Certification, regulation needed to secure IoT devices

Manufacturers have little incentive to invest in security when some web-connected devices sell for less than $50 each, suggesting that mandatory compliance may be necessary to protect consumer interest.

HONG KONG--With little economic incentive on the manufacturer's part to secure web-connected devices, governments will need to step in and introduce regulations that ensure a minimum level of security.

The growing adoption of the Internet of Things (IoT), including in the areas of healthcare and transport, is expected to create new security vulnerabilities that businesses would struggle to control. And it doesn't help that manufacturers in this emerging market segment see little reason to invest in security, when doing so may cost more than the price of their device, according to executives from Fortinet.

Speaking to journalists Thursday at the security vendor's Fast & Secure Asia-Pacific Media Tour 2015 in Hong Kong, Fortinet's co-founder, president, and CTO Michael Xie said some web-connected cameras today, for instance, cost less than $50 while it might require $5 to secure the device.

Based on this price-point, it would not make much sense for the manufacturer to spend that amount to secure the device when its margins were already low, Xie said.

The lack of inherent security in IoT devices was highlighted in a previous ZDNet report, which noted that these systems were particularly vulnerable to security attacks as they were not originally manufactured with security in mind.

An HP study also found 70 percent of IoT devices, including webcams and home security alarms, to be vulnerable to security attacks, with 80 percent of such devices lacking passwords of sufficient complexity.

With IDC and Gartner projecting between 25 billion and 28 billion IoT devices to be installed by 2020, there will be cause for concern if the security hole remains unplugged.

And with little economic push to ensure their devices were secured, manufacturers might require stronger incentive by way of regulations and mandatory compliance.

Darren Turnbull, Fortinet's vice president of strategic solutions, suggested the need for governments to be involved. He noted that there would come a time when web-connected devices, particularly in the healthcare space, must be sold with security certification.

"So there has to be a regulatory framework," Turnbull said, stressing the need for some degree of confidence by providing IoT devices that were certified to be secured.

The Fortinet executives also pointed to the increasing deployment of software-defined environments, including software-defined networking (SDN) and data center (SDDC), as another growing security challenge.

Xie explained in an interview with ZDNet that in traditional networks where components such as switches and routers were wired, there were well-established architecture frameworks that outlined where and how firewalls should be connected to switches, be it redundantly or as a single connection.

These guidelines would no longer be effective with SDNs where these "wires" were now defined by software and where switches could be "relocated" by the stroke of a key, he said. Firewalls, for instance, would need to continue to operate the necessary policies to secure a database within an SDN, when that database is virtually relocated to a different city.

"So all that becomes more intangible, and the big challenge is for security to be able to adapt to that kind of architecture," he noted.

Fortinet on competition, market leadership by 2020

And the security vendor is looking to tap potential growth opportunities such as those in the SDN space. According to Xie, Fortinet is aiming to become the market leader in network security by 2020 and looking to do so by investing in key areas, including security analytics, SDN and virtualization, as well as performance through its hardware offerings such as its FortiASIC chip.

The company clocked US$896.5 million in billings for its fiscal 2014, up 31 percent from the previous year. Its Asia-Pacific billings climbed 22 percent year-on-year in second-quarter 2014.

The region will continue to be a significant focus for Fortinet, which operates research labs in China, Japan, Malaysia, and Singapore. Xie alluded to plans for more labs in Asia-Pacific, but stressed that the company would do so cautiously to avoid spreading itself too thin.

He also pointed to Cisco Systems and Check Point as its main competitors, though the CTO noted that Cisco's security business was not growing as quickly as before and its future remained uncertain with CEO John Chambers' impending retirement.

Xie further referred to Cisco's penchant for acquiring security companies, which included Sourcefire, Cognitive Security, and Neohapsis, rather than growing its business organically. Noting that this presented its own challenges, he explained: "If you rely on the same people doing the same thing, you quickly go out of date. So they have challenges, especially since security isn't their main focus.

"So I feel optimistic, with our growth rate, that we can beat our competition," he added.

Eileen Yu reported for ZDNet from Fortinet's Fast & Secure Asia-Pacific Media Tour 2015 in Hong Kong, on the security vendor's invitation.