Regulation for IIoT is on its way – but is it enough?

Two of the biggest technology trends today - IoT (Internet of Things) and M2M (machine-to-machine) communications - are changing the business world beyond all recognition.

Companies of all sizes, from major manufacturers to small-and medium-sized services companies from all sectors, now have a golden opportunity to derive new revenue streams from managing and servicing their customers’ equipment remotely.

According to leading industry analysts, the IoT market already accounts for hundreds of billions of dollars in 2017 – a figure that is set to be in the trillions by 2021. But new research reveals IoT is also a major headache for enterprises everywhere because of limited information and inadequate security measures. Legislators in the U.S. and in Europe are working to bring in standards compelling designers to do more to make their devices secure.  But the signs are that even then they may be limited in scope. The good news at least is that remote connections can be reliably secured so that M2M communications remains private and confidential using virtual private networks (VPNs).

Industry analysts IDC have forecasted the growth in M2M communications spending will reach $1.4 trillion by 2021. One of the biggest markets is the U.S. government. Between 2011 and 2015, government spending on sensors increased almost three-fold.

It’s calculated that by the end of 2017, the U.S administration and its suppliers will be handling IoT gadgets and devices worth over $800 billion.

The accelerated growth of IoT is also a security concern for EU legislators, where connected devices are expected to increase from 1.8 billion in 2013 to around six billion by 2020.

Top Industrial IoT (IIoT) applications in 2017 are manufacturing operations, freight monitoring and production asset management. Other major M2M investment areas are electricity, gas and water and smart building technologies. Nascent but rapidly growing areas of IIoT development include airport facilities automation, electric vehicle charging and in-store contextual marketing.

So rapid has the innovation and uptake of IIoT devices been by enterprises that regulatory standards development has failed to keep pace.

Companies are increasingly apprehensive that the lack of security regulation for IIoT devices could pave the way for countless hacks, breaches and privacy exploits as occurred with the Mirai botnet of 2016.

According to a survey of more than 600 IT Pros by ForeScout Technologies, a huge majority (82%) of enterprises have concerns over passing security audits as they are unable to identify all IoT and operational technology (OT) devices on their networks.

While such lack of information and security inconsistencies persist, the need for regulation grows ever more urgent.

Increasing reliance on a new generation of IP-connected machines has caused many companies to fear their internet-dependent products and industrial tools may be wide open to attacks from hackers.

In 2016, the European Commission announced proposals for new legislation to tackle the risk of cyber attacks against IP-connected devices.

The plan is to compel IIoT equipment manufacturers to comply with a set of rigorous security standards. This would include subjecting devices to diverse certification processes so that complete data privacy may be assured.

The Commission has identified a key issue with IoT. Officials say it is important device manufacturers do not simply focus on one component. They must also take the network and the cloud into account. The plan is to encourage manufacturers to come up with a way to label internet-connected devices to show they have been certified to meet security criteria.

Twelve months later, the U.S. has joined in on the quest for standards with the publication of the Internet of Things Cybersecurity Improvement Act of 2017.

While acknowledging the enormous benefits IoT brings to the U.S. economy, the bill seeks to address some of the security flaws that make smart devices vulnerable to outside attack.

Unlike its all-inclusive European counterpart, the U.S. bill restricts itself to proposing a set of standards governing IoT equipment sold to U.S. central government and its federal agencies.

The bill stipulates vendors of IP-connected equipment to the U.S. government must ensure products conform to industry security standards and can be patched to allow them to be protected against new emerging threats.

At the same time, it calls on the government to keep a central inventory of all IoT devices in use by federal agencies, expressly forbidding devices with hard-coded passwords or other known security vulnerabilities.

The regulation is deliberately light-touch to allow federal agencies the flexibility to gain approval to purchase non-compliant devices provided they have other controls, like network segmentation, in place. There is also protection for researchers engaged in ethical hacking to alert manufacturers to undiscovered security flaws.

The measures to enforce better security in IIoT devices and M2M communications proposed in the EU and U.S. are a start. Yet, no one knows how long will it take for them to be ratified or if they will do enough to eliminate IoT vulnerabilities entirely.

In the meantime, the best way to protect IIoT remote connectivity is via Virtual Private Network (VPN) software. Enterprises are advised to adopt a three step defense approach, starting with a full understanding of what every device does. Next, apply security checks to each individual connection and ensure every IIoT device can be managed remotely. Finally, implement hardware/software network certification and centrally managed remote configuration of devices.

In summary, the rise in IIoT and M2M communications implementation in the enterprise has been meteoric.  Regulation has been left playing catch up.

Regulation aimed at improving the security measures being built into devices are at last taking shape on both sides of the Atlantic, even if there are serious question marks over how long it will take and whether they will go far enough.

In the meantime, managed VPN software remains the most reliable way to protect M2M connections by encrypting data transferred between devices so that it remains private and secure.