IoT cybersecurity: How trust unlocks value

　　The Internet of Things (IoT) opens up tremendous possibilities for transforming work and everyday life. In short, the IoT is the intersection of the physical and digital worlds, where various devices harness the power of interconnection to provide a seamless experience for consumers and businesses.

　　However, the IoT is currently at a crossroads. Will it continue to provide incremental value in isolated clusters, or will it unlock tremendous value as a fully connected IoT ecosystem? The answer to this question depends on the transition to a truly integrated IoT network within and across vertical industries.

　　Core obstacles must be overcome to achieve this network. Chief among these is cybersecurity risk, which hinders the trust needed to integrate IoT applications and networks. The solution lies in the convergence of IoT and cybersecurity - combining any technical, functional or commercial element of the IoT with cybersecurity to form a new, integrated whole. We should not underestimate the importance of this breakthrough for critical applications (e.g., automotive, healthcare, and smart cities).

　　This paper explores the nature of this convergence, the opportunities it will provide, and the challenges involved in making it happen. Integrated solution providers can make transformative adjustments to integrate today's fragmented IoT and cybersecurity ecosystems. Through strategies and partnerships designed to converge IoT and cybersecurity, industry and consumers alike can realize the extraordinary possibilities of the future.

　　IoT and Cybersecurity Overview

　　A common question asked by global technology leaders is: What are the key factors holding back large-scale IoT adoption today? Assuming that the convergence of IoT and cybersecurity could unlock tremendous new value, we explored the IoT space to better understand the barriers to widespread IoT adoption and how to overcome them.

　　Across all verticals, IoT adoption continues to expand and has shifted from isolated clusters of IoT devices to connected IoT environments. This is particularly evident in environments such as the factory floor and automotive. However, the IoT has not yet scaled as quickly as expected, nor has the IoT industry achieved a truly seamless experience where devices move in and out of the physical environment and are identified, trusted and managed without separate (sometimes manual) authentication steps.

　　The proliferation of connected devices, and the increased complexity of IoT use cases, creates opportunities for multiple players in the value chain. But it also brings with it the risk of vulnerability with potentially catastrophic consequences. Considering the IoT's control over physical operations, many IoT systems have a higher probability of risk compared to enterprise IT. Therefore, a seamless IoT experience requires a foundation of digital trust, functional convergence of IoT and cybersecurity, and early cybersecurity integration during the architecture design and pilot phases.

　　Traditional approaches to IoT security do not support this secure, seamless experience. IoT buyers report that there are few layers of security embedded in the design of today's IoT solutions. This can lead to vulnerabilities that require regular over-the-air updates and patches that cannot be reliably implemented. Relative to enterprise IT, solution design in the IoT space is relatively lagging behind in terms of security assurance, testing and validation.

　　After testing assumptions about the importance of cybersecurity and IoT convergence with industry leaders, McKinsey made another important finding. There is a significant gap in thinking between IoT buyers and suppliers regarding expected IoT adoption, digital privacy and trust issues, and delays caused by siloed decision trails. Understanding these facts will help future technology leaders, both buyers and suppliers, understand the mindset of the other and move toward unlocking value.

　　IoT buyers believe they are not as optimistic about achieving a seamless experience soon as IoT solution providers. Even in the early stages of IoT implementation, they have encountered obstacles. the main concerns of IoT buyers are interoperability, cybersecurity and installation complexity.

　　IoT solution providers severely underestimate the importance of digital trust compared to buyers; only about 30 percent of providers believe digital trust is critical in an IoT solution, compared to about 60 percent of buyers. But IoT buyers need a more cohesive decision-making structure to address their cybersecurity concerns. Most vendors blame siloed decision-making between IoT and cybersecurity teams for delays in IoT adoption on the buyer's end - 81 percent hold this view. Conversely, only 42% of buyers believe that decisions are siloed.

　　Based on these insights, McKinsey concludes that there will be a significant shift in IoT solution design philosophy, along with a full convergence of IoT and cybersecurity capabilities that will build user confidence in the IoT, accelerate IoT adoption and drive new value across its verticals to create a fully connected IoT environment. These market forces are further supported by more policy development at both the public and private levels. Technology leaders who master the required mindset will be able to influence revolutionary changes in consumer and enterprise applications.

　　When the industry is able to integrate IoT and cybersecurity, the payoff could be enormous. By 2030, the IoT vendor market is expected to reach a baseline scenario of approximately $500 billion. With cybersecurity issues fully managed, executives will spend an average of 20 to 40 percent more on the IoT. In addition, IoT vendors can unlock 5 to 10 percentage points of value from emerging use cases. This means that the total addressable market (TAM) value for IoT vendors across industries could reach $625 billion to $750 billion.

