
Industry is Not Prepared for the IIoT Attacks that Have Already Begun

Industrial Internet of Things (IIoT) is an essential part of business transformation and the Industry 4.0 revolution. Its use is burgeoning, with more than 7 billion devices in use worldwide. This is expected to grow to more than 20 billion by 2025 -- and does not include phones, tablets or laptops. It is a journey just beginning, and nobody yet knows the destination or route.

Cybersecurity complications are expected, but the most common perception is that so far this has been limited to the rise of massive DDoS botnets able to deliver huge attacks -- like Mirai -- from thousands of compromised IoT devices. A new survey now shows that direct cyber-attacks against IIoT have already started, and that DDoS is not a primary concern to security teams.

The survey, conducted by Vanson Bourne for Irdeto, questioned 700 security decision makers across Connected Health, Connected Transport and Connected Manufacturing, and the IT and technology firms that manufacture devices. Data was gathered in March and April 2019 from China, Germany, Japan, the UK and the U.S.

Eighty percent of these organizations experienced a cyber-attack against their IoT over the last 12 months. The highest rate was in the UK at 86% (three other regions had attacks against more than 80% of respondents), with Japan at the relatively low 60%. Within the industry verticals examined, 82% of healthcare organizations, 79% of manufacturing and production organizations, and 77% of connected transport organizations have experienced an attack.


While attacks against IIoT have already started, organizations have little confidence in the immediate future. Globally, 83% of organizations are concerned about their IoT systems suffering a future cyber-attack (with 32% being 'very' concerned). Concern is highest in the UK (91%), with the U.S. at 87%. Japan and China show the least concern at 76% and 77% respectively.

Coupled with these concerns, there is little confidence in the existing device security. Globally, 33% of user organizations believe that device security could be improved to a great extent. Only 2% felt that security could not be improved. Even among the IoT manufacturers, there is little confidence. Forty-one percent of the IoT device manufacturers feel their own device security could be improved to a great extent. This was highest in Germany (49%) and lowest in Japan (32%).

The degree of concern differs between the verticals. Connected transport is most concerned about compromised customer data (35%) followed by loss of customers and operational downtime (both at 15%). Healthcare is most concerned about compromised customer data (39%) followed by compromised end-user safety (20%). Manufacturing and production is primarily concerned with compromised end-user safety (21%) followed by operational downtime (19%).

None of these figures are surprising given the nature of the verticals -- except, perhaps, that healthcare is more worried about loss of data than end-user safety (presumably patients). This may reflect the success and effect of HIPAA.

The average cost of an IoT security incident has been relatively low in cyber breach terms -- just $330,602. It is highest in connected transport, and lowest in manufacturing and production. This surprises Irdeto. "It's possible that these organizations may not be taking into account all of the costs associated with a cyberattack, including lost business, costs to correct any vulnerabilities that led to the attack, etc," it writes. "It is also possible that with IoT proliferation in these industries being in its relative infancy, the current cost of cyberattacks on these devices is not as catastrophic as in other parts of the business. However, if this is the case, the costs will surely skyrocket as IoT devices become more abundant and connectivity continues to increase throughout the business."

It is fair to say that as IoT becomes more deeply embedded in manufacturing -- especially in the operational side -- the cost of a serious attack could increase dramatically. When a variant of WannaCry got into the OT network of the Taiwanese TSMC chip fabricator in 2018, it resulted in costs of around $170 million.

The Irdeto survey demonstrates that direct cyber-attacks against IIoT have already started, and that industry is not yet well prepared. In fact, Irdeto found only one promising response: 99% of the respondents agree that a security solution should be an enabler of new business models, and not just a cost. It took IT security many years to come to the same position. It demonstrates, says Irdeto, that "The previous mindset of security as an afterthought is changing, and one of the most promising results of the study found that today's organizations are thinking even more strategically about security."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.