As it has for the last four years or so, the market for Internet of things hardware, software and services continues to be one of the major greenfields for investment in the information technology world. Along with edge computing, “AI everywhere” and robotics process automation, the IoT also comprises one of the broadest areas of innovation potential in IT. Seventy-five million IoT devices are expected to be online and in use by 2025.
2019 certainly will be another year of IoT growth, even though there are some signs that IoT equipment and software purchasing is slowing a bit in the Fortune 2000 due to lack of skills in the workforce. Even though 25 percent of global Fortune 2000 enterprises rank internet of things deployments as the most important initiative in their organization, 90 percent of those same companies are experiencing barriers to effective implementation due to lack of IoT expertise and skills in-house. Who knows how long this will take to rectify?
In the eWEEK Data Points article, the following predictions represent the industry viewpoint of Armis, a respected new-gen IoT security company. Armis discovers and identifies every device that exists in an environment after which Armis will profile the inventoried devices to make sure that devices are behaving as expected.
Data Point Prediction No. 1: IoT attacks will evolve in sophistication.
Since the Mirai botnet in 2016, we’ve witnessed a rapid evolution of IoT attacks. Within the past year alone, IoT devices have been harnessed maliciously for cryptomining, ransomware and mobile malware attacks. In 2019, IoT threats will become increasingly sophisticated, shifting from botnets and stray ransomware infections to APTs for surveillance, data exfiltration and direct manipulation of physical world to disrupt operations.
Data Point Prediction No. 2: Smart City initiatives will realize they forgot about security.
Cities around the world are planning new “smart” initiatives to connect buildings, infrastructure, local agencies and devices. London, Singapore, New York, Seoul, Boston and San Francisco are few of the cities leading this charge. Smart cities include IoT applications for power and energy utilities, transportation services designed to reduce congestion and improve commutes, water and waste management solutions, as well as information-sharing of their citizens. Unfortunately, these initiatives will fail to build security into their foundations.
At Black Hat 2018, IBM announced 17 zero-day vulnerabilities in smart-city systems that could debilitate core services. While smart-city programs are focused on the right outcomes, they deploy unmanaged devices that lack security, are hard to patch and have created the new attack landscape. Further, adequate budgets for cybersecurity are not always identified. In 2019, we’ll see increased instances of these systems being exploited.
Data Point Prediction No. 3: Unmanaged and IoT device security will become a board-level priority.
Today, about 30 percent of company IT managers work with the C-suite to discuss IoT security at the board level. IoT is not simply a driver of revenue growth. More and more boards recognize the risk, compliance issues and exposure these new unmanaged devices bring–which is why securing them is now a board-level initiative. Expect at least 60 percent of enterprise boards to be prioritizing IoT security going forward.
Data Point Prediction No. 4: CIOs will become the enterprise IoT security steward.
Gartner found that 32 percent of IT leaders list security as a top barrier to IoT adoption. CIOs are beginning to recognize the failure of device manufacturers to adequately address IoT security during device design and manufacturing and have realized the need to monitor and secure these devices in the wild. IoT security will be a line item on IT budgets in 2019 as a result of the growing awareness of the security issues, and we will see CIOs formalize and shepherd IoT security initiatives in the enterprise through their spending power.
Data Point Prediction No. 5: Point solutions reach critical failure point for IoT security.
Enterprises today are cobbling together multiple cybersecurity solutions and pointing them to the dark space of IoT, hoping for visibility and protection. Betting on security with this point solution model is dull for several reasons. First, it’s impossible to install agents on all connected devices in an enterprise environment, especially when IT is unaware of nearly half of those devices. There are massive technical hurdles to integrating multiple tools, each with siloed data and their own deployment and operational complexities. Add the industry shortage of the security skills necessary to get value out of each of these tools and the sisyphean task of wrangling point solution vendors into cooperation, and managers have additional problems to solve.
The industry went down this path when securing and managing conventional IT. In 2019, we’re optimistic that companies will realize that this piecemeal security approach won’t work for IoT. Instead of jerry-rigging legacy point solutions to mitigate IoT risk, security decision makers will invest in dedicated IoT security platforms that help bring connected devices into the fold of enterprise security and operations.
Data Point Prediction No. 6: OT / IT convergence will accelerate.
OT security will come into sharper focus as IT infrastructures and OT environments converge. Smart, connected devices will become standard in manufacturing plants, utilities and other areas with critical infrastructure where digital meets physical operations. This will increase the potential for remote attacks that disrupt or sabotage robots, sensors and other equipment that drive much of machinery and infrastructure behind our everyday lives.
Data Point Prediction No. 7: Security frameworks and controls will extend to IoT and unmanaged devices.
As a result of the explosion of the unprotected, unmanaged devices in the enterprise and new warnings from the FBI and Homeland Security around IoT security risks, industry bodies such as NIST, CIS and MITRE have begun to roll out standards for IoT. Even the U.S Congress, traditionally slow-moving in regards to technology policy, passed the SMART IoT Act last month. In the next 12 months, enterprises will address unmanaged devices in their security programs. To do this, businesses will first need to inventory their entire connected environment, assess risks and vulnerabilities, monitor for threats and support security teams who are extending threat hunting and incident response capabilities to unmanaged devices.
Data Point Prediction No. 8: Network infrastructure will become a new target.
From routers and switches to access points, the foundational elements of our networks are not protected in a new IoT age–they’re simply a new class of unmanaged devices. As Armis showed with BLEEDINGBIT, two critical chip-level vulnerabilities impacting Cisco, Aruba, and Meraki access points, unauthorized hackers can now attack networks undetected, enabling them to introduce malware, move laterally, or destroy network segmentation. These devices are the cornerstone of enterprise communications, and in 2019, we’ll see more attacks targeting these as a vector specifically.
Data Point Prediction No. 9: IoT adoption will spike in healthcare and manufacturing.
Seventy-five million IoT devices are expected to be online and in use by 2025. Enterprise adoption of IoT grew in 2018 with increased revenue and operational efficiencies for early adopters. Within the next 12 months, health care and manufacturing specifically will increase investments in connected devices. IoT will provide operational efficiencies for these environments in particular; however, increasing numbers of IoT devices expands the attack surface exponentially and creates increased potential for disruption to physical operations within manufacturing plants, and disruption of patient care.
Data Point Prediction No. 10: The channel will begin offering-IoT-related services.
Recent reports show IoT-managed security services will increase five-fold by 2021. Services will start in more traditional manufacturing, transportation, oil/gas industries, then move to other IoT use cases and markets, such as health care, finance and the digital office.
eWEEK will continue publishing “Prediction 2019” articles into January.
