Help Wanted: Cybersecurity Solution Providers
Companies that can provide innovative ways to secure IoT devices are getting the golden ticket from investors. Solution providers should respond by moving cybersecurity up the priority list.
As IoT devices hit the market in record numbers this year, investors are starting to pour funding into companies that can develop cyberphysical security solutions. According to a report from Lux Research, venture capital investment in cyberphysical security startups rose 78 percent to $228 million in 2015. This year, investment funding will rise to $400 million as rapid adoption of IoT raises the threat to products such as connected cars, smart homes and future factories.
“Connected consumer and business products have begun flooding the market, but security has been an afterthought. The world now has to figure out how to secure the multitude of things that have recently become connected,” said Mark Bünger, Lux Research Vice President, in a recent statement. Bünger is the lead author of the report, Cybersecurity Venture Investment in Pervasive Computing and in the IoT. “Unlike the hacking of credit card numbers and Hollywood feature films, these attacks have more dangerous consequences and threaten the integrity of critical infrastructure,” he added.
He is not alone in worrying about the risks associated with the thousands of IoT devices already in use in critical industries such as transportation, smart factories and the healthcare industry. This week, a hacker was able to modify several Texas Department of Transportation digital signs in the Dallas area, changing the message from traffic alerts to "go back home" and political content.
The escalating investments in security for IoT make sense, especially when you take a look at the numbers from vulnerability testing of IoT solutions at work today. A report from HP found that 70 percent of the most commonly used IoT devices are vulnerable to attack.
Protecting the IoT Ecosystem
For the solutions provider aiming to secure devices and networks in the IoT ecosystem, the takeaway is clear: providing IoT security is multi-dimensional and requires specialized knowledge and expertise. Using the results from IoT device testing, the HP report outlined these five key areas where IoT security was lacking and the related device vulnerabilities:
- Privacy. More than 80 percent of the devices tested raised privacy concerns. Many devices connect to mobile apps that work alongside the IoT tool and collect some form of personal data such as name, address, date of birth, credit card numbers and even personal health information. That data is often sent or transferred on unencrypted network services.
- Authorization. Among the devices tested, 80 percent failed to require passwords of sufficient complexity and length, allowing “1234” or other weak passwords.
- Encryption. Among the IoT devices tested, 70 percent did not encrypt communications to the Internet or local network, while 50 percent of their mobile apps had unencrypted communications to the cloud, Internet or LAN.
- Web interface. For the tested devices, 60 percent had security concerns with user interfaces, such as persistent XSS, poor session management, weak default credentials or credentials transmitted in clear text.
- Software. When downloading software updates, 60 percent didn’t use encryption, and some downloads could be intercepted, extracted and mounted, allowing the full code to be viewed or modified, creating an open door for an attack.
Securing the devices will take multiple steps, not only from the manufacturers but also from solutions providers and businesses implementing the tools. HP recommends conducting security reviews of devices and all components, including automated scanning, review of the network traffic, and frequent monitoring of the interactions of the devices with their cloud and mobile app counterparts. A good starting point to identify vulnerabilities is the Open Web Application Security Project (OWASP) Internet of Things Project, which provides security guidance, testing guides and an IoT framework assessment.