IoT Security Spending Reaching $1.5 Billion This Year and Growing: Gartner

Providing security for Internet of Things devices is getting expensive and will become costlier, according to a Gartner report released in March. IoT security spending will reach $1.5 billion in 2018, up from $1.2 billion in 2017, a 28 percent increase, the analyst firm said.

"IoT security expected to reach $3.1 billion in 2021," Gartner projects.

One problem with IoT initiatives could be that organizations don't have control over the devices they have, so security becomes an overlooked management issue.

"In IoT initiatives, organizations often don't have control over the source and nature of the software and hardware being utilized by smart connected devices," Ruggero Contu, research director at Gartner, is quoted as saying. "We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organizations will look to increase their understanding of the implications of externalizing network connectivity."

Organizations may have gotten to the point where they need tools to tell them what they have and how devices work, because of the ad hoc way business units may have deployed IoT. Gartner suggested that what is needed is "security by design."

IoT devices may have been acquired and deployed by vertical business units. Operations may have found one type of IoT solution while manufacturing and information technology went in other directions. In terms of overall architecture, who knows what is where? With industry or regulatory standards only starting to emerge, what security technology is even available for the devices an organization already has deployed?

An HP Internet of Things research study from 2015 found that at that time "80 percent of devices along with their cloud and mobile application components failed to require passwords of sufficient complexity and length."

HP also reported that "70 percent of devices used unencrypted network service."

The HP report seemed prescient coming a year before the Denial of Service (DNS) attack in October 2016 that brought down parts of the Internet in North America.

But hackers don't necessarily need sophisticated methodologies to gain control of devices because in cases of inexpensive IoT products, getting the password is virtually child's play, explains J. Steven Perry in an IBM developerWorks article.

While noting that there are IoT device manufacturers who take security seriously, Perry notes that makers of inexpensive devices are more focused on making it easy to set up their product. Of course, it doesn't take a genius geek to get hold of the standard log-ins.

"Manufacturers continue to use easy userid/password combinations (for example, admin/admin, user/user, and so forth), or make up new, equally simple ones, which then quickly join the ranks of known vectors," Perry explains.

Those pushing industry standards such as embedded cryptography may eventually improve IoT security, he writes. But IoT is still in early days and reality doesn't always match up with ideals. So IoT adoption requires a buyer beware mentality.

"Unfortunately, many IoT devices do not support encryption, which means you need to really do your homework when investigating the devices you intend to use as part of your overall solution to make sure they provide encryption," Perry cautions.

Gartner predicts that IoT security holes will be addressed in the future especially for industries such as healthcare and automotive, which are already heavily regulated.

By 2021, Gartner predicts IoT security will increasingly be driven by the need to comply with industry and government regulation.

"Industries having to comply with regulations and guidelines aimed at improving critical infrastructure protection (CIP) are being compelled to increase their focus on security as a result of IoT permeating the industrial world," according to Gartner.

Growth of the Industrial Internet of Things (IIoT), where industries deploy a range of connected devices to automate business processes, is creating a need for greater security investment.

"Interest is growing in improving automation in operational processes through the deployment of intelligent connected devices, such as sensors, robots and remote connectivity, often through cloud-based services," Contu said. "This innovation, often described as Industrial Internet of Things (IIoT) or Industry 4.0, is already impacting security in industry sectors deploying operational technology (OT), such as energy, oil and gas, transportation, and manufacturing."

But until 2021, it may still be caveat emptor.