Ensuring end-to-end security of data flow in the IoT remains an essential, and still unsolved, challenge that is hindering development.
The internet is a two-edged sword. Providing devices with worldwide connectivity to online resources offers tremendous opportunity for edge devices to offer functionality well beyond the means of local equipment. At the same time, however, such connectivity provides a doorway for the entry of untold malice from distant actors. Ensuring end-to-end security of data flow in the Internet of Things (IoT) remains an essential, and still unsolved, challenge that is hindering development.
The persistence of security as an IoT industry concern was recently highlighted in a survey of 170 industry leaders that Omdia and IoT World Today conducted earlier this year. Asked if security concerns were a major barrier to IoT adoption, some 85% of respondents agreed. In addition, some 64% of IoT providers said that incorporating end-to-end security was a short-term priority in their developments while some 45% of enterprises were interested in incorporating security in their IoT plans short term.
What strikes me about these results, though, is a seeming mismatch in emphasis. If security concerns are a major barrier to adoption, one would think that resolving these concerns quickly would be equally important. It is still a top concern for both provider and user, but for many it is more of a medium- to long-term priority. Further, perhaps surprisingly, for some 10% of providers it is not a priority at all (Figure 1).
Figure 1 Most, but not all, IoT providers surveyed show security is a high priority technology. Source: Omdia
Users are a bit more ambivalent. Nearly half see security only as a medium-term need and a number still don’t have any intention to incorporate security into their plans. An equal number are still not sure about the need for security (Figure 2).
Many factors may be contributing to this apparent mismatch. For developers, incorporating security into an IoT design is an expense that does not seem to have a payback. Customers won’t want to pay for something they don’t think they need, the thinking goes. The less-than-ardent demand for security from customers tends to support this interpretation.
Figure 2 Enterprises are not entirely in a rush to incorporate security into their IoT plans, with some not interested at all. Source: Omdia
For users, a lack of industry standards may contribute to the lowered priority for IoT security. Enterprises may be waiting for the industry to come to a consensus about security levels and approaches before they are willing to invest in implementations. They may also be waiting for 5G to become widely available, trusting to the security provisions built into that technology to resolve the issue.
Security is an issue that is both complex and subtle, requiring both considerable expertise and the adoption of multiple mitigation techniques to successfully resolve. Many enterprise respondents, for instance, indicated that they are using, on average, three to four different approaches to ensure security in their systems. These approaches include end-to-end encryption (number one), the regular updating of firmware and software, and checking the risks inherent in physical access to their IoT devices.
Cost, complexity, and risk will temper enthusiasm for any technology, of course, and IoT security is no exception. It is all too easy to take a wait-and-see approach, or even convince oneself that a threat is not all that dire. Regardless of the reasons for not pursuing security as vigorously as they might, however, at least the need has become increasingly clear to the industry. Security concerns are a significant stumbling block to market growth for the IoT and merit commensurate attention.
Rich Quinnell is a retired engineer and writer, and former Editor-in-Chief at EDN.