As buildings become increasingly smart, with IoT sensors and devices enabling more efficient operations and management, the attack surface is expanding along with cybersecurity vulnerabilities. Consequently, some channel partners are responding by adding IoT security services to their portfolios.
The market for IT/operational technology (OT) security services in smart buildings will reach $897 million by 2022, growing at a record compound annual growth rate of 37%, according to Frost & Sullivan. "Today, smart devices control building management activities, including temperature control, access and lighting control, communication and safety systems in many enterprises. Such [a] converged IT/OT environment has made enterprises more vulnerable to cyberattacks," said Swetha R. Krishnamoorthi, industry analyst at Frost & Sullivan, in a statement. "With diverse protocols, hardware and software systems, the OT devices controlling building operations provide a heterogeneous environment. Coupled with IT devices and a common network connection, the attack surface expands, providing a thriving ground for cyber adversaries to play on."
In a Forrester Consulting study, almost three-quarters of the 403 technology decision-makers polled said they felt their current security controls and practices are inadequate for unmanaged and IoT devices. The same report also found that investment in IoT security products is insufficient and needs to increase: 68% of surveyed security professionals believe that their level of spending to secure unmanaged and IoT devices is too little, relative to the risks presented by these devices.
BIS Research forecasted that the global IoT security market will exceed $51 billion by 2024. With the growth of the market and more and more IoT devices proliferating in the enterprise, partners are seeing an opportunity to offer security services to help protect against the inherent risks these devices present.
Channel opportunities in IoT security services
With companies expanding their tech footprints by more frequently digitizing 'things,' channel firms are responding and beginning to offer IoT security services, said Seth Robinson, senior director of technology analysis at nonprofit IT trade association CompTIA.
"Cybersecurity, in general, is an area of huge opportunity … even before you consider all the new devices that are coming into the enterprise," Robinson said. The big challenge for organizations and partners alike, however, is figuring out whether the devices will have the same degree of functionality and reliability, which is hard to replicate when they are digitized, he added.
For example, if an HVAC system or lighting system gets hacked, it creates a backdoor into the entire IT infrastructure, Robinson noted.
Partners' IoT security services engagement should begin with technical consulting to educate organizational leaders and their users on what the total cost of ownership will be with IoT devices, Robinson said. Additionally, partners need to explain to customers "where you have to add extra layers of oversight and redundancy" as they digitize things.
Channel firms can then discuss how to secure IoT devices and do backup and business continuity planning, Robinson said.
As a multitude of unmanaged enterprise IoT devices get deployed, companies are looking for technology to assist in detecting and mitigating risk to their organizations, agreed Chris Dobrec, vice president of product marketing at Armis, an IoT security platform provider.
Companies that don't have the in-house expertise are turning to managed security service providers (MSSPs) and IoT security service providers, which offer services in all sectors and verticals, Dobrec said.
In addition to IoT security, many IT teams are asked to take on OT security, regardless of whether they have experience in that area, Dobrec added. Traditionally, most OT networks are run by engineering or ops teams, not by IT, "so there is a significant tools, knowledge [and] process gap that an MSSP can help bridge."
IoT security services vs. other types of security services
Maintaining the functionality and reliability of IoT devices is paramount and no different from traditional maintenance and security, Robinson said. The difference is that, now, organizations have to worry about "new modern upkeep and the security of IoT devices on the whole [network] infrastructure."
"We're not just talking about the reliability of a sensor getting added to HVAC or lighting; they're tying back to the main infrastructure," Robinson explained.
A lack of standard security controls isn't the only thing standing in the way of securing IoT environments, Dobrec noted. "IoT environments look different than traditional enterprise networks. They're inherently more complicated and fragmented, requiring a different approach to security architecture," he said. "This also makes it much more difficult to have visibility and control over every connected device."
Industry standards and regulations are just as fragmented and obscure, Dobrec added. As security service providers look to add IoT security as an offering, they need tools that provide visibility of all managed, unmanaged and IoT devices on and off the network, he said.
Considerations for entering the IoT security services market
As customers' IT advisors, channel firms should be vetting IoT products from vendors that are now adding digital components because the vendors may not have the core competency to secure them, Robinson said.
IT response to a security incident for a typical enterprise device includes things like patching and use of endpoint agents for troubleshooting and remediation, Dobrec said. These response and remediation methods often don't apply to IoT and OT devices, most of which cannot accept an agent or be patched.
"An MSSP entering this space needs to be prepared for how they will respond to alerts or alarms concerning these devices they may not be familiar with or have existing best practices for," Dobrec stressed.
IoT security brings new vendors onto the scene
As is the case with most emerging technology markets, vendors build IT products that address new problems, Dobrec said. "In partnership with the channel, the most successful vendors provide programs designed to help these partners to penetrate the market and accelerate execution."
Vendors want to enable this ecosystem of IoT security services as the worlds of cybersecurity and traditional security merge, Robinson said. CompTIA has started to talk with new vendors "that may not have been part of the IT [channel] before," he noted.
Consequently, these new vendors may not know how to enable their channel partners to offer IoT security services. This is where there is value in having vendor-to-vendor peer discussions facilitated by organizations like CompTIA, Robinson said. These peer groups "provide that neutral space where people can ask questions and learn from each other, especially as the space is evolving to include new types of companies," he said.
The state of IoT security regulations
In an effort to bring broad awareness to the risks associated with the proliferation of IoT devices, members of the U.S. Senate proposed the bipartisan Internet of Things Cybersecurity Improvement Act of 2019. The act advocates for stronger cybersecurity in connected devices.
Recent legislation, such as California's SB-327, was also designed to address security in connected devices, Dobrec noted. "These legislative acts are creating new opportunities for forward-thinking security vendors and their associated channel partners to address those risks on behalf of their customers," he said.
CompTIA would like to see tech vendors and the channel industry take the lead on providing guidance and best practices on IoT security rather than the government, Robinson said.
Because IoT security services are not yet widely adopted, the market for securing unmanaged and IoT devices is young and, therefore, not well defined, Dobrec said.
"However, there is no question that a massive paradigm shift is underway where enterprises are connecting more and more nontraditional devices to their networks," Dobrec said. This trend represents an opportunity for vendors and MSSPs "to expand their offerings beyond monitoring threats associated with traditional devices, like servers, personal computers, firewalls and network infrastructure."