2018 was the year of realisation for all players in the IoT ecosystem, including consumers, that security cannot be neglected. This is especially the case for devices that gather and store personal data. Both data security and data privacy will take center stage in 2019. After GDPR, we expect the US will also introduce unified regulations to protect citizens’ data. India is also introducing similar legislation in its IDPR.
Advanced IoT security tools such as Blockchain and AI are capable of securing data at rest and data in flow respectively. However, 2019 will see a slow transition from traditional to advanced IoT security tools with a niche adoption rate.
We expect a significant increase in overall investment and capital expenses in IoT security industry towards securing IoT products, platforms, the cloud, and services.
The following are the top 10 trends and prediction of 2019 :
Threat Escalation in 2019
- Collaboration and more partnership among hackers and cybercriminals: Hackers have been categorized into different groups such as traditional hackers, ideological hackers, state-sponsored attackers and hackers-for-hire. Going forward we expect these groups will start to overlap and eventually collaborate for ease of operation. Furthermore, we also expect to see some strategic alliances among these groups of hackers which will take advantage of each other’s products and services.
- Attack-as-a-service (AaaS): Malware-as-a-service and Ransomware-as-a-service are not new concepts. Their adoption was very niche but highly successful. In 2019, we are expecting malware, specifically ransomware, to increasingly use the remote desktop protocol as an entry point for infection. Furthermore, hackers may create and sell pre-attack packages of malware, exploits, botnets, and other services, which will give cybercriminals the option to choose various off-the-shelf products. Irrespective of cybercriminal experience, they can easily launch attacks with these pre-attack packages.
- ML as the next weapon: In the past few years, we have seen malware using evasion techniques to bypass machine learning engines. One of the recent examples from 2018 was Plucky ransomware that used InnoSetup to package the malware and avoid machine learning detection. Hence, bypassing the machine learning is already on the criminal to-do list. By the end of 2019, we expect hackers to leverage advanced machine learning tools to automate target selection by exploring and exploiting the vulnerabilities to find less secure systems.
- Data theft is the new cash-cow for Hackers: 2018 had landmark examples for the biggest data breach in the history of mankind, such as Facebook (87+ Million), MyHeritage (92 Million), Under Armour (150 Million), and allegedly 1.1 Billon records from Aadhaar Program (India's unique identity mission project). In the past few years, both the digital transformation and IoT has pushed more corporate and personal data to the cloud. In 2019, we expect a significant increase in data breaches, especially at the cloud level.
- Smart home devices and edge devices will be more vulnerable to attack in 2019: Smart home devices are easy targets to attack and deploy ransomware as they record and store personal data and are, generally, less well protected. Furthermore, edge devices are equipped with limited resources, mostly running on elementary operating systems. Hence, these IoT edge devices are unable to provide any self-defence features, such as the creation of a secure zone to protect stored data and embedded software. Edge devices were found to be vulnerable to sync attacks, false data injection, passive attacks, and malicious nodes.
Security Solution to Secure IoT Ecosystem in 2019
- Collaboration and more partnerships among cybersecurity solution providers: Cyber Threat Alliance is one of the best examples of these collaborations that formed to improve the cybersecurity of the global digital ecosystem. These collaborations bring unique resources that bundle the talents and skills of IoT security companies to bring their best solutions together to create more concerted offerings that can not only fight back against malware and botnets but even learn and evolve.
- Multi-factor authentication and device identity intelligence: Identity is a fundamental component in securing IoT. Secure identification between the device and human or vice versa was one of the past hurdles. Securing identity between device-to-device interactions and avoiding malicious duplicity is the key to securing IoT in 2019. The identity model has shifted from user-centric in traditional IT systems to machine-centric for IoT systems. Furthermore, multifactor authentication and identity intelligence by complementing each other will become the preferred methods to provide IoT security in 2019.
- ML as Shield: In the last year, the adoption of machine learning in IoT security has increased significantly. Currently, machine learning solutions are often used to monitor activity and act if unusual behaviors are detected. Moreover, machine learning will not only process and analyse data much quicker than traditional tools but also will provide predictive analysis of threats and attacks. This means that breach detection times can be reduced significantly, minimizing the potential disruption. It also means that the information security team can prioritize work more effectively. However, the scope for AI will go beyond monitoring user activity on the system. AI as an IoT security tool will not reach its full potential in 2019, but its use will accelerate.
- Chip to cloud, security embedded in hardware: We have already seen the adoption of IoT hardware security features such as a hardware security modules (HSM), Physical Unclonable Function (PUF) and TPM 2.0 (Trusted Platform Module). However, embedding security at the MCU-level to create a secure zone that can extend from the chip to the cloud level by integrating players from both ends of the IoT value chain was one of the most promising solutions. Security at the MCU-level will help solve cloning and counterfeit issues and will also establish secure authentication along with a unique identity. Semiconductor players like Microchip, NXP, Renesas, Cypress, STMicroelectronics, and Texas Instrument have already launched different versions of this product type.
- Increasing demand for security personnel in governments and private sector: GDPR ensured that all organizations directly or indirectly involved with data management concerning EU citizens are obliged to comply with the regulations, irrespective of where they are based. This has created a ripple effect of demand for skilled security personnel among both government and private sector which, in turn, has resulted in increased organizational budgeting for staff and training on data protection. We expect this trend to multiply in 2019.