Barracuda Networks recently published a study on IoT/OT security, and similar to what Viakoo hears when talking with prospects it validates there is a giant gap between the threats from vulnerable IoT systems being breached and an organization’s ability to stop it. I’d encourage you to check it out here. While this study provides a good understanding of where organizations struggle with IoT security, there is one underlying root cause to these struggles – the reality that IoT devices and systems operate at a scale way beyond any other form of digital technology within an organization. To solve IoT security means addressing the scale issue – both in the sheer number of device and the physical sprawl of them geographically.
Key findings from Barracuda included:
● Barracuda research finds organizations are struggling to protect operational technology and getting breached as a result
● 94% of organizations surveyed have experienced a security incident in the last year
● 93% of organizations surveyed have failed IoT/OT security projects
● Organizations are hit the worst when security updates are not automatic
Let’s start with the last point (one many security professionals already know); keeping IoT/OT devices patched and secured is extremely difficult, and because IoT/OT devices cannot use agent-based patching solutions until recently only manual methods could be used. That’s changed – Viakoo and its competitors provide proven agentless automated IoT firmware patching/update solutions that are designed to work with the sprawled-out and scaled-out nature of IoT. If you’re still manually updating IoT devices, run don’t walk to sign up for a Viakoo demo – it turns out that’s the quickest and easiest way to reduce your IoT attack surface.
While the number of failed IoT/OT security projects is alarming (93%), the good news is attempts are being made and learned from to improve IoT/OT security. As highlighted in the Barracuda study, many organizations face implementation challenges including basic cyber hygiene – even failed projects help to show where an organizations IoT/OT security barriers exist, especially when IoT security must be performed at a scale 5x to 20x of IT security projects. There is a large divide between IT security and IoT/OT security, and it will take both cycles of learning (by doing) and deploying new technologies to close that gap. Given the significant differences between IT security and IoT/OT security, organizations will have to learn from these efforts to become more mature in how to approach IoT/OT security at scale.
The good news is there are more industry-level efforts to deploy effective IoT/OT security across companies (for example the Real Estate Cyber Consortium https://reccinc.org/) which will help accelerate security efforts across multiple companies. Likewise there is more focus on updating both internal and external compliance requirements so that IoT/OT security is part of the audit and compliance process. By collaborating together, organizations will more quickly find and deploy the best practices on IoT security at scale, and will make operating at scale more efficient for all organizations.
Manufacturing and healthcare (and other sectors like transportation, logistics, municipalities, etc) are examples of lines of business that manage complex IoT/OT systems at scale, but often lack IT or security skills. Closing that skill gap is critically important whether by closer coordination with IT, or hiring people with IT skillsets into the line of business organization. Adding new cyber skills to a workforce already accustomed to operating at IoT scale is another way to accelerate reducing organizational risk.
Embracing new technology is required at address the scale issue with IoT security – older IT-based security and patching solutions were never designed to operate in the agentless and high scale area of IoT security. IoT/OT security leaders have the opportunity to leapfrog older security approaches when it comes to IoT/OT security – specifically in moving to a zero trust architecture and deploying automated firmware patching solutions.
Without question the urgency of addressing IoT/OT security has increased, and emphasized by Barracuda finding that 94% of organizations have experienced a security incident in the past year. Pending SEC mandates on cybersecurity disclosures, geopolitical uncertainty, and a shift by threat actors towards exploiting IoT/OT vulnerabilities makes it almost impossible for organizations to not up their game on security. Just this month news reports on the hacker group Predatory Sparrow (https://www.bbc.com/news/technology-62072480) highlight these risks – not only did the cyber criminals start a fire within a factory, they took control of IoT systems like the cameras to observe and control events. The nature of IoT/OT security threats is turning from being a nuisance to being deadly.
So while there may be a lot of raised blood pressure after reading Barracuda’s report on IoT security, the good news is that after being ignored for many years IoT security is rapidly advancing. Automated firmware patching, extending zero trust, and ensuring password policies are enforced all can now be accomplished at the scale required for IoT. Whether at Black Hat, via Zoom demos, or by starting an onsite proof-of-concept, now is the best time to implement solutions to shrink your attack surface and organizational risk.