As opportunities in the emerging Internet of things (IoT) market grow, so too do the associated security risks that organizations need to consider.
Sami Luukkonen, global managing director for the Accenture's Electronics and High Technology business, is seeing vendors of all shapes and sizes coming to his organization asking about IoT, and they're all worried about security. "For the past six months, security concerns have really been raised by industry players, due to media attention around cyber-attacks," Luukkonen told eWEEK. "All the attention has really woken vendors up to the risks and consequences of an attack."
There wasn't such attention on security prior to the last six months. Before, the big issue was around the privacy of consumer data, he said. Luukkonen sees the shift in focus to security as a sign of maturity in the IoT business.
For many of the top vendors in electronics, IoT is at the top of their agendas for new initiatives, Luukkonen said. "The opportunity for IoT is tremendous, and everybody is going after it," he said. "At the same time, vendors realize that they are introducing a huge number of open interfaces that could be open to attack."
For the full potential of IoT to be realized, it needs to be secured, according to Luukkonen. While open ports on devices are a risk, simply locking down ports is not the entire solution to the IoT security challenge. In his view, it's important for vendors to remember that any one product is part of a broader ecosystem. For example, modern vehicles have complex in-vehicle entertainment platforms that integrate components and technologies from multiple sources—through which there is a risk of a malicious download to the car's entertainment system. Even when an app is not made by the car vendor, it is incumbent upon the car vendor to protect users against the risk.
"IoT security is not just about trying to protect your own solutions, but also about trying to protect your users from the whole ecosystem that is needed in IoT," he said.
When analyzing the potential security impact and best practices for IoT, Luukkonen said the first step is to evaluate the overall risk level that is introduced by the IoT solution across the whole ecosystem. The next step is filling whatever gaps may be present to make the product as secure as possible. The third step is to have an active monitoring capability that proactively identifies any potential security risk.
Luukkonen said network operators are used to having active monitoring, but it's an idea that is relatively new in the electronics space. There are also staffing considerations that Luukkonen advocates—in particular, vendors need to have a chief security officer (CSO).
"In most large companies, all the executive board members have a direct role to either protect or build shareholder value," Luukkonen said. "Security is an executive management team role that companies should have as there needs to be someone that can evaluate and guide the corporate management of security issues."
Luukkonen added that vendors should also engage in active penetration testing that tries to break into their own products, in an effort to try to find security vulnerabilities so they can be fixed.
Security isn't always at the core of electronics vendors' research and development efforts, though it should be, according to Luukkonen. He noted that when he talks to the R&D directors at major vendors, they typically don't include security as one of the top three items when they describe how they work with IoT. What vendors typically talk about is technology innovation and time to market, he said.
"The challenge is that vendors need to recognize that security has to be at the core of the product," Luukkonen said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.