IoT evolution:
Security trails deployment

In this section:

85% of organizations are considering, exploring or implementing an IoT strategy.1

88% of organizations lack full confidence in the security of their business partners' connected devices.2

Bottom line: The IoT's potential impact on your business is significant — as is the risk.

In 1999 Kevin Ashton, an assistant brand manager at Procter & Gamble, delivered a presentation about wireless connectivity with an intriguing title: "Internet of Things." Sketching out a futuristic scenario in which computers "knew everything there was to know about things," Ashton predicted that the IoT “has the potential to change the world, just as the Internet did. Maybe even more so."3

A decade and a half later, the digital shift that Ashton imagined is well underway. Organizations are using the IoT to glean new operational insights, grow revenues, reduce costs, and increase productivity.

This extensive ecosystem of interconnected devices, operational tools, and facilities holds much promise for connecting people, processes, and assets in ways that profoundly impact how we live and work.

For example, in the transportation sector, companies are using sensors to monitor movements of cargo, inventory, and delivery vehicles to improve efficiencies and reduce costs. Using information collected from bar codes, RFID tags, or other embedded sensors, businesses can manage and optimize delivery routes and track vehicle performance. Sensors also enable business to react quickly to environmental or other threats, such as a dramatic temperature change in a refrigerated truck.

85% of global organizations are considering, exploring or implementing an IoT strategy.

B&P Enterprises — an emergency response specialist that operates 200 vehicles and over 400 other pieces of construction and marine equipment across the United States — used a fleet management solution to decrease DOT violations by 80% and save $86,000 annually on insurance.4

In the agriculture sector, OnFarm, a California-based startup, has built an IoT platform that collects data from multiple types of farm equipment. Using IoT-connected equipment, such as irrigation systems, OnFarm has been able to help growers improve crop management.5

AT&T's State of IoT Security survey finds that 85% of global organizations are considering or exploring an IoT strategy, with one-quarter already piloting or implementing IoT-related projects. Connected devices now number in the thousands for two-thirds of the respondents, and almost one-third say they have more than 5,000 connected devices across their organization.

These deployments are contributing to a rapidly growing number of connected devices that is expected to swell to anywhere between 30 billion6 (excluding smartphones) and 50 billion7 (including smartphones) by 2020.

The impact is already being felt across industries and with consumers alike. Organizations are widely deploying the IoT to become more efficient in customer-facing, back-office, and supply chain operations.

Beyond cost savings, businesses are beginning to tap into the IoT for new revenue models, often from products, platforms, and services that enable smart homes, offices, and supply chains. For example, by automating and streamlining common tasks performed by security systems, thermostats, electric meters, and lighting, devices for the digital home are already replacing many labor-intensive chores and offering unprecedented convenience.

IoT deployments are on the rise

"Organizations need to infuse security expertise early into the process so that the IoT is architected for security. We’ve already seen the consequences when that doesn’t happen."

Jason Porter
Vice President, Security Solutions
AT&T

Collaboration is key.

A lack of foundational security increases risk

As IoT deployments increase in both number and scope, one concern rises to the top of the CEO's agenda: security. Just 10% of respondents to the AT&T survey are fully confident that their connected devices are secure, and only 12% are highly confident about the security of their business partners' connected devices.

10% of organizations are fully confident that their connected devices are secure.

Given that backdrop, it's no surprise that more than two-thirds (68%) of the respondents say their companies plan to invest in IoT security in 2016. Half of those organizations are earmarking at least one-quarter of their security budgets toward the IoT.

Even though these organizations plan to invest in IoT security, they may have some catching up to do. At many organizations, IoT devices are being deployed without proper security measures. This shortcoming is in part because many vehicles, shop-floor equipment, and other increasingly IoT-enabled devices were not built with Internet connectivity — or the requisite security — in mind.

IoT grabs a share of IT security budgets.
Methods for identifying connected devices vary.

For this reason, the IoT ecosystem has become a digital Petri dish for hackers and other cybercriminals eager to probe for new weak spots. Over the past two years, AT&T's Security Operations Center has logged a 458% increase in vulnerability scans of IoT devices.8

AT&T has logged a 458% increase in vulnerability scans of IoT devices in the last two years.

In many cases, IoT exploits mimic traditional cyberattack methods. In New Zealand, hackers reverse engineered the firmware of a popular line of home security cameras, accessed the cameras' IP addresses from a file-sharing website, and commandeered the cameras' streaming video links. The company that made the device allowed its customers' login credentials to be transmitted unencrypted over the Internet, leading to hundreds of camera feeds being accessed and posted online.9

The IoT attack surface is magnified by scale, distribution, and the broad spectrum of IoT endpoints, from the very simple to the highly sophisticated. It's possible that some of these devices are not even being monitored. Nearly half of the AT&T survey respondents admit they are merely estimating the number of connected devices they have. Just 14% have a formal audit process in place, while an additional 38% use device management systems or software to identify connected devices.

The stakes climb even higher as these devices are interconnected by the thousands — and begin to bridge the digital and physical worlds.

The business community is all too familiar with the financial and reputational damage that a cyberattack on corporate databases can cause. With IoT devices, however, those risks can be transferred into the physical realm. The ability to compromise or manipulate devices that control critical systems carries far more severe consequences. For example:

Cyberattackers inflicted “massive damage” on a blast furnace at a German steel mill in late 2014 after a phishing attack allowed them to steal employee login information. Germany's Federal Office for Information Security says the attackers exploited that information to access the plant's office network and production systems. They subsequently disrupted operations to such a degree that a blast furnace could not be properly shut down.11

"With the IoT, the information associated with an individual device may not be as important as the role the device plays in the IoT ecosystem. If the device were to fail or be manipulated, what are the impacts?"

