The discovery that criminals or nation states are using Internet of Things devices — network-attached printers, digital video cameras, industrial switches and sensors as well as smart phones — as attack tools has been known for some time.
Yet a vendor survey of 137 people knowledgeable about and/or responsible for their organization’s IoT-related security practices, suggests many organizations don’t see the threat seriously enough.
The survey, paid for by security vendor Trustwave, found that one-third of respondents considered their IoT security strategy as either “somewhat important” or “not important.” By comparison, 36 per cent considered their IoT security strategy “important” with another 28 per cent calling it “very important.”
“Given that many organizations have not yet established a business case for IoT, such as a solid return-on-investment analysis, it may be that security for IoT has been relegated to a much lower priority than it should be,” says the report on IoT readiness (registration required).
Another reason may be that over one-third (38 per cent) said IoT isn’t relevant to their organizations.
The survey also notes that 57 per cent of respondents said security concerns are a barrier to the adoption of IoT devices in their organization, with another 25 per cent saying lack of standards is also a barrier.
Still, only 10 per cent of those surveyed were “very” confident that they can detect and protect against IoT-related security incidents, while 62 per cent are only “somewhat” or “not” confident that they can do so.
However, the report argues organizations have to be prepared for the impact of IoT devices on corporate security. Gartner has forecast that by 2020 there will be 20 billion IoT devices around the world, up from about 8.5 billion now.
In 2015, IoT malware was successful in taking down a portion of an electrical grid in Ukraine, leaving 230,000 customers without power, the report notes. In October 2016, the Mirai botnet attacked Dyn servers, involving approximately 360,000 devices and taking down many high-traffic websites.
Depending on the device, the availability of patches for IoT equipment ranges from non-existent to good. Like dealing with corporate-owned software, the speed at which IoT patches are installed also varies widely. Just under half (48 per cent) of respondents said it takes 48 hours or more to apply an IoT patch in their organization. A quarter said an IoT patch can be installed within 24 hours, while seven per cent said it would be installed within an hour of release.
“Decision makers generally place a low emphasis on IoT security, yet a substantial proportion of organizations are anticipating severe IoT security problems,” the report concludes.
Ideally, it says, manufacturers of devices should build security in from the start, including Web apps, mobile apps, servers and associated APIs that interact with IoT products. Users should be forced to change any default passwords before they use a product.
As for security teams, they should do the following:
• Regularly scan and inventory the network to identify any nontraditional devices, which includes IoT;
• Research and vet IoT vendors before making new purchases. This includes studying their history and accessing security reports (which should be available on an ongoing basis);
• Use vendor risk management and security testing, which helps reveal vulnerabilities and weaknesses;
• Change the default passwords on all devices to unique, complex passwords to reduce risk of compromise;
• Implement an agile methodology for quickly patching IoT vulnerabilities to ensure that any attacks leveraging flawed devices are prevented or minimized;
• Perform continual and proactive threat hunting to search for advanced persistent threats that may have already crept into the network via vulnerable IoT devices;
• Restrict partner access to your network where practical to minimize the potential for IoT threats from entering.
(Editor’s note: This story has been corrected from the original. The number of people surveyed was 137, not 17,000.)