Zero Trust Security Is The Growth Catalyst IoT Needs
- McKinsey predicts the Internet of Things (IoT) market will be worth $581B for ICT-based spend alone, growing at a Compound Annual Growth Rate (CAGR) between 7 and 15% according to their study Internet of Things The IoT opportunity – Are you ready to capture a once-in-a-lifetime value pool?
- By 2020, Discrete Manufacturing, Transportation & Logistics and Utilities industries are projected to spend $40B each on IoT platforms, systems, and services according to Statista.
- The Industrial Internet of Things (IIoT) market is predicted to reach $123B in 2021, attaining a CAGR of 7.3% through 2020 according to Accenture.
IoT is forecast to be one of the tech industry’s fastest-growing sectors in the next three to five years, as many market estimates like the ones above illustrate. The one factor that will fuel IoT to rapidly grow to new heights or deflate demand just as quickly is security across the myriad of endpoints.
Zero Trust Security (ZTS) is the force multiplier IoT needs to reach its true potential and must be designed into IoT networks if they are going to flex and scale for every endpoint and protect every threat surface.
IoT Needs A Security Wake-Up Call Now
Industrial Control Systems (ICS) provides a cautionary tale for anyone who thinks enterprise networks don’t need endpoint security and the ability to control access from any point inside or outside an organization.
Chemical, electricity, food & beverage, gas, healthcare, oil, transportation, water services and other key infrastructure industries have relied on ICS applications and platforms for decades. They were designed to deliver reliability and uptime first with little if any effort put into securing them.
However, the glaring security gaps in ICS provide the following lessons for IoT adoption now and in the future:
- Only digitally enable an endpoint that can verify if every person or device attempting access is authorized, down to the risk score and device level. ICS endpoints were added as fast as utility companies and manufacturers could enable them with speed of deployment, reliability measurement, and uptime being the highest priorities. Security wasn’t a priority with the results being predictable: now many nations’ power grids are vulnerable to attack due to this oversight. With IoT, utilities need to start designing in security to the sensor level using Next-Gen Access as the foundation, leveraging Identity-as-a-Service (IDaaS), Enterprise Mobility Management (EMM) and Privileged Access Management (PAM) to enable Zero Trust strategies organization-wide. Next-Gen Access calculates a risk score predicated on previous authorized login and resource access patterns for each verified account. When there is an anomaly in account credentials’ use, users are requested to verify with Multi-Factor Authentication (MFA).
- An ICS doesn’t learn from security mistakes, while NGA gets smarter with every breach attempt. A typical ICS is designed to make operations more efficient and reliable, not secure. Even with many endpoints of an ICS being digitally-enabled today with device retrofitting common, security still isn’t a priority. Instead of digitally enabling IoT sensors purely for efficiency, Next-Gen Access needs to be designed in at the sensor level to protect entire networks. Zero Trust Security’s four main pillars are to verify the user, validate their device, limit access and privilege, and learn and adapt. Machine learning is relied on for learning and adapting in real-time to access requests and threats.
- ICS assumes no bad actors exist while NGA knows how to stop them. Bad actors, or those who want to breach a system for financial gain or to harm a business, aren’t just outside. Verizon’s 2017 Data Breach Investigations Report finds that 25% of all breaches are initiated from inside an organization and 75% outside which makes NGA essential for attaining Zero Trust Security on an enterprise level. Of the ICS being protected today, the majority are reliant on trusted and untrusted domains, a security technology over two decades old. When organized crime, state-sponsored hacking organizations or internal employees can quickly compromise privileged credentials, entire utility systems are at risk.
- Replacing security-obsolete ICS with IoT-based systems that have NGA designed in to flex for every person and device shuts down physical and digital attack vectors organization-wide. The strategic security plan for any IoT-enabled enterprise has to prioritize faster automated discovery, configuration and response if it’s going to survive against highly orchestrated attacks. NGA has proven effective at thwarting unauthorized privileged credential attacks while continually learning from usage patterns of authorized and unauthorized users.
ICS have some of the most porous, incomplete security perimeters of any enterprise systems. 63% of all ICS-related vulnerabilities cause processing plants to lose control of operations, and 71% can obfuscate or block the view of operations immediately according to the Dragos Industrial Control Vulnerabilities 2017 in Review. ICS needs an overhaul starting with Next-Gen Access, enabling Zero Trust Security across every employee and device that forms an organizations’ security perimeter.
Bain & Company released a study on the price elasticity of IoT-enabled products by security level. They found that 93% of the executives surveyed would pay an average of 22% more for devices with better security. Taken together, Bain estimates that improving security solutions for these devices could grow the IoT cybersecurity market by $9B to $11B.
The speed at which manufacturers are building smart, connected products accentuates the need for Zero Trust Security powered by Next-Gen Access from their inception. Security as an afterthought won’t be effective at the scale and pace of IoT.