advantage of digitisation,” he explained, “but most organisations are ignoring the infrastructure they already have. They have these amazing assets out there and they don’t actually know how to get their operational technology guy to talk to their IT guy.”

This had resulted in procedural oversights even amongst companies that are adopting good security practices such as physical, session and transmission security – three key IoT endpoint protection strategies highlighted in a recent IDC analysis.

These areas were being addressed with varying effectiveness but many companies were also falling down when it comes to regular penetration testing – which, Reid warned, is being “commoditised” to the point where much testing is being done using toolkits that are designed to test compliance without applying human ‘white hat’ knowhow to the problem.

Many times, penetration testing was run as part of a momentary engagement that would see teams compromise a network, deliver a report, then walk away leaving the target company to try to fix the issues. But with budgets chronically low and security expertise often brought in after the fact – if at all – IoT’s explosion represents yet another challenge to the integrity of digital transformation efforts.

“Everyone is talking about these massive efficiency gains without understanding what they actually have, what it is connected to, and how secure it is,” warned Reid, who for years has worked with businesses and local councils as they plan their adoption of IoT. “We’re quite often seeing security as an afterthought – and as a result we’re seeing some really scary things, time and time again.”

The frequency of such “scary things” is set to be magnified as the IoT industry continues pressing the accelerator on efforts to make the technology ubiquitous. Chipmaker Qualcomm, for one, this week announced that it is shipping more than 1 million microprocessors every day for IoT devices including some 150 different wearable devices and a who’s-who of home-entertainment and other home electronics devices. The chipmaker offers more than 25 “production-ready reference design platforms”, the company said in a statement highlighting its push into the IoT market.

Each of those platforms – and each of the chips that Qualcomm and myriad other chipmakers push into the market – has its own security requirements and will be implemented in slightly different ways from platform to platform. The result is a morass of security practices that will leave many organisations’ IoT environments hopelessly exposed even when some best practices are put in place.

Concerns over security remain a significant barrier to effective digital transformation, with a recent 451 Research-CenturyLink survey, APAC Business in Pursuit of Digital Transformation, suggesting that while Asia-Pacific companies are leading the world in digital transformation – with 57 percent of regional businesses now having a formal transformation strategy in place – fully 35 percent of those enterprises have identified a potential failure to secure sensitive data as a barrier to successful transformation.

This, despite the finding that 69 percent of businesses are increasing spending levels to realise the expected benefits of digital transformation. For this reason, said research director for APAC Services Agatha Poon, many companies were looking outside the company.

“A critical aspect of these transformation roadmaps is entrusting some of the transformational fundamentals to third-party service providers,” she said in a statement, “enabling business leaders to refocus internal resources on developing new services and applications to support innovative business initiatives.”

Increasingly sophisticated managed security services offerings are being positioned to play a role in solving the particular problems of IoT, which has attracted a flurry of industry investment as innovators seek to build flexible security architectures capable of keeping up with growth while maintaining security over devices that are often built insecurely. Platforms like PTC’s ThingWorx IIoT platform, for example, have focused on improving management of industrial IoT deployments while LogMeIn’s Xively IoT platform has targeted security as a key IoT management capability.