The results of a recent survey querying IT security pros about the threats posed by devices tethered to the internet were practically unanimous: 96 percent of them said they expect to see an increase in security attacks on IoT.
While the study by Tripwire recognised the enormous promise of these devices in facilitating tasks and bringing convenience, ultimately simplifying life for millions, IoT devices also hold a risk as they are not always built with security in mind. In fact, nearly three-quarters of the IT security experts Tripwire polled at Black Hat USA 2016 said their organisation wasn't prepared for IoT-related threats.
But the threats are not divided evenly. Verticals such as energy, utilities, government, health care and finance face higher threats from digital attack, which could result in damage not just to network systems but to infrastructure, the study determined. The devices connecting with the internet in these cases, the so-called Industrial Internet of Things (IIoT), are particularly susceptible to serious consequences.
“As industrial companies pursue IIoT, it's important to understand the new threats that can impact critical operations," Robert Westervelt, security research manager at IDC, told Tripwire. "Greater connectivity with operational technology (OT) exposes operational teams to the types of attacks that IT teams are used to seeing, but with even higher stakes. The concern for a cyber-attack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example – cyber-attacks could disrupt power supply for communities and potentially have impact to life and safety.”
The survey sought to determine whether critical infrastructure entities are prepared for the security challenges of IIoT. To find out, Tripwire partnered with Dimensional Research in January 2017 and asked 403 IT professionals about the extent to which their organisations are prepared to face IIoT-related threats in 2017.
Some of the study's results were troubling:
- 96 percent of respondents said they expect to see an increase in security attacks on IIoT in the coming year.
- 51 percent said they're not prepared for malicious campaigns that in some way exploit or misuse the Industrial Internet of Things.
“Industry professionals know that the Industrial Internet of Things security is a problem today," David Meltzer, chief technology officer at Tripwire, said in a statement. "More than half of the respondents said they don't feel prepared to detect and stop cyber-attacks against IIoT."
There are only two ways this scenario plays out, he said. "Either we change our level of preparation or we experience the realisation of these risks. The reality is that cyber-attacks in the industrial space can have significant consequences in terms of safety and the availability of critical operations.”
And the challenge for IT security pros charged with protecting enterprise networks will only increase as their company's use of IIoT devices increases, he added.
Meltzer said he believes organisations need IT and OT to converge if they are to adequately protect themselves against IIoT-borne threats:
“The Industrial Internet of Things ultimately delivers value to organisations, and that's why we're seeing an increase in deployments," he stated. Acknowledging that today's companies cannot block innovation with restrictions on the use of devices, he stressed the need to address risk. "The apparent contradiction of known risks and continued deployment demonstrates that security and operations need to coordinate on these issues."
While IIoT may bring new challenges and risks, the fundamentals of security still apply, he pointed out. "Organisations don't need to find new security controls, rather they need to figure out how to apply security best practices in new environments.”