However, as the Internet of Things grows, so do the security risks. There are a number of reasons for this.
First, the sheer size of the market. In its latest Mobility Report (June 2018), Ericsson forecast that the total number of connected IoT devices will grow from 7 billion in 2017 to 20 billion in 2023, representing a 19% CAGR, vastly outstripping the 2% CAGR projected for mobile handsets. So, the larger the scope of assets that need to be protected, the more they are exposed to failures and attacks.
Second, there is the irony of connecting things to the Internet: by definition, the components of industrial facilities previously housed inside company premises, and processes previously operated offline, are being moved to the cloud. As a result, attacks can be launched remotely from cyberspace without private premises needing to be accessed.
Third, it will be very costly and disruptive to rebuild industrial facilities and redesign processes from scratch to integrate IoT. Most likely, IoT will be mashed up with existing automated and non-automated systems, making it hard to implement uniform network-level security measures.
These, and other risk factors, need to be highlighted to raise the industry's awareness of the threats it may face when industrial IoT is more broadly adopted. The threats may come in the form of targeted attacks on the weakest link in the system, and often this would be the components that are moved from offline to online. In the winter of 2016, the Finnish utility company Valtia was hit by a DDoS attack that crashed its heating management system, leaving residents in two buildings suffering sub-zero weather without heating. Another soft target for cyber attacks is human error: The more complex the network, the more likely it is that some aspects will get overlooked -- for example, certain system vulnerabilities or the sub-prime performance of some network components.
More worryingly, IoT networks can be rendered defenseless even against known attack tactics. In 2016, a series of coordinated Mirai malware attacks on the DNS provider Dyn were launched from botnet-hacked IoT devices, resulting in large-scale Internet traffic disruption in Europe and North America. DDoS is a conventional way of attack, and the Mirai code was publicly available before the attack, but the IoT operators were simply unable to patch their devices with defensive software to prevent them from being hijacked.
All these risks and threats combined make IoT networks look doomed to fail security tests, and cases like the Mirai attack have exposed the inadequacy of the current defence mechanisms adopted by the industry. The most popular solutions include blacklisting of DNS, IP addresses and domains, as well as the formation of firewalls. Such measures, though, will not be effective enough to protect industrial IoT networks.
But these industrial IoT networks don't need to be so vulnerable. To better defend themselves, the operators, enterprises and government organizations deploying IoT need to both embrace the most advanced technologies and implement tight processes to guard the security of their networks. As Steve Bell, the lead IoT analyst from research group Heavy Reading, notes: "The complexity of configuring and ensuring the integrity of devices, data and networks, as well as developing, enforcing and monitoring large numbers of devices and assets, requires a holistic perspective rather than using point solutions that may not interoperate. There is a requirement to create an architecture of trust that covers three domains -- things, connectivity and cloud -- and interlink them with two continuums: lifecycle management, and data flow and storage."
An overarching principle is that an end-to-end security management system should be put in place on the IoT networks. More specifically, security management should be implemented both horizontally and vertically.
The horizontal approach involves implementing security across multiple domains on a network, including the connectivity layer -- for mutual authentication, encrypted data transfer, and so on -- and the application layer, for access management, identification and so on.
The vertical approach entails implementing security measures from the hardware up to the applications within individual domains to ensure every component on the network can be trusted.
Admittedly, no technology can guarantee 100% network protection, which is why network operations teams need ongoing innovation from technology developers, who are using cutting-edge tools to boost security systems. Automation of security management will be key, in order to handle the massive number of devices, as well as the large amount of data being processed.
The comprehensive security approach also requires the end-to-end security policy management including the policy definition, enforcement and verification of policy compliance.
One example is the use of artificial intelligence (AI) capabilities. Increasingly, security systems are able to use machine learning algorithms to detect (and even predict) attacks by analysing any abnormal behaviours on the networks, especially incoming connection attempts. This makes a particularly strong case for horizontal security management as it enables correlation of information from the different domains.
Another example is so-called "enclave technology[BJ1] " -- the implementation of an execution environment that keeps code and data isolated and protected, and, when needed, includes security mechanisms anchored on hardware (so called Hardware Root of Trust). This fits extremely well into vertical management scenarios.
Although most IoT connections will continue to be built on short-range networks, wide-area, especially cellular-based, IoT will grow at much faster pace -- Ericsson predicts the number of such deployments will grow at a 30% CAGR from 2017 to 2023. The imminent commercial rollout of 5G, especially in North America and Asia, will be the main catalyst for that accelerated growth. In addition to the end-to-end security principle, some 5G-specific features are making IoT on cellular particularly appealing for the right user groups.
As the development of 5G has focused more on use cases beyond person-to-person communication than previous cellular technologies, the security of those use cases, including massive IoT and mission-critical communication, has been an integral part of 5G specifications. It carries forward the best security features from 4G and improves them with 5G capabilities -- not least because 5G core network architecture is much better suited than the 4G core to support cloud implementations and the vast end-point architecture of the IoT. Major improvements are being made in network slicing, virtualization and service-based architecture (SBA) to bolster security support. Network slicing makes it possible to separate traffic and thereby limiting contamination risks between different use cases.
When it comes to specific security technology properties, 5G will improve resiliency with new radio and core technologies to maintain extremely low failure rate and high availability, even in extreme environments. Communications security will be enhanced with new features, such as user plane integrity protection. This is particularly valuable for small-volume data transmissions -- for example, those between and from IoT devices.
The area most strengthened in 5G compared with previous generations is that of identity management frameworks: In addition to SIM credentials, 5G network operators will also be able to dynamically issue certificates, pre-shared keys and other non-SIM-based authentication measures. These will not only make it harder to launch cyber attacks, but also offer up security measures that make sense for the IoT, where SIM deployment will be prohibitively costly.
There is no doubt that IoT, especially industrial IoT, is already facing, and will continue to face, strong security challenges, and the failure to deal with them could result in serious consequences, be it on livelihood or on production. However, with the most advanced security technologies and processes and by having an end-to-end approach, the industry will not only be much better positioned to counter the threats, but also preempt them and even prevent them from happening at all.