To discuss the subject of Internet of Things and the rising risks, Digital Journal spoke with security expert Roy Dagan about the current IoT threat landscape. Roy Dagan is CEO and co-founder of SecuriThings, which provides a security solution that enables IoT service providers to have full, real-time visibility and control of their customers’ IoT solutions.
Digital Journal: How big is the Internet of Things set to become?
Roy Dagan: Current estimates are that there are currently more connected devices than people and that the number will surge to 125 billion by 2030. The real impact will not be measured by the sheer number of devices though. With time, the devices will “disappear” into the background and will be seamlessly integrated into buildings, walls, roads and physical appliances. Instead, we will notice their application and insights; for instance, we will be notified that a certain road is slippery due to rain or dirt, and our self-driving vehicle will automatically adjust its chassis stiffness to overcome this.
DJ: Which sectors are making the fastest and best use of IoT?
Dagan: The industrial sector, smart cities, transportation (both public and private self-driving vehicles), agriculture and physical security/surveillance
DJ: How real are security risks for IoT?
Dagan: Very real. There is a constant stream of new IoT-specific malware aimed at breaching IoT devices, recruiting them to botnets, and using them for denial-of-service attacks or mining cryptocurrencies. More novel threats include the use of specific IoT devices (such as smart locks) for sabotage, terror or extortion, and the use of home devices for breaching the privacy of consumers.
DJ: Are some systems or sectors better protected than others?
Dagan: Not all IoT deployments are the same. Broadly speaking, the IoT landscape is divided into three parts. First is smart home appliances, which communicate to the web via the home router or directly to the cloud. These devices represent the greatest risk to privacy if not secured properly.
Second are Industrial and Enterprise IoT deployments. This includes all the devices that belong to a corporate IT or OT network. This network can be gated behind a firewall and network security means, so it is secured to some extent. In addition, corporations have the know-how and funds to secure themselves. Still some devices communicate directly with the Internet and require additional security.
Third are “Out of the perimeter” IoT deployments: This is the most challenging group of devices to secure, as they are installed in the field and connect directly to the cloud via their IoT service providers. IoT service providers are price-conscious and reluctant to add security mechanisms that will raise the cost of devices or impact their performance. They also lack the skilled security manpower to manage it. Today such deployments lack visibility and enforcement capabilities, which is what SecuriThings can provide.
DJ: Where are the main threats coming from?
Dagan: Most of the attacks to date have been conducted by small-time cybercriminals, amateur hackers and hobbyists, with motivations ranging from the desire to showcase their prowess to fighting turf wars or thrashing business competitors and media. However, we don’t believe it will remain this way for very long. Professional cybercriminals have already started to realize the potential and nation-state hackers will soon follow.
DJ: What can businesses investing in IoT technology do to protect themselves?
Dagan: They need to act with security in mind and deploy security solutions alongside the IoT solutions, rather than as an afterthought. They need to ensure that the end clients are well secured and receive a high quality of service without risking their security or privacy.
DJ: How about future proofing? What are the key steps here?
Dagan: The key steps are to keep updating the technology to secure new devices, platforms and protocols. This requires extensive R&D on our end but is absolutely necessary to ensure that our security solutions are up to date. One example of this is the move towards edge computing, which will require that we collect the data, analyze it and act on the device level.
