The Internet of Things (IoT) embodies great promise and risk. On the one hand, ordinary users view IoT as a means of streamlining their activities across billions of “smart” devices. They hope such connectivity will ultimately translate into better and easier lives. On the other hand, IoT devices aren’t always designed with security in mind. This lack of emphasis on security explains what happened to Dyn in October 2016. It also gets to the root of why 70 percent of IT experts told Tripwire at Black Hat USA 2016 that their organization wasn’t prepared for IoT-related threats.
Not all IoT devices are created the same, however. Some serve industrial organizations in the energy, utilities, government, healthcare, and finance sectors. These settings integrate so-called Industrial Internet of Things (IIoT) devices into complex IT and OT environments that are subject to unique digital threats and very serious, high-impact consequences.
Robert Westervelt, security research manager at IDC, elaborates on these types of risks:
“As industrial companies pursue IIoT, it’s important to understand the new threats that can impact critical operations. Greater connectivity with operational technology (OT) exposes operational teams to the types of attacks that IT teams are used to seeing, but with even higher stakes. The concern for a cyber attack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example – cyber attacks could disrupt power supply for communities and potentially have impact to life and safety.”
Threats to life and safety are no laughing matter. Which begs the question: are critical infrastructure entities prepared for the security challenges of IIoT?
To find out, Tripwire partnered with Dimensional Research in January 2017 and asked 403 IT professionals who hold some responsibility for digital security as a significant part of their job about the extent to which their organizations are prepared to face IIoT-related threats in 2017.
The survey’s findings are concerning.
- When asked about the coming year, 96 percent of respondents said they expect to see an increase in security attacks on IIoT
- Meanwhile, over half (51 percent) said they’re not prepared for malicious campaigns that in some way exploit or misuse the Industrial Internet of Things
- This is in spite of the fact that 64 percent of participants already recognized a need for their organizations to protect against such attacks
David Meltzer, chief technology officer at Tripwire, weighs in on the matter:
“Industry professionals know that the Industrial Internet of Things security is a problem today. More than half of the respondents said they don’t feel prepared to detect and stop cyber attacks against IioT. There are only two ways this scenario plays out: Either we change our level of preparation or we experience the realization of these risks. The reality is that cyber attacks in the industrial space can have significant consequences in terms of safety and the availability of critical operations.”
There is even more catching up to do on security when you consider the continued growth of IIoT. 90 percent of survey respondents said they expect their organizations’ deployment of IIoT to increase. Such growth will only expand these entities’ attack surface.
Meltzer feels organizations need IT and OT to converge if they are to adequately protect themselves against IIoT-borne threats:
“The Industrial Internet of Things ultimately delivers value to organizations, and that’s why we’re seeing an increase in deployments. Security can’t be an industry of ‘no’ in the face of innovation, and businesses can’t be effective without addressing risks. The apparent contradiction of known risks and continued deployment demonstrates that security and operations need to coordinate on these issues. While IIoT may bring new challenges and risks, the fundamentals of security still apply. Organizations don’t need to find new security controls, rather they need to figure out how to apply security best practices in new environments.”
Then and only then can industrial organizations lift their heads and look forward to benefiting from IIoT. For more information on this promising outlook, please read Belden’s resource here.