Industry needs to plug IoT security holes or face vertical meltdown

PSA Certified’s 2022 Security Report reveals significant gaps in IoT security provision, with only 31% of technology decision-makers feeling ‘very satisfied’ with their level of security expertise in-house. So, what are these gaps in IoT security deployments? And what do organizations need to do to be better prepared?

IDGConnect_IoT_security_techindustry_shutterstock_1968956278_1200x700
Shutterstock

It comes as no surprise that the Russian invasion of Ukraine has triggered increased cyber activity in Europe and the US, with suspected Russian state-backed hackers looking for opportunities to destabilise western economies and critical infrastructures. It’s even prompted US President Biden to recently release a statement outlining the risks and what businesses need to do to try and counter any attack.  

As a Sophos Russia-Ukraine cyberattack page claims, this is all sound advice but the fear is that despite years of guidance and warnings, so many businesses still come up short on security. As Sophos reveals, “every day we assist companies who have only protected some of their assets, keep few if any, logs, are months if not years out of date on patching their systems and have open remote access to the internet with single-factor authentication.”

While for many enterprises this is fixable, there are growing fears that for many verticals it represents a more complex challenge, particularly with the internet of things (IoT). With vertical industries expected to spend over $188 billion on IoT devices and services this year, the prospect of cyber breaches and disruption to industry is very real.

According to a PSA Certified 2022 Security Report, there are significant gaps in IoT security provision, with technology decision-makers citing a lack of internal expertise and cost as inhibiting them from implementing stronger security. Only 31% of technology decision-makers feel ‘very satisfied’ with their level of security expertise in-house, while 59% still admit that internal validation is relied upon to certify security implementations.

So, what are these gaps in IoT security deployments? According to Chris Wilder, research director and senior analyst for cybersecurity at TAG Cyber LLC, the main gaps he is seeing are at the intersection between IT and OT systems, specifically with SCADA, sensors, meters, and so on.

“With Zero Trust gaining significant adoption, i.e., no more security perimeters, enterprises must ensure all their endpoints are secure, updated, patched, accounted for, and managed,” says Wilder. “Sadly, most organisations do not have the talent, skills, or awareness of the problems, so ignorance is a major factor.”

Wilder adds that the verticals most at risk are manufacturing and energy utilities, due to their long legacy, resistance to change, and the skills gap.

“Utilities are very hesitant to change and adopt new technologies,” he says. “Smart meters create a security nightmare scenario for utilities. As for manufacturing organisations, many don’t even know what and where IoT devices are in their ecosystem. So, the question for many is, ‘where do we start?’”

The problem is exacerbated by a lack of in-house security expertise. Wilder adds that as a result many organisations are turning to endpoint security (EPS) providers like Tanium, VMware’s Carbon Black, Microsoft, and others, but the challenge is the gap between IoT and OT because that is where the biggest security gaps occur.

The frustration is that this has been a long time coming. IoT security concerns and shortages in cybersecurity skills have been well documented over the past few years For David Maidment, senior director, secure device ecosystem at Arm (A PSA Certified co-founder), there is now an urgency needed but the industry has to realise that verticals in particular need more help in overcoming the barriers to entry.

“The success of the IoT depends on a foundation of trusted devices and the IoT will not scale without security,” says Maidment. “As an industry, we need to shift perceptions that you need a substantial security department in order to have secure products. Instead, you can source trusted components and benefit from certifications that offer independently lab-validated assurance of IoT security.”

Maidment adds that a myriad of standards, regulations, and baseline requirements also make it difficult for businesses to know what best practice looks like.

“While we may have come a long way, the need to demystify and defragment the regulatory landscape and provide a common framework around IoT security is critical to our connected future, he says.”

But this is also about culture, about seeing threats early and preparing for the worst. If it doesn’t happen great but as Wilder at TAG Cyber LLC says, “those in critical infrastructure like utilities, cannot keep their heads in the sand anymore. They must invest in technologies and services to help mitigate IoT risk. Traditional industries like manufacturing and utilities cannot hire their way out of the skills gap. They must invest in people, products, and preparedness. Until these investments are made, IoT security will remain a significant challenge for these companies and the customers they serve.”

Maidment agrees. He says that with critical infrastructure reliant on IoT and medical systems, smart cities, and connected homes powered by it, the smallest weakness can “set off a security domino effect” which is why the security properties of these devices cannot be optional.

So, what do organizations need to do to be better prepared?

“The list is long and exhaustive,” says Wilder. “Firstly, understand your attack vectors and vulnerabilities. Establish periodic protocols to scan and identify not just the network, but all endpoints and systems. Most attacks come from the inside so having the situational awareness of all assets is key. Secondly, work with a security operations provider like Cyrebro or Microsoft Azure or XDR providers like Cybereason, Sentential One, or eSentire to monitor your endpoints and IoT devices. Thirdly, establish flight guides and playbooks for dealing with a cybersecurity incident. For example, most organizations do not know how to effectively manage a ransomware attack and many come through unsecure IoT devices.”

Research firm Gartner predicts that by 2025, 30% of critical infrastructure organisations will experience a security breach, with governments in many countries now realising their national critical infrastructure has been “an undeclared battlefield for decades.” The heightened tensions following the Russian invasion of Ukraine have only accelerated the problem. There needs to be a fix, and quick.

“Ultimately, we need to look at embedding the value of security correctly across the entire global ecosystem and that requires collective action and collaboration from Government, industry, business, and beyond,” says Maidment. “We are only as strong as our biggest risk area, and as cyber risk grows, no one party can be held responsible for delivering a more secure IoT. Instead, collaborating and agreeing on common concepts is what will enable the ecosystem to align on how to fix the security holes that exist across the supply chain.”