With many engineers in industry from manufacturing to utilities having spent a lifetime managing operational technology (OT) and working within the comfortable confines of their company infrastructures, the concept of connecting their precious assets to external cloud services fills them with fear. It doesn’t help that hardly a week goes by without a cybersecurity attack on an industrial installation, or that the IT industry has become full of exaggerated promises about how companies can achieve security.
Confusion reigns. Today, security has become one of the main factors holding back wider industrial IoT adoption. Let’s look at the numbers:
We’ve been seeing over-optimistic IoT forecasts for 10 years or more. Back in 2010, Ericsson’s CEO at the time, Hans Vestberg, predicted in a shareholder message that we’d see 50 billion connected IoT devices by 2020, a number endorsed in a Cisco white paper the following year. But by 2015, some analysts were beginning to get more realistic, Gartner bringing the 2020 number down to 20.8 billion, and in January 2020, Eseye, a cellular IoT connectivity provider, reported in its research that the true number of connected devices came in more at 9 billion – some 41 billion short of the most widely touted number in the industry.
I don’t know today’s true number. I do know that many of our industrial customers fear internet connectivity, don’t understand how to achieve it securely at scale. They believe that security costs will eat into their bottom lines, and often conclude that they’re just better off sticking to the way they work today.
This creates a security bottleneck. What can we do to relieve the IoT security bottleneck? Three things need to happen.
First, we need to build trust in IoT security through a combination of legislation and industry standards so organisations can embrace it with confidence. Recently, IoT-specific laws have been implemented that create severe penalties for companies that breach them. The European Union’s Cybersecurity Act was adopted on March 21, 2019. California implemented a bill on January 1, 2020, to protect the privacy of personal information being shared through connected devices. Then, in February 2020, the Korea Internet and Security Agency published guidelines for how IoT ecosystems need to meet the requirements of the country’s Personal Information Protection Act (PIPA).
Concerning industry best practices and standards, the European standards body, ETSI, released its IoT security standard in June 2020. It lists 13 provisions for device security and five for data protection. America’s National Institute of Standards and Technology (NIST) has also been working on IoT cybersecurity, focusing on the privacy needs of federal information systems. And the industry collaborative body, PSA Certified, sets out 10 security goals to guide IoT device design. These are just a few examples of legislative and standards efforts under way.
The second hurdle is education. You cannot achieve strong IoT security through software alone or by trying to stitch it onto an enterprise IT network. The foundation of IoT security is hardware security in each device. Today’s common practice of injecting device identities and cryptographic keys (random numbers) into the silicon chips that power sensors and the like has become both expensive and fraught with security loopholes. In many instances, companies cede control of their security to third parties, and remain unaware of how vulnerable the injected identities and keys are to cyberattacks when they are stored in on-chip memories. The industry needs to have the chips that power IoT devices generate their own unique, immutable, and unforgeable identifies within their silicon fabric. Several technologies have been developed in recent years to make this happen. Some are already on the market and adoption has gathered pace, but many device makers are still unaware of these technologies.
Third, we need to automate the process of managing IoT security. This has three elements. Provisioning – configuring devices to meet their intended purpose, onboarding – connecting them to services and applications on servers, and ongoing lifetime management, which can include firmware updates and revocation of devices if they are compromised or no longer needed.
IoT security, particularly cryptography, is complicated, but system users don't have the time to learn about the intricacies. We must make how people interact with IoT security simpler and more accessible. In recent years, there has been great progress in this area too, and there are several providers of software that automates some aspects of IoT security management, and even a few that can deliver on end-to-end security, from device-to-cloud.
Building trust, contributing to impartial IoT security education, and simplifying security processes through automation, will together democratize IoT security. Without these measures, the promised benefits of the digital transformation of industry will remain beyond the grasp of many – and fear and uncertainty will remain.
Shahram Mossayebi, co-founder and CEO, Crypto Quantique
