Challenges and Opportunities in Securing the IoT

By Sudarshan Krishnamurthi, head of business strategy for Cisco’s education services

IDC estimates the economic value of digital transformation to be $20 trillion, or more than 20 percent of the global gross domestic product. While the business opportunity is tremendous, digital transformation has not yet become the status quo for companies. Of more than 1,600 companies IDC studied, 67 percent are in the early stages of their transformation as “digital explorers” or “digital players,” and fewer than 5 percent of companies are fully transformed.

Digital transformation in general, and IoT in particular, can help organizations become more efficient and more responsive to their customers. It also can allow businesses to expand their operational models from one-time product sales to models that generate recurring revenue.

So, while digital transformation is what accelerates business opportunity, implementing IoT itself has challenges. These include figuring out how to secure connected devices, networks and the data they handle.

Complex Security Questions
IoT devices pose a “double agent” risk: they can bring tremendous value to an organization but can also be enlisted to help stage attacks. The rapid and wide-scale adoption of connected sensors and IoT devices in manufacturing, finance, telco and utility industries means that the global economy’s critical infrastructure is increasingly vulnerable to these attacks.

In October 2016’s Mirai botnet attack, hackers leveraged an army of insecure IoT devices to deploy a Mirai denial-of-service (DoS) attack on an internet infrastructure company. Tens of millions of connected devices, including closed-circuit television cameras, DVRs and routers owned by a range of companies and individuals who were unaware of the attack, were used. And many high-profile online services and websites were attacked and incurred system downtime as a result.

The internet infrastructure company targeted in this case said it commonly sees distributed denial-of-service (DDoS) attacks. But, it added, the use of internet-enabled devices is now opening the door to a whole new scale of the attack.

One challenge to securing these environments is that many IoT endpoint manufacturers simply have not built security into their products. Even controllers that operate in every industrial environment lack basic security protections like authentication and encryption. This means most industrial control system (ICS) attacks do not need to exploit software vulnerabilities. Hackers just need access to the controllers to change configuration, logic, and state.

Also, connected devices frequently have easily exploited vulnerabilities, like default passwords that never get changed, remote access backdoors meant for use by field service technicians (which can also be an “in” for hackers) and weak authentication. Some device manufacturers have taken a stab at security by employing trusted boot capabilities, encrypting network traffic or using Secure Shell (SSH). But if they and the organizations that buy them don’t implement these protections in the right way, such efforts can be ineffective.

IoT Security Best Practices
So, how do we go about securing our infrastructure and data in the new digital age? Securing IoT starts before the pieces are even put in place. It begins during the equipment and software selection process. When feasible, it’s important to select equipment and software with built-in security protections.

Organizations should also take measures to ensure that their systems are secure by regularly changing the default usernames and passwords on their IoT devices. Updating IoT devices with the latest operating systems and patches also helps ensure the security of the network. There’s no one-size-fits-all approach to IoT network security, of course, but data encryption, network authentication and secure private networks all help provide additional protection to vulnerable systems.

Because IoT has implications for both the information technology (IT) and operational technology (OT) parts of an organization, staff members from both the IT and OT teams should work together to decide what IoT security posture is right for their organization. IT and OT engineers should collaborate in setting up security policies and procedures to implement IoT security for their applications, devices, and networks.

IoT Talent Requirements and Gaps
Collaboration between IT and OT team members with existing skillsets will only get us so far, though. That’s because creating, securing and supporting IoT implementations requires new skillsets. Both IT and OT need digital expertise. So, training staff members to address IoT is essential for organizations as they stage their digital transformations.

The converged architecture involved in IP-connected factories, for example, introduces a talent gap not met by current IT or OT professionals. As a result, individuals from each discipline need to learn the technology from the other. Additionally, soft skills in areas such as communication, collaboration, and project management enable teams to work together in a more productive and integrated way.

For IT engineers, learning about industrial networking and application protocols advances their skillsets in the digital era. Gaining knowledge about wireless deployment is also essential for such industrial verticals as mining, transportation, and utilities. Understanding IoT security technologies and being able to implement the most relevant ones for a particular organization gives IT professionals a strategic advantage.

Meanwhile, OT engineers need to adjust from the hierarchical Purdue model for enterprise control to a flattened IP-connected world. This is essential to understanding IP networking protocols and their implications, as well as the importance of sharing data across the ecosystem.

Statistics from recent reports demonstrate the challenges – and opportunities – that exist in the IoT workforce front:

• The Internet of Things is creating jobs at such a rate that the IT industry is projected to grow by 50 percent before 2020. And many of these jobs have new requirements.
• There’s a need to train 220,000 new control engineers every year for manufacturing plant operations alone.
• There were 1 million job openings last year for cybersecurity experts. And the shortfall of cybersecurity experts is expected to reach 1.5 million globally by 2019.
• There are just 500,000 developers working on IoT worldwide. So, there is a need for many more developers as connected devices and applications proliferate in the years ahead. Some estimate the demand will reach 4.5 million within five years.

Prepare Yourself for the Road Ahead
To position yourself to meet this ballooning demand, identify what IoT skills your employer or target market is looking for, and then take steps to strengthen your training and skillset to match the demands of your ideal position. The value of training, skills development and certification cannot be overstated. Understanding the convergence of IT and OT is fundamental to survival in the digital revolution, and training offers employers proof of your job-ready skills.

About the Author
Sudarshan Krishnamurthi is a future-focused technology strategist and industry veteran.
As head of business strategy for Cisco’s education services, he regularly evaluates the future of technology and its influence on skills and talent development, working with an industry ecosystem of like-minded partners.
Throughout his career, Sudarshan has advocated for the strategic advancement of a technologically connected world and is considered a thought leader on the Internet of Things (IoT).
This passion motivated his involvement with the IoT Talent Consortium, an industry-wide partnership to address the need for talent to drive digital transformation.