The “Internet of Things” has been plagued by serious design-level security issues since the term was coined some two decades ago. One would hope that progress was at least being made, given that there are now an estimated tens of billions of these devices online and billions more are projected to be added each year. Unfortunately, a new report from Tripwire indicates that security is not keeping pace with this growth. The report finds that IoT security is a major issue at nearly every company: 99% of respondents say that their IoT devices pose security challenges, and over 75% report problems fitting these devices into their present security approach.
IoT security outpaced by device adoption
The survey consisted of 312 employees from a variety of industries throughout Europe and the United States. All respondents were security professionals or executives responsible for securing IoT devices at organizations ranging from about 100 to over 5,000 employees in size.
The headline item is that 99% of these respondents report some sort of challenge in making IoT security work at their organization, though there is some variety as to the specific types of challenges. The most common issue is, unsurprisingly, discovering and remediating vulnerabilities (66%). Among other common issues 60% struggle with tracking inventory of IoT devices on the network, and 58% have issues with validating compliance for security policies.
The challenge is not due to lack of care; 95% of respondents said that they are concerned with the organization’s IoT security posture, with 42% responding that they are “very concerned.” The problem seems to be rapid adoption of new devices that are largely not designed with security needs in mind. 78% of respondents say that IoT devices require a “different approach” that does not fit in with the organization’s existing security plans. 88% say that they require external help to secure these devices. Only 12% say that their current security teams have the skillset to handle IoT security; 27% say that they are still working on a plan to get there, and 9% say that they do not presently know how they will ultimately tackle this knowledge gap.
State of IoT security standards
The vast majority of organizations are following some sort of security standard or framework, and about three quarters of these have regular compliance audits. PCI and NIST are the two frontrunners, with CIS adopted by about one-third of respondents and MITRE by about one-fifth. The larger a company is, the more likely it is to have compliance audits.
What is the answer to this seemingly entrenched IoT security issue? Most professionals are in favor of expanded Industrial Control Systems (ICS) security standards, something that has been proposed in terms of NIST standards for government devices with the IoT Cybersecurity Improvement Act of 2019. The professionals surveyed were about evenly mixed in wanting to see standards expanded to cover industrial and corporate IoT systems, with a smaller amount of support for consumer devices.
87% also say that existing IoT security guidelines put supply chain security at risk. 29% are “strongly” worried about this, 74% agree that the government needs to deliver consistent security guidelines for connected devices, and 70% say that they feel pressure from business leaders to connect everything to the internet. In spite of this seemingly common pressure, 99% of respondents say that they refuse requests to connect certain devices (43% say that this happens “often”).
Tim Erlin, vice president of product management and strategy at Tripwire, commented: “The industrial sector is facing a new set of challenges when it comes to securing a converged IT-OT environment. In the past, cybersecurity was focused on IT assets like servers and workstations, but the increased connectivity of systems requires that industrial security professionals expand their understanding of what’s in their environment. You can’t protect what you don’t know.”
Regulations and standards for IoT manufacturers
The general state of IoT security has been subpar for some time, to put it as generously as possible. Manufacturers are pressured to compete on cost and novelty, meaning that proper security gets pushed to the back of the priority list as they rush to bring products to market. At the consumer end, there tends to be a widespread perception (one that extends to C-suites) that a compromised IoT device can’t really cause harm beyond whatever native functions it has. There is a general lack of appreciation for how these devices can be used as an entry point to move farther inside the network they are connected to, or for the scope of sensitive data that they may be able to collect. For example, theoretical attacks that steal financial information have been developed for smart lights and internet-connected coffee machines.
The market is unlikely to fix itself, leaving federal-level legislation as the one realistic hope for improvement. Should the government eventually take up the bill that establishes NIST standards for devices used by federal agencies, it might pressure manufacturers to simply apply these same standards to products bound for the private market and the industrial sector as well. In the meantime, the increasing “connection of everything” to the internet combined with the long-term normalization of remote work will continue to put pressure on security professionals.