The Internet of Things (IoT) is a reality. Gartner forecasts 25 billion IoT devices in 2021, and other industry sources and analysts predict even larger numbers. Although projections of unprecedented growth are ubiquitous among industry pundits, the efforts to secure this tsunami of connected devices are in their infancy.
The IoT is still relatively new, so it lacks regulations that mandate security. The potential for misuse, however, is massive—and could lead to major embarrassment (and worse) for businesses and consumers. Connected devices have already been utilized to launch massive DDoS attacks on websites, in-home security cameras have been hacked and used to spy on people, and sensitive consumer data has been compromised. Timely testing and securing of IoT is the need of the hour.
IoT systems (including the Industrial Internet of Things [IIoT] and connected machinery) are quite complex from a security perspective, and they pose several contrasting challenges.
Unlike traditional web apps, IoT software is deployed on thousands and even millions of devices and are always on, so vulnerabilities are magnified over a much wider attack surface.
A lot of IoT devices are embedded within equipment that lasts a long time—even decades (automobiles, subsea devices, HVAC systems, and so on). It’s often hard to deploy patches on or upgrade the software contained in these devices as frequently. The likelihood of vulnerabilities persisting in these devices for months to even decades is extremely high.
The large majority of IoT devices run on open source operating systems and on off-the-shelf hardware and networks. The inherent vulnerabilities baked into open source software makes them even more susceptible to attacks.
5G is expected to usher in the IoT era to an even greater extent. With its high bandwidth and speed, it will connect everything and remain always on. This increases the likelihood of an attack, and a public network is always more susceptible to an attack.
Consider IoT systems within the context of medical devices, automotive equipment, and consumer electronics. From a security testing perspective, these mixed-technology deployments have a multitude of potential attack surfaces and technologies that must be protected.
Many vendors can address either one or a few of the IoT areas that need to be secured. Synopsys is the only solution provider with the tools and expertise to manage them all under one roof with systems-level oversight. In the next part of this IoT security blog series, we will explore the best practices of combining a variety of testing techniques, tools, and expertise to secure your complete IoT ecosystem.