Every IT security professional by now knows that the Internet of Things (IoT) phenomenon is going to give rise to a host of IT security issues. What many of them don’t appreciate is just how big an issue IoT security has already become.
A report published this week by Positive Technologies, a provider of vulnerability and compliance assessment tools, finds that major manufacturers disclosed 197 new vulnerabilities in 2017. That compares to 115 disclosures in 2016, representing a 71 percent increase. More importantly, the report notes that more than half (61%) of the newly reported vulnerabilities are of critical and high severity. Just under a third (31%) of vulnerabilities disclosed were flaws in SCADA/HMI/DCS devices, while 28 percent were found in industrial network equipment. The most common types of vulnerabilities involved remote code execution (24%), information disclosure (17%) and buffer overflow (12%).
Schneider Electric and Siemens top the list of vulnerability disclosures for the past year. But the report also notes that security flaw disclosures in industrial network equipment manufactured by Moxa increased 100 percent year over year.
The largest number of industrial control systems (ICS) attached to the Internet are physically located in the U.S., Germany, China, France, and Canada. But it’s already clear IoT security issues now involve devices spanning the globe.
The real issue when it comes to IoT security is that cybersecurity professionals are once again chasing after an emerging class of technologies after they have been deployed in production. ICS platforms have been around for decades. But it’s only been recently that many of them have been hooked up to the Internet. Unfortunately, the decision to attach something to the Internet all too often occurs without any consultation with IT security teams.
Rather than waiting to discover these issues, IT security teams would be well advised to assume elements of the organization are attaching critical systems to the Internet without their knowledge. Based on that assumption, it then behooves the IT security team to go looking for those systems. The operations team that connected those devices and systems to the Internet often does not report the fact that they hooked something up until after a security issue rears its ugly head. Fortunately, there is legislation moving through the halls of Congress to require organizations to factor cybersecurity into their IoT projects.
Of course, most IT security teams are already overwhelmed combatting the number of threats traditional IT applications and systems already face. But in terms of criticality to a business, it’s worth remembering ICS platforms affect, for example, core manufacturing processes. A security breach involving an ICS platform could easily wind up costing millions of dollars. As noted in the report, Maersk, Nissan and Renault already have firsthand experience dealing with just that issue. In fact, IoT is a major part of the reason why the World Economic Forum (WEF) now ranks IT security as the third largest threat to IT security.
Naturally, IoT security involves way more than ICS platforms. Everything from cameras to toys is being hijacked to create armies of bots to launch massive distributed denial of service (DDoS) attacks against specific targets. But as is often the case, there are some platforms that are more critical than others. IT security teams are now in a race to discover where those platforms are before anybody with much more malevolent intentions finds them first.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.