　　So, what's holding us back? Managing IoT cybersecurity is very challenging because converged solutions need to be vertical or use case specific and include layers across technology stacks. Success will depend on various stakeholders acknowledging the challenges, committing to innovation and agreeing on industry standards. Testing and validating solutions will also take time. In addition, there is an urgent need for industry talent with both IoT and cybersecurity expertise, and there is already a global shortage of cybersecurity talent. In addition, embedding IoT skills in cybersecurity is an emerging discipline.

　　However, there are reasons to be optimistic. Leaders in IoT and cybersecurity are increasingly aware of these challenges and are actively considering solutions. Top cloud providers (such as Amazon, Google, and Microsoft) have already enhanced their approach to IoT security. Semiconductor vendors (such as Intel and Qualcomm), whose products power critical IoT devices and networks, are now prioritizing the security of IoT architectures and hardware. Pure IoT technology providers (such as Cisco and Samsara) recognize the importance of security and offer unique IoT security products. Finally, a few companies (such as BlackBerry and Siemens) are at the intersection of cybersecurity and IoT and are well positioned to integrate enterprise cybersecurity solutions with IoT platforms.

　　For nearly a decade, McKinsey has been surveying companies and decision makers around the world on the topic of IoT and has been actively involved in discussions about its potential and challenges. The firm's experts seek to understand the transformative value of connecting the physical and digital worlds - the conduit for which is the Internet of Things. This work has repeatedly led it to conclude, a conclusion shared by many global technology leaders, that great value can be realized when broad societal benefits, utility and productivity are taken into account. McKinsey believes its full potential could be between $5.5 trillion and $12.6 trillion by 2030.

　　McKinsey has recently invested significant effort in understanding today's barriers and potential solutions to enable a truly seamless experience that will enable the next generation of the Internet of Things. Some of the conclusions are that security and trust have become increasingly prominent impediments, but solutions that bring together enterprise security and the IoT are still in their infancy. This prompts investigation into where the answer may lie at the intersection of cybersecurity and the IoT as a driver of IoT adoption. The findings on this issue are significant and in some cases surprising.

　　The Future of IoT: Seamless Industrial and Consumer Experiences

　　Imagine a seamless IoT experience of the future, incorporating different industries, technologies and use cases. The car is more than just a mode of transportation; it's a vehicle for a broader digital experience. You request a shared car through a portal that uses contactless facial recognition. The car drives itself to you and customizes the interior to your preferences, and its communication device seamlessly integrates with your digital account. On your way to work, the car syncs with your health tracker to determine what breakfast to order. While you're enjoying your meal, your digital assistant alerts the office to your arrival and adjusts your office temperature.

　　One day, turning this vision into reality will require overcoming several factors that are currently preventing faster adoption and growth of the Internet of Things; chief among them is cybersecurity risk. Only by seriously addressing this issue with a new, comprehensive approach will the market be able to maximize the value that this and many other advanced IoT use cases bring.

　　IoT Market Adoption and Key Drivers

　　IoT adoption has accelerated in recent years, moving from isolated IoT clusters of millions of interacting smart devices to a fully connected IoT environment. This shift is occurring across vertical and cross-industry scales. The IoT vendor market is expected to reach $300 billion by 2025, growing at a compound annual growth rate of 8% from 2020 to 2025 and 11% from 2025 to 2030.

　　The future IoT environment will consist of billions of connected devices that communicate through heterogeneous operating systems, networks and platforms, and increasingly through cloud-based data storage and cloud-native programming. This environment should enable a highly autonomous and continuous exchange of information so that designers and engineers of IoT solutions can create the seamless experience that IoT technology providers, integrators and customers have recently begun to advocate.

　　The ability to develop a seamless experience may spur further IoT adoption as it helps address critical factors such as confidentiality, connectivity performance, cybersecurity, installation, interoperability, privacy and technical performance. More than 90 percent of IoT solution providers and buyers surveyed in the McKinsey B2B IoT survey identified at least one of these issues as a key barrier to IoT adoption. Interoperability and cybersecurity took the top two spots. Interoperability is an essential element given the need for multiple connected systems; common standards across the IoT value chain will support it. Cybersecurity is equally important, but is a bigger challenge.

　　Key factors for a seamless IoT experience

　　A seamless Internet of Things (IoT) experience will encompass six aspects that span enterprise and consumer use cases:

　　Hyper-connected - Connectivity through multiple standards will be ubiquitous, connecting a vast array of devices and sensors that seamlessly share data.

　　Integrated - Integration within and between device technology stacks will be effortless (including minimal login efforts, self-managed devices and wireless patch updates) while using multiple connectivity standards, platforms and back-end systems.

　　Secure and reliable - Dynamic cybersecurity will enable a high level of trust when dealing with the multi-layered complexity of legacy systems and new solutions, and security at all layers with AI-based threat protection.

　　Intelligence - Devices and systems will have the intelligence (powered by AI and machine learning) to draw insights from data and make real-time decisions, enabling a leap from monitoring to automated implementation.

　　Mobile - devices and networks will require minimal maintenance, be battery efficient, and have personas (corporate or personal identities) to deliver the experience of the future.

　　Hyper-personalization - driven by other factors - will deliver personalized experiences across different platforms and scenarios (from home to office and everywhere in between).

　　The critical role of cybersecurity

　　Respondents from all industries identified cybersecurity deficiencies as a major barrier to IoT adoption (Table 1). Approximately 30% of participants ranked cybersecurity risk as their top concern. Of these respondents, 40% indicated that they would increase their IoT budgets and deployments by 25% or more if cybersecurity issues were addressed.

　　Cybersecurity risk increases exponentially due to the interconnected nature of IT and OT technologies in the IoT, especially in use cases involving critical data transfers or business-critical business process operations. According to McKinsey research in 2021, the number of connected IoT devices is growing at more than 10% annually, leading to higher vulnerability to cyber attacks, data breaches and mistrust According to the McKinsey B2B IoT Survey, IoT application software and human-machine interfaces are the most vulnerable layers of the IoT stack.

　　The frequency and severity of IoT-related cyber attacks are expected to increase Without effective IoT cybersecurity, this heightened risk could prevent organizations from moving IoT deployments from pilot (where risk is localized) to production (where risk is amplified due to scale).

　　Achieving a trusted level of IoT cybersecurity has been difficult so far. Most players in the field tend to view cybersecurity as a separate category of software that provides add-on solutions, rather than as a core component of the IoT design process. The interconnected nature of the IoT means that the approach must shift to a comprehensive approach that includes all five functions as defined by the National Institute of Standards and Technology: identifying risk, preventing attacks, detecting vulnerabilities, responding to attacks, and recovering from attacks.

　　Current IoT infrastructure may have security vulnerabilities throughout the value chain. For example, cybersecurity testing may be limited in scope during the design phase or conducted too late in the design process. As a result, security may not be adequately embedded, leading to potential vulnerabilities in the production phase. The upgradeability of IoT devices will be patch dependent and devices may struggle to keep up with the latest security regulations and certifications.

　　Ideally, one day, IoT-specific certifications and standards will ensure embedded security, enabling trust in IoT devices and empowering machines to operate more autonomously. Given the differences in requirements across use cases and vertical industries, the future of IoT cybersecurity is likely to combine traditional and custom tools with security-centric product design.

　　Traditionally, cybersecurity for enterprise IT has focused on confidentiality and integrity, while cybersecurity for operational technology has focused on availability. McKinsey's research shows that the IoT requires a more holistic approach. Because cybersecurity risks for the IoT span digital to physical security, it is critical to address the entire confidentiality, integrity and availability (CIA) framework. Six key outcomes enable a secure IoT environment: data privacy and access under confidentiality, reliability and compliance under integrity, and uptime and resiliency under availability.

　　Great Value: Differences by Industry

　　While basic cybersecurity functions are inherent to all IoT verticals and use cases, such as avoiding unauthorized access, the specific cybersecurity risks being addressed by each industry may vary by use case. For example, cybersecurity in healthcare remote patient monitoring needs to prioritize confidentiality and availability, while the most important cybersecurity outcome in self-driving cars is availability, as operational disruptions can lead to security risks. Contactless payments for financial services rely heavily on data integrity.

　　In the 2030 baseline scenario, the TAM value for IoT providers across industries is $500 billion. The four largest verticals - manufacturing and industrial, mobility and transportation, healthcare, and smart cities - account for more than 65 percent of the overall market.

　　Cybersecurity efforts can benefit all industries, but some are poised to capitalize on the greatest IoT value. The industries with the highest cyber risk also have the greatest value to unlock through improved cybersecurity practices. With cybersecurity risks effectively addressed, the manufacturing and industrial, healthcare, travel and transportation, and smart city sectors will have the highest additional spend on IoT adoption. This article focuses on the latter three verticals, as several McKinsey studies have discussed the industrial IoT According to the CIA's cybersecurity standards, each of these three sectors requires a different cybersecurity focus.

　　Source From: Mckinsey