Jen Morovitz
Director, Technology Security
AT&T

Security spotlight: IoT-connected car

Security spotlight: Connected car

What it is: IoT-connected cars bring value by improving safety, reducing operational costs, and streamlining traffic flow. A variety of in-vehicle IoT sensors gather performance data to monitor maintenance schedules, troubleshoot problems, and analyze usage. Other sensors, paired with voice controls and mobile apps, add functions such as navigation and a variety of infotainment features.

AT&T has alliances with nine top automakers. More than 10 million connected cars are expected on the AT&T Network by the end of 2017.

Security implications: The potential for a hacker to unlock and enable a car's ignition or remotely take over mission-critical systems — brakes, steering, transmission — has caught the attention of consumers, manufacturers, and legislators.

With the added possibility for the loss of personal information, such as current location or driving history, automakers and their partners are doubling down on efforts to improve security at all entry points.

Potential security safeguards: Look at all devices and sensors within the vehicle and identify possible weak points. Separate critical safety systems and engine control units so that they cannot be accessed through infotainment and tethered device connections. Build in multiple layers of security controls, including encryption, to protect mission-critical functions.

Restricting the interdependence of connected systems will help reduce cascading errors that can create a multitude of unrelated and potentially hazardous vehicular issues.

Telling stat: Reduced rates of collisions and theft thanks to in-vehicle IoT devices could lower insurance premiums by as much as 25%.10

Aircraft cockpit avionics systems and on-board computers.

"It's essential to architect IoT devices with security in mind. To minimize exposure to risk, it is important to isolate critical IoT devices and data from other communications."

Chris Penrose
Senior Vice President,
Internet of Things Solutions
AT&T

The U.S. Government Accountability Office warned in a 2015 report that someone could potentially use a laptop to access aircraft avionics systems and take control of an aircraft's on-board computers.12 At around the same time, a cybersecurity researcher admitted to the FBI that he had hacked into in-flight entertainment systems aboard aircraft 15 to 20 times between 2011 and 2014 — at one point, issuing a climb command to the aircraft on which he was traveling.13

Security must be the bedrock of IoT development

The risk to human safety adds an entirely new level of complexity to your information security strategy. That's why security must be the bedrock of IoT development and deployment, not an afterthought. The magnitude of the IoT is so significant that it's important to anticipate security needs and not react to new devices as they're deployed.

This approach will likely require rethinking traditional security governance models. In the AT&T survey, nearly two-thirds of respondents say IoT business strategy is shared across IT and business units, but IoT security at the majority of organizations (55%) is still managed through the IT department. Just as the business strategy is shared, so must security responsibilities be extended beyond the IT team.

Know the term:

Machine-to-machine (M2M)

Any direct interaction over any network of electronically enabled devices, with no human involvement in the communications loop.

Operational improvements are needed as well. Three-quarters of survey respondents say they analyze security logs and alerts from connected devices at least daily, with 34% doing so in real time. Real-time analysis will become increasingly important, but harder to achieve, as the volume of connected devices and machine-to-machine data grows. Companies will need to determine the right frequency for monitoring device activities based on their function and value.

Many different standards initiatives are underway for IoT security, governing everything from application development to device identity verification. Although it's important to engage with the associations representing your specific industry, you can't afford to wait for standards to take hold. The steps you take now to secure IoT devices will have a direct impact on your ability to do business with customers and partners in the IoT economy.

"When you're making health care decisions based on analytics coming from connected medical devices, corruption of that data could lead to catastrophic consequences."

Todd Waskelis
Executive Director,
Security Consulting Services
AT&T Consulting

Industrial and manufacturing IoT-connected devices

Security spotlight: Industrial / manufacturing

What it is: The value IoT-connected devices offer industry and manufacturing is the improvement of overall production and efficiency. The proliferation — and connection — of sensors, actuators, and other devices on industrial machinery is at the heart of a transformation sometimes labeled industry 4.0 or smart manufacturing.

Connected IoT devices transmit data, such as equipment operations, environmental conditions, and maintenance needs. Sensors measure and report machine tool tolerances, fluid temperatures, and other critical data. They can also warn when equipment is moving close to operational parameters, prompting preventive maintenance or shutdowns to avoid costly repairs and unanticipated disruptions.

AT&T connects more than 25 million connected devices worldwide.

Security implications: Care must be taken to protect data about manufacturing operations and to prevent unauthorized access to interconnected networks. Industrial sabotage, the targeted disruption of processes or damage to products by competitors, often has strong financial backing and is technologically sophisticated. Cybercriminals also can operate as modern-day burglars by hacking into systems to unlock a facility and steal property.

Of particular concern: threat scenarios where IoT-connected robots or other remotely actuated machines are compromised, potentially resulting in manufacturing errors, equipment or parts damage, or even employee harm.

Potential security safeguards: Understand what IoT-connected devices are doing and how they are communicating. Partition the networks of major industrial processes to isolate and prevent a cyberattack spreading throughout the organization. Establish authentication/ authorization controls throughout the ecosystem, with steps to securely patch and update software and firmware. Implement detective controls to identify and contain security breaches as they occur — rather than six months after a pernicious attack.

Telling stat: 35% of U.S. manufacturers are using data generated by smart sensors to enhance their manufacturing or operating processes.14