There’s an $11bn opportunity in IoT cybersecurity

And CENSIS is supporting businesses, academics and the public sector to unlock it. In the process, we’ll help protect critical national infrastructure, as well as supporting economic growth, writes Dr Cade Wells, Business Development Manager, CENSIS

Cybersecurity is the key to unlocking demand in the Internet of Things (IoT), according to recent research from consultants Bain & Co. If manufacturers could improve security on IoT devices, businesses would not only buy more IoT devices, they’d pay 22% more for them.

As a result of these premiums and higher sales, the IoT cybersecurity market, worth around $9 bn, could grow to $11 bn.

That’s quite a carrot. And if device manufacturers are in any doubt about the importance of IoT cybersecurity, they’re also going to have some sticks to grapple with.

For example, California has grabbed tech headlines recently, passing an IoT cybersecurity law that from 2020 will require manufacturers to design-in ‘reasonable’ security features to protect personal information relating to the user. And here in the UK, the Department of Culture, Media and Sport (DCMS) launched its Secure by Design report earlier this year, and has a draft Code of Practice for manufacturers of consumer IoT devices.

Key issues around IoT cyber security

The California and UK initiatives are welcome, not least because they raise the profile of IoT cybersecurity, but they highlight key problems around this area.

  • The California law illustrates how IoT cybersecurity activity is often siloed in geographic regions or specific applications or technologies. Yet IoT devices, their subsystems and electronic components are traded globally and used globally.
  • Like the DCMS draft Code of Practice, much discussion focuses on consumer IoT products. But there’s much more at stake here than attacks on smart TVs. We’re talking about protecting healthcare systems, manufacturing supply chains, and critical national infrastructure such as transport, energy and communications networks.
  • Technology tends to develop more quickly than legislation or standards, so it could be argued that there’s a risk of standards being outdated or legislation stifling innovation.
  • According to a recent Gartner report, the terms ‘cyber security’ and ‘IoT cyber security’ are poorly understood and often misused. If organisations can’t define them, says the report, they can’t develop effective risk management policy and controls around them.
  • It’s challenging for procurement teams to make effective assessments on how secure a potential service or product is. Some products have complex supply chains and there’s a risk of cloned, insecure components or subsystems entering the manufacturing process. As a minimum, we want IoT devices to be ‘secure by design’, but we also need assessments to be made during the whole manufacturing process and potentially during the product lifecycle.
  • Last but not least, there’s a general lack of skills and knowledge in this area, especially in terms of finding people with combined expertise in both embedded electronic systems and cyber security.

Cyber security now a core focus for CENSIS

This is where CENSIS – never shy of taking on the big IoT issues – can help. Given our focus on IoT solutions, from helping to roll out IoT connectivity across Scotland to supporting SMEs to develop IoT products and services, IoT cyber security is now a core area of activity for us.

Recent activity has included meeting with the first IoT Security Foundation Working Group for Smart Buildings, and contributing to the Cyber Resilience Economic Opportunity Action Plan by working with the Scottish Government, enterprise agencies and other innovation centres to ensure adequate cyber security is embedded in any publicly funded innovation projects.

We’ve also got IoT cybersecurity projects on the go and in development, which will create revenue and growth opportunities for businesses and could help put Scotland at the forefront of IoT cybersecurity.

The Keysight-Edinburgh Napier project

A key CENSIS-supported project already up and running is an IoT cybersecurity project involving Edinburgh Napier University and Keysight Technologies. The project partners are using data analytics to identify ‘side channel’ vulnerabilities in IoT devices – electromagnetic, power and acoustic signals that hackers can use to crack encryption codes.

With the data they gather, they aim to develop a test framework that manufacturers and designers can use to implement security by design – rigorously testing their devices at every point from concept through to production prototypes. There’s also the possibility to develop a formal industry framework for testing the security of IoT devices.

To quote Doug Carson of Keysight, who’s been working on the project with CENSIS and Edinburgh Napier University, “Every device connected to our critical infrastructure is a potential way in for hackers, so it’s essential we help every supplier to test their devices against rigorous standards before they are ever put into the field.”

As governments and businesses are both aware, we’ve a way to go on improving IoT cyber resilience. But CENSIS support for projects such as the Keysight-Edinburgh Napier project could contribute not just technical knowledge on security by design but cultural change too. The combination could be truly transformational in unlocking the potential of IoT, and CENSIS is delighted to be involved.

Dr Owen Lo of Edinburgh Napier University presents a case study on this project at the CENSIS 5th Technology Summit, 8 November 2018.
