- Security remains a key inhibitor in IoT, driven by the convergence of IT and OT.
- IoT providers should consider bundling anti-bot offerings into their IoT solution as an additional protection layer.
Security and privacy have been the key topics in IoT. They are also the main inhibitors slowing down IoT adoptions by enterprises. As seen in the figure below, GlobalData IoT research conducted in 2017 with 281 Asian enterprises showed that security and privacy were the second and fourth biggest challenges for them with their IoT deployments.
Figure 1: Challenges in IoT Deployments in Asia Pacific, GlobalData IoT Project Insight 2017, n (Asia-Pacific) = 281
It is not uncommon for security to be the main challenge for new technologies. What makes security more complicated in IoT is the convergence of IT and operational technology (OT). The protection is required not only for the traditional IT systems such as network, server and end-user devices (e.g., laptops, tablets, smartphones), but also for the non-IT devices that were never connected to any IP network before. This could be company vehicles such as delivery trucks, facilities (e.g., meeting rooms, elevators) or operational devices like production machineries in factory. A cyberattack to these operational devices could cause bigger impacts to business – for example, outages in facilities, delays in delivery and declines in production.
Today, there are various security measures across IoT stacks (e.g., firewall, anti-malware, anti-DDoS, encryptions and authentications), which are often bundled with the overall solutions to provide end-to-end protection against cyberattacks. However, with the advancements of machine learning (ML) and artificial intelligence (AI), bots have also evolved to outsmart the standard IT protections. The Mirai botnet, for example, brought down several major websites in 2016. A more recent example is IoTroop or Reaper, which was discovered by a Chinese security firm (Qihoo 360 Netlab) and an Israeli firm (Check Point) in late 2017. Unlike other botnets, IoTroop or Reaper has been able to infiltrate into a network by performing vulnerability scanning to find a safe access in order to minimize malware detection rate. The botnets can also reprogram themselves once they get access to the control service, to rapidly infect other devices in a network and perform different tasks defined by the hacker. The standard IT security measures are no longer enough for IoT. Anti-bot solutions are becoming crucial as an additional protection layer in IoT deployment, especially in providing first-level protection against botnets.
Anti-bot service is not new. Security providers have been adding this capability to their portfolios. Examples include Akamai with its Bot Manager and Symantec with Norton AntiBot. Moreover, Alibaba recently launched its cloud-based anti-bot service, and other providers have the protection as part of their endpoint security service. However, most anti-bot use cases today are around website, mobile app and API protections to prevent online scalping and user enumeration in e-commerce, banking and airline sectors. The development and support for bot protections to work on IoT devices or in IoT networks is still limited.
This is an area where IoT device manufacturers and service providers need to focus. IoT device manufacturers need to ensure the chipsets, operating systems and modules are not only equipped with encryption and authentication capabilities, but also have sufficient compute and storage power to run security application services such as botnet protection. IoT service providers can also play their roles in driving the security requirements in devices through more rigorous testing. This enables them to improve the overall protection to minimize system vulnerabilities inherent from new devices.