A pair of reports assessing the overall cybersecurity of the operational technology (OT) used in various classes of embedded systems suggests that cybersecurity professionals will soon have their hands full remediating any number of potential vulnerabilities.
At a time when an Internet of Things (IoT) phenomenon is seeing more of these systems than ever connected to the Internet, a global survey of 370 managers conducted by Bloor Research on behalf of TÜV Rheinland, a provider of cybersecurity testing services, finds 40 percent of respondents admit they had never assessed the risks posed by a potential cyberattacks on their OT systems. In fact, 34 percent of survey respondents admit they do not know whether their own company has ever investigated these risks. In addition, only one in five companies has adjusted its cybersecurity strategy to include OT systems.Recent survey: only one in five companies has adjusted its cybersecurity strategy to include the operational technology in embedded systems. Click To Tweet
A similar survey of 950 IT and business leaders published by Gemalto, a provider of biometrics and encryptions software and hardware designed for OT environments, finds that only roughly half of the survey respondents (48%) think their organization is even capable of detecting a breach of an IoT system.
On the plus side, nearly three-quarters (71%) say they encrypt their data and have implemented either passwords (66%) or two-factor authentication (38%). Just under a quarter (23%) are hopeful blockchain technologies will play a significant role in IoT cybersecurity. Originally developed for cyber-currencies such as Bitcoin, blockchain technologies create an immutable database that could, for example, keep track of whenever an embedded system has been accessed.
A total of 62 percent of survey respondents, however, say IoT security clearly needs to improve. The top three concerns are a lack of privacy because of connected devices (54%), followed closely by unauthorized parties such as hackers controlling devices (51%) and lack of control over personal data (50%).
Respondents to the Gemalto survey also appear to be calling for more government intervention. A full 95 percent say there needs to be more uniform government regulations when it comes to applying cybersecurity to IoT, especially when it comes to data privacy (38%) and the collection of large amounts of data (34%).'Once an IoT project goes live, cybersecurity professionals have to defend an attack surface that is much larger than a traditional IT environment.' ~@MVizard Click To Tweet
Most IoT projects are still in the pilot stage, so there is still an opportunity for cybersecurity teams to get ahead of the inherent weaknesses in many of these systems. But once an IoT project goes live, cybersecurity professionals will soon find themselves trying to defend an attack surface that is several orders of magnitude larger than a traditional IT environment. To make matter more complex, it’s not clear within most organizations who owns these IoT projects. The teams that built and deployed OT systems tend to jealously guard them. Many IT organizations, however, tend to view anything connected to a network as being within their domain. Cybersecurity professionals if they want to succeed will need to find a way to navigate these two fiefdoms.
Of course, there may have to be a significant breach before all parties involve truly appreciate the importance of properly funding IoT cybersecurity. In the meantime, cybersecurity professionals would be well-advised to start preparing now for that all but inevitable forthcoming crisis.
Concerned about securing your devices?
Barracuda offers highly secure, ultra-small and ruggedized devices for advanced network security, encrypted communications, and cost-effective connectivity, fully integrated into the Barracuda Firewall Control Center. Get your free trial here.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.