The conventional wisdom has it that IoT security, or the lack thereof, is a disaster waiting to happen. Machina Research, however, argues that this is largely a myth. According to the report, the grand vision of the IoT as everything connecting to everything is so distant that it makes little sense to future-proof all of today’s deployments for it. At least for the next ten years, what we refer to as the IoT will be driven by the Subnets of Things used in relatively controlled settings. Most of today’s security requirements can be met incrementally, with proper planning and already available solutions.
In principle, the security layer should be enabled in IoT deployments by design, rather than retroactively when all else is said and done. Yet in reality, the viability of this maxim tends to depend highly on what is actually being deployed.
“Individual products can, and should, be secured by design, and developers who fail to do so are asking for trouble,” The report author, principal analyst Aapo Markkanen explained. “That said, when the project is not about a single product but a complex system, comprising multiple products supplied by different vendors at different times, the scope for doing pretty much anything ‘by design’ is limited. That is often the case especially in the Industrial IoT, where brownfield deployments are the norm. In these environments, security is more of a systems-integration issue than a design issue.”
Consequently, systems integrators are set to become a critical stakeholder when it comes to securing the industrial IoT, and the ones that want to play a role in this market have to develop various new competences and technologies. Overall, the strategic attention to these is lacking among the big system integrators, but there are also examples of the contrary. Atos, CGI, and Tieto are names that appear to be ahead of the curve.
Another area that can further improve the outlook is risk management. According to Markkanen, “Security is never a binary choice of either having it or not having it. For an IoT-driven enterprise, getting the security right is more about judging how much cyber risk it can stomach, and investing accordingly. A serious problem is that this risk cannot be sufficiently quantified, because enterprises do not have reliable information on the materialised cyber incidents. Having a trusted third party, be it a regulator or even the insurance market, to broker such information would be most welcome.”
