IoT Security Spending Projected To Reach $1.5 Billion by End of 2018

According to a recently released Gartner report security spending for IoT devices will reach $1.5 billion in 2018, up from $1.2 billion in 2017 -- a 28 percent increase, the analyst firm said.

And the firm expects that number to reach $3.1 billion by 2021, according to the report.

"In IoT initiatives, organizations often don't have control over the source and nature of the software and hardware being utilized by smart connected devices," Ruggero Contu, research director at Gartner, is quoted as saying. "We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organizations will look to increase their understanding of the implications of externalizing network connectivity."

Gartner suggested that what is needed is "security by design."

Organizations may have gotten to the point where they need tools to tell them what they have and how devices work, because of the ad hoc way business units may have deployed IoT.

IoT devices may have been acquired and deployed by vertical business units. Operations may have found one type of IoT solution while manufacturing and information technology went in other directions. In terms of overall architecture, who knows what is where? With industry or regulatory standards only starting to emerge, what security technology is even available for the devices an organization already has deployed?

An HP Internet of Things research study from 2015 found that at that time "80 percent of devices along with their cloud and mobile application components failed to require passwords of sufficient complexity and length."

HP also reported that "70 percent of devices used unencrypted network service."

The HP report seemed prescient coming a year before the Denial of Service (DNS) attack in October 2016 that brought down parts of the Internet in North America.

But hackers don't necessarily need sophisticated methodologies to gain control of devices because in cases of inexpensive IoT products, getting the password is virtually child's play, explains J. Steven Perry in an IBM developerWorks article.

While noting that there are IoT device manufacturers who take security seriously, Perry notes that makers of inexpensive devices are more focused on making it easy to set up their product. Of course, it doesn't take a genius geek to get hold of the standard log-ins.

"Manufacturers continue to use easy userid/password combinations (for example, admin/admin, user/user, and so forth), or make up new, equally simple ones, which then quickly join the ranks of known vectors," Perry explains.

Those pushing industry standards such as embedded cryptography may eventually improve IoT security, he writes. But IoT is still in early days and reality doesn't always match up with ideals. So IoT adoption requires a buyer beware mentality.

"Unfortunately, many IoT devices do not support encryption, which means you need to really do your homework when investigating the devices you intend to use as part of your overall solution to make sure they provide encryption," Perry cautions.

Gartner predicts that IoT security holes will be addressed in the future especially for industries such as healthcare and automotive, which are already heavily regulated.

By 2021, Gartner predicts IoT security will increasingly be driven by the need to comply with industry and government regulation.

"Industries having to comply with regulations and guidelines aimed at improving critical infrastructure protection (CIP) are being compelled to increase their focus on security as a result of IoT permeating the industrial world," according to Gartner.

Growth of the Industrial Internet of Things (IIoT), where industries deploy a range of connected devices to automate business processes, is creating a need for greater security investment.

"Interest is growing in improving automation in operational processes through the deployment of intelligent connected devices, such as sensors, robots and remote connectivity, often through cloud-based services," Contu said. "This innovation, often described as Industrial Internet of Things (IIoT) or Industry 4.0, is already impacting security in industry sectors deploying operational technology (OT), such as energy, oil and gas, transportation, and manufacturing."