
Organizations Lack Confidence in Securing IoT, Survey Shows

Less than a fifth of professionals who responded to a recent poll say they are very confident in their ability to secure Internet of Things (IoT) and Industrial IoT (IIoT) devices. 

More than 4,200 professionals across industries and positions responded to poll questions during a webcast on May 30, but just 18% of them said they were feeling very confident that their organizations’ connected products, devices, or other "things" are secure.

Conducted by consulting giant Deloitte and industrial cybersecurity firm Dragos, the survey found that more than half of the respondents (51%) admitted to being somewhat confident, while 23% were uncertain or somewhat not confident. This could be the direct result of an overall lack of standardization across industries for the security of connected devices. 

When asked where they seek guidance on security-by-design for their organization, 41% of the respondents said they look to industry and professional organizations. Another 28% said they look first to regulatory bodies and agencies that set the standards, while 22% said they develop such practices internally.

Only 28% of the respondents use an industry-defined framework as input for requirements selection, while 41% use a custom set of product cybersecurity requirements. A further 30% of the respondents admitted to using no defined framework at all.

Most of the respondents (81%) believe that information security is accountable for the securing of connected products in their organization. 

The increasing adoption of connected devices across industries has driven up the number of cyber-attacks, data breaches, and business disruptions caused by unsecured IoT and IIoT devices. The issue is that many businesses are not aware of the depth and breadth of the risk exposure they take on when adopting IoT.

IoT and IIoT offer a great deal of benefits, but they also create a large number of security risks, the most important of which are not having a security and privacy program and lacking ownership/governance to drive security and privacy. 

There are also risks associated with security not being incorporated into the product design and with insufficient security awareness and training for engineers and architects, in addition to a lack of IoT/IIoT and product security and privacy resources. 

Insufficient monitoring, inadequate post-market/implementation security and privacy risk management, and poor visibility are also high risks associated with IoT environments. Added to these are the difficulty of identifying and treating risks in fielded and legacy products, and inexperienced or immature incident response.

“Organizations need to think through this. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable,” Robert M. Lee, CEO at Dragos, commented.

To address these challenges, organizations should understand the current state of product security and develop a cyber-strategy, adopt security-by-design practices, ensure correct ownership of the process, establish dedicated teams and provide them with the necessary resources, and take full advantage of industry-available resources. 

“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind. Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority,” Deloitte Risk and Financial Advisory partner Sean Peasley said. 
