Third Party Ecosystems Make Industrial IoT the Perfect Storm of Risk and Reward

Organizations Must Understand Their Environments and React Immediately When Something is Amiss

The risk created by the proliferation of industrial IoT (IIoT) is rising, thanks to the continued mismanagement of third-party involvement in sensitive industrial environments. New third-party smart sensors and devices, not to mention the services that accompany them, are not always under the purview of the hosting organization — opening the door for intentional and unintentional threats. 

So how do we address some of the security problems a third-party ecosystem presents?

The Third-Party Risk

To better understand the risks posed by third-party vendors, consider something basic like maintenance and support. Maintaining and supporting operational technology (OT) implies regular software updates and maintenance. This means that third-party service providers may have access to your company’s network diagrams, asset lists, personnel information and more. They likely even have admin credentials, sometimes with remote access, in order to do their job. 

But none of this ensures oversight. 

Your third-party maintenance and support service provider may sign in remotely, come in and out after hours, and bring in devices like thumb drives — to name just a few security headaches waiting to happen. If you or your service provider don’t have a clear risk management policy, these seemingly innocuous events can quickly turn into operational and business nightmares. 

If this sounds hypothetical, it’s not. Target was breached via its HVAC system during routine maintenance; Equifax was compromised after using third-party software. And in terms of critical infrastructure, the control rooms of U.S. electric utilities were breached via third-party credentials.

As the Wall Street Journal reported last summer, “The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, ‘air-gapped’ or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.” 

It took just one careless third-party vendor to compromise a critical utility that could have caused widespread chaos if it were taken down. Fortunately, all it takes is some due diligence to mitigate this risk. 

Mitigating the Third-Party Ecosystem Risk

Start by understanding your exposure. What makes your company or organization an attractive target? Do all assets fall under the right standards, governance and monitoring processes? Do you have a view of all your third-party dependencies? If you can’t answer these questions, you already have a problem. If you can, you can move on to taking the right security steps. 

When you know the potential risks, you can prioritize which systems to protect based on the impact a compromise of each would have. This will also help you map out a plan for how to reach a more secure state down the road.

Beyond asset control and management, focus on permissions and credentials. In OT environments, credentials are often set up with little security protection. There is usually an intention to review these permissions, but it almost never happens. Sometimes those credentials remain valid months or years after they were last used, or even after the vendor relationship itself has ended.
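The review that this paragraph says "almost never happens" can be made routine. The following is an added example (not from the original column or any vendor product) of a stale vendor-credential audit: it takes an export of vendor accounts from the OT access-control system and the vendor register, flags accounts that are idle beyond a review window, that were never used, or whose vendor engagement has already ended, and marks remote, privileged accounts as the first to disable. The data model, the sample records and the 90-day window are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical records. In practice these would be exported from the OT
# access-control system and the vendor-management register.
@dataclass
class VendorAccount:
    username: str
    vendor: str
    created: date
    last_used: Optional[date]   # None: never used since creation
    remote_access: bool
    privileged: bool            # admin / engineering-level rights

@dataclass
class VendorEngagement:
    vendor: str
    contract_end: Optional[date]  # None: engagement still active

def find_stale_vendor_accounts(accounts, engagements, today, max_idle_days=90):
    """Return {username: [reasons]} for every account that needs review.

    Reasons are 'vendor-unknown', 'vendor-offboarded:<days>d',
    'never-used:<days>d' or 'idle:<days>d', plus 'priority:high' when the
    account is both remotely reachable and privileged.
    """
    end_by_vendor = {e.vendor: e.contract_end for e in engagements}
    findings = {}
    for acct in accounts:
        reasons = []
        # 1. Is the vendor still under contract? An account for a vendor not
        #    in the register at all is the worst case: nobody owns it.
        if acct.vendor not in end_by_vendor:
            reasons.append("vendor-unknown")
        else:
            end = end_by_vendor[acct.vendor]
            if end is not None and end < today:
                reasons.append(f"vendor-offboarded:{(today - end).days}d")
        # 2. Has the account been used within the review window?
        idle_days = (today - (acct.last_used or acct.created)).days
        if idle_days > max_idle_days:
            tag = "never-used" if acct.last_used is None else "idle"
            reasons.append(f"{tag}:{idle_days}d")
        if reasons:
            # Remote plus privileged is the combination to disable first.
            if acct.remote_access and acct.privileged:
                reasons.append("priority:high")
            findings[acct.username] = reasons
    return findings

# Constructed sample data for a review run on 2024-03-01.
TODAY = date(2024, 3, 1)
SAMPLE_ENGAGEMENTS = [
    VendorEngagement("AcmeHVAC", contract_end=date(2023, 10, 31)),
    VendorEngagement("PLCServices", contract_end=None),
]
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-acmehvac", "AcmeHVAC", date(2021, 4, 1), date(2023, 9, 15), True, True),
    VendorAccount("svc-plc-eng", "PLCServices", date(2022, 1, 10), date(2024, 2, 20), True, True),
    VendorAccount("svc-plc-temp", "PLCServices", date(2023, 6, 1), None, False, False),
    VendorAccount("legacy-vendor", "OldIntegrator", date(2019, 8, 5), date(2024, 2, 25), True, True),
]
AUDIT_FINDINGS = find_stale_vendor_accounts(SAMPLE_ACCOUNTS, SAMPLE_ENGAGEMENTS, TODAY)

if __name__ == "__main__":
    for user, reasons in AUDIT_FINDINGS.items():
        print(f"{user}: {', '.join(reasons)}")
```

Running it on the sample data flags three of the four accounts: the HVAC service account outlives a contract that ended four months earlier, the temporary PLC account was created and never used, and the integrator account belongs to no vendor in the register even though it was used last week. Only the active, recently used engineering account passes. The useful design choice is that "vendor gone" and "account idle" are checked independently, because a still-used account for an offboarded vendor is precisely the case the column describes.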

Also, consider the devices and applications vendors could bring onto your network, and develop a control policy or deny them access entirely. Vendors often need to install applications for testing, or to handle specific problems. In some cases, vendors may perform job functions using unapproved applications and devices, which may rely on insecure protocols or inadequate security controls.

Ultimately, it all comes down to clear oversight and control. OT assets, particularly in critical infrastructure, can cause a great deal of damage if compromised. No system or process is entirely secure, but you can make sure you understand your environment and react immediately when something is amiss.

Learn More at SecurityWeek’s ICS Cyber Security Conference
