Service Providers Can Take Control of IoT Security
Back in 2017, Gartner estimated that there soon would be 20.4 billion IoT devices with enterprises deploying almost 8 billion of them. New and innovative applications are being created every day and with great power comes great responsibility. IoT ecosystems today are the Wild West of hacking, and service providers are best positioned to help stop the madness.
A recent Shared Assessments survey said that most companies believe IoT devices could wreak havoc on their own organizations, and they are right. Security flaws can leave millions of devices vulnerable, creating pathways for cybercriminals to exfiltrate data -- or worse. For example, a July 2018 report from security vendor Armis disclosed that nearly 500 million IoT devices were susceptible to cyber attacks at businesses worldwide because of a decade-old web exploit. With large-scale IoT attacks like the Dyn attack taking down access to the Internet for several hours on much of the East Coast, or the attack on Deutsche Telekom routers, large-scale effects of IoT attacks are and will continue to be a major issue for the ecosystem.
So, who is responsible to prevent this blight on the Internet? Everyone and no one. Radware asked over 1,000 enterprises in its 2017-2018 Global Application & Network Security Report and the results were enlightening. 34% of the respondents believe the device manufacturer is responsible, 11% believe service providers are, 21% think it falls to the private consumer, and 35% believe business organizations should be liable. In other words, there is no consensus.
Now let's look at who is capable of fixing this. The consumer doesn't have the knowledge or skills. The business owner likewise has little knowledge and certainly in this world of global IT security talent shortages can't hire the skills. The device manufacturers are uncoordinated, far too numerous to control and have little incentive to spend additionally to develop and incorporate software features into low-cost probes, telemetry devices, connected toasters, etc. Who does that leave? The service providers. The same service providers who have built successful multi-hundred-million-dollar cloud security service businesses (think of Akamai or Level 3/CenturyLink) to protect enterprise customers.
Now we are entering a new wave of investment by service providers. 5G networks are just being rolled out and it's another chance to ask the question: How can wireless service providers more fully participate in the value chain? For one thing, they can use new architectures like 5G and network slicing to create specific security environments ideal for IoT. Other companies in the IoT ecosystem -- device makers, software platform providers, etc. -- can't do that.
In 2000, we fretted about whether service providers should have walled-garden content or provide it over the top (OTT). Service providers couldn't fill the same need with the variety of applications that Google Play and Apple's App Store had available and thus they ceded the apps market to Google and Apple.
Nearly 20 years later, service providers have another chance to jump into the value chain on IoT. Now, we know there is demand for IoT security which is an application service that service providers know how to deliver (and have been successfully doing it!). This is a much better situation than in 2000, but only if service providers are willing to mobilize.
It's important to note here that several different groups are coming to the same conclusion. In fact, the Japanese government is so concerned about a large-scale IoT attack disrupting the 2020 Tokyo Olympics, they just passed a law empowering the government to intentionally identify and hack vulnerable IoT devices. The Japanese government asked service providers to secure the list of devices identified as vulnerable.
Service providers need to remember the sting of losing out to the apps providers 20 years ago and recognize the opportunity in front of them. The GSMA's most recent analysis of the IoT opportunity is encouraging. They said that if you include everything from 3GPP Release 14 onward (NB-IoT and LTE-M), the service provider opportunity for IoT could be as large as $10 billion in revenue by 2025. And that estimate just includes the connectivity business -- the potential upside in the services market will be a much, much larger.
Point being, service providers need to mobilize today and start defining the security SLAs they could offer over 5G IoT. In addition, they need to do the hard work of determining how much of the IoT market they could capture as a security service and how they would package this with their existing IoT platform offerings. Based on that, they can estimate the ROI of the investment and determine the priority of the rollout.
As an industry, let's not let history repeat itself and in 2039 be asking ourselves how service providers missed another window to capture value in emerging wireless services.
— Mike O'Malley, VP of Carrier Strategy, Radware