Gartner: IIoT Ready to Explode, But Security Keeps Us Up At Night

The Industrial Internet of Things (IIoT) is set to explode in the next few years, but as more organizations connect devices to their businesses, the lack of strong security tools could have major implications on future growth and deployment.

We have already seen a few major IoT security breaches in the past few years. Researchers were able to hack a Jeep, taking full control of the car’s steering functions. Chinese researchers revealed a similar exploit in the Tesla Model S. A botnet consisting largely of compromised connected devices was utilized by hackers to almost take down the Internet.

In a webinar exploring the various security issues, Gartner associate principal analyst, Mark Judd, said the landscape for security is still under development and there aren’t a lot of mature solutions.

“IoT devices are generally not designed with security in mind. They’re purpose-built for a very slim focus. A lot of manufacturers are starting to think about that now, especially cloud platforms such as AWS and Microsoft Azure, but it’s still an afterthought right now,” said Judd.

See also: Rethinking DDoS security in the era of edge and 5G

Alongside a lack of mature solutions, organizations are also going headfirst into deployment of IoT devices without consulting IT specialists. “A lot of the security surprise comes from organizations that see these great products, buy them, put them online to test and don’t speak to the IT environment because they’re only testing them out,” said Judd.
According to Gartner’s CEB IoT Security survey, 73% of IT professionals collaborate less than once a month with the device procurement team. This lack of communication leads to devices being purchased without any security overview, which can lead to the devices not functioning as desired and getting hacked.

IIoT devices not ready for security measures?

Even if security professionals manage to oversee IoT devices, almost none of them house any security agents, because of the size of the devices. “There’s not a lot of room to encompass these devices with other technologies that are going to be able to protect them from themselves. Enterprise administrators must instead protect these devices at arms-length,” said Judd.

Finding a security solution that is both mature and built for IoT is difficult, as many of the security principles that the Internet has run on for decades don’t work for IoT devices. “Agent-based solutions are impractical in the IoT world,” said Judd. This is because endpoint security must be moved away from the device.

Judd offered three solutions for IT professionals looking to add security for IoT devices. Device identification is the simplest to achieve, said Judd, and it allows the organization to gain a better understanding of the devices on a network. It also reduces the chance of IoT devices being used by hackers for Bitcoin mining or DDoS attacks. 85 percent of IT security professionals listed lack of visibility in IoT as a problem.

Network segmentation is another solution Judd offered. This involves separating devices from the network, thus reducing the chance of an attack. Micro-segmentation, a model based on logically defined policy, was suggested as a process for IoT security.

The third solution is network traffic monitoring, a solution that is difficult for regular IT deployments, but simpler for IoT, due to the lack of back and forth between devices and the web server. Most IoT devices only send out a few signals to one or two web servers, which makes it easy for traffic monitoring systems to recognize any spikes or changes.
Judd also said that IT teams need to be aware of any patch changes, as patch management software is non-existent in the IoT environment. He recommended regular patch management meetings.