As we ride the wave of digitisation and become increasingly dependent on technology, security becomes more and more important. Recent high-profile security breaches have highlighted our vulnerability, and as a result a lot of work addressing security has been funded. However, is this work focused on the right areas and threats? From a technical point of view, high levels of security can be achieved; the real issue is more a matter of adoption of security solutions by CPS/IoT actors. There are a number of different challenges that need to be addressed:
- Development costs and business model – electronics and software-based systems are expected to be very cheap (the cost per function of systems is decreasing rapidly). However, the security solution usually needs to be tailored to the platform/function/system, which raises the development and validation costs without increasing the customer added value.
- Limited performance for CPS and IoT – e.g. in terms of the bandwidth, computing performance and energy available, which limits the security-related countermeasures that can be deployed.
- Usability and user acceptance – increasing the security (e.g., authentication, confidentiality, privacy) usually decreases usability and has an impact on user acceptance. Customer training and awareness are needed, which, firstly, is not always possible and, secondly, may decrease the attractiveness of the system in comparison to other non-secure solutions.
- Competences – the design and deployment of security countermeasures requires a combination of competences with respect to security engineering on one side, and the product on the other side. There is a lack of qualified engineers who can address these issues.
So, in addition to performing research on security, there is also a need to invest in and train security engineers to think in terms of business, opportunities and ROI. There is also a need to educate the high-level management of traditional industrial sectors to make them more aware of the risks and opportunities related to security specifically, and ICT in general. Until this happens, we cannot be confident that the products we are buying are truly secure, but are we prepared to pay the price for good